kamal 2.3.0 → 2.5.0

data/lib/kamal/commands/app/assets.rb

@@ -4,10 +4,10 @@ module Kamal::Commands::App::Assets
 
     combine \
       make_directory(role.asset_extracted_directory),
-      [ *docker(:stop, "-t 1", asset_container, "2> /dev/null"), "|| true" ],
-      docker(:run, "--name", asset_container, "--detach", "--rm", "--entrypoint", "sleep", config.absolute_image, "1000000"),
-      docker(:cp, "-L", "#{asset_container}:#{role.asset_path}/.", role.asset_extracted_directory),
-      docker(:stop, "-t 1", asset_container),
+      [ *docker(:container, :rm, asset_container, "2> /dev/null"), "|| true" ],
+      docker(:container, :create, "--name", asset_container, config.absolute_image),
+      docker(:container, :cp, "-L", "#{asset_container}:#{role.asset_path}/.", role.asset_extracted_directory),
+      docker(:container, :rm, asset_container),
       by: "&&"
   end
 

data/lib/kamal/commands/app/containers.rb

@@ -2,7 +2,7 @@ module Kamal::Commands::App::Containers
   DOCKER_HEALTH_LOG_FORMAT    = "'{{json .State.Health}}'"
 
   def list_containers
-    docker :container, :ls, "--all", *filter_args
+    docker :container, :ls, "--all", *container_filter_args
   end
 
   def list_container_names
@@ -20,7 +20,7 @@ module Kamal::Commands::App::Containers
   end
 
   def remove_containers
-    docker :container, :prune, "--force", *filter_args
+    docker :container, :prune, "--force", *container_filter_args
   end
 
   def container_health_log(version:)

data/lib/kamal/commands/app/execution.rb

@@ -7,13 +7,15 @@ module Kamal::Commands::App::Execution
       *command
   end
 
-  def execute_in_new_container(*command, interactive: false, env:)
+  def execute_in_new_container(*command, interactive: false, detach: false, env:)
     docker :run,
       ("-it" if interactive),
-      "--rm",
+      ("--detach" if detach),
+      ("--rm" unless detach),
       "--network", "kamal",
       *role&.env_args(host),
       *argumentize("--env", env),
+      *role.logging_args,
       *config.volume_args,
       *role&.option_args,
       config.absolute_image,

data/lib/kamal/commands/app/images.rb

@@ -4,7 +4,7 @@ module Kamal::Commands::App::Images
   end
 
   def remove_images
-    docker :image, :prune, "--all", "--force", *filter_args
+    docker :image, :prune, "--all", "--force", *image_filter_args
   end
 
   def tag_latest_image

data/lib/kamal/commands/app/logging.rb

@@ -1,18 +1,28 @@
 module Kamal::Commands::App::Logging
-  def logs(version: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
+  def logs(container_id: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
     pipe \
-      version ? container_id_for_version(version) : current_running_container_id,
+      container_id_command(container_id),
       "xargs docker logs#{" --timestamps" if timestamps}#{" --since #{since}" if since}#{" --tail #{lines}" if lines} 2>&1",
       ("grep '#{grep}'#{" #{grep_options}" if grep_options}" if grep)
   end
 
-  def follow_logs(host:, timestamps: true, lines: nil, grep: nil, grep_options: nil)
+  def follow_logs(host:, container_id: nil, timestamps: true, lines: nil, grep: nil, grep_options: nil)
     run_over_ssh \
       pipe(
-        current_running_container_id,
+        container_id_command(container_id),
         "xargs docker logs#{" --timestamps" if timestamps}#{" --tail #{lines}" if lines} --follow 2>&1",
         (%(grep "#{grep}"#{" #{grep_options}" if grep_options}) if grep)
       ),
       host: host
   end
+
+  private
+
+  def container_id_command(container_id)
+    case container_id
+    when Array then container_id
+    when String, Symbol then "echo #{container_id}"
+    else current_running_container_id
+    end
+  end
 end

data/lib/kamal/commands/app.rb

@@ -47,7 +47,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
   end
 
   def info
-    docker :ps, *filter_args
+    docker :ps, *container_filter_args
   end
 
 
@@ -67,7 +67,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
 
   def list_versions(*docker_args, statuses: nil)
     pipe \
-      docker(:ps, *filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
+      docker(:ps, *container_filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
       extract_version_from_name
   end
 
@@ -91,11 +91,15 @@ class Kamal::Commands::App < Kamal::Commands::Base
     end
 
     def latest_container(format:, filters: nil)
-      docker :ps, "--latest", *format, *filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
+      docker :ps, "--latest", *format, *container_filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
     end
 
-    def filter_args(statuses: nil)
-      argumentize "--filter", filters(statuses: statuses)
+    def container_filter_args(statuses: nil)
+      argumentize "--filter", container_filters(statuses: statuses)
+    end
+
+    def image_filter_args
+      argumentize "--filter", image_filters
     end
 
     def extract_version_from_name
@@ -103,13 +107,17 @@ class Kamal::Commands::App < Kamal::Commands::Base
       %(while read line; do echo ${line##{role.container_prefix}-}; done)
     end
 
-    def filters(statuses: nil)
+    def container_filters(statuses: nil)
       [ "label=service=#{config.service}" ].tap do |filters|
-        filters << "label=destination=#{config.destination}" if config.destination
+        filters << "label=destination=#{config.destination}"
         filters << "label=role=#{role}" if role
         statuses&.each do |status|
           filters << "status=#{status}"
         end
       end
     end
+
+    def image_filters
+      [ "label=service=#{config.service}" ]
+    end
 end

data/lib/kamal/commands/base.rb

@@ -11,7 +11,7 @@ module Kamal::Commands
     end
 
     def run_over_ssh(*command, host:)
-      "ssh#{ssh_proxy_args} -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
+      "ssh#{ssh_proxy_args}#{ssh_keys_args} -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
     end
 
     def container_id_for(container_name:, only_running: false)
@@ -34,6 +34,12 @@ module Kamal::Commands
       [ :rm, path ]
     end
 
+    def ensure_docker_installed
+      combine \
+        ensure_local_docker_installed,
+        ensure_local_buildx_installed
+    end
+
     private
       def combine(*commands, by: "&&")
         commands
@@ -94,5 +100,23 @@ module Kamal::Commands
           " -o ProxyCommand='#{config.ssh.proxy.command_line_template}'"
         end
       end
+
+      def ssh_keys_args
+        "#{ ssh_keys.join("") if ssh_keys}" + "#{" -o IdentitiesOnly=yes" if config.ssh&.keys_only}"
+      end
+
+      def ssh_keys
+        config.ssh.keys&.map do |key|
+          " -i #{key}"
+        end
+      end
+
+      def ensure_local_docker_installed
+        docker "--version"
+      end
+
+      def ensure_local_buildx_installed
+        docker :buildx, "version"
+      end
   end
 end

data/lib/kamal/commands/builder/base.rb

@@ -6,18 +6,19 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
   delegate :argumentize, to: Kamal::Utils
   delegate \
     :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
-    :cache_from, :cache_to, :ssh, :provenance, :driver, :docker_driver?,
+    :cache_from, :cache_to, :ssh, :provenance, :sbom, :driver, :docker_driver?,
     to: :builder_config
 
   def clean
     docker :image, :rm, "--force", config.absolute_image
   end
 
-  def push
+  def push(export_action = "registry", tag_as_dirty: false)
     docker :buildx, :build,
-      "--push",
+      "--output=type=#{export_action}",
       *platform_options(arches),
       *([ "--builder", builder_name ] unless docker_driver?),
+      *build_tag_options(tag_as_dirty: tag_as_dirty),
       *build_options,
       build_context
   end
@@ -37,7 +38,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
   end
 
   def build_options
-    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance ]
+    [ *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance, *builder_sbom ]
   end
 
   def build_context
@@ -58,8 +59,14 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
   end
 
   private
-    def build_tags
-      [ "-t", config.absolute_image, "-t", config.latest_image ]
+    def build_tag_names(tag_as_dirty: false)
+      tag_names = [ config.absolute_image, config.latest_image ]
+      tag_names.map! { |t| "#{t}-dirty" } if tag_as_dirty
+      tag_names
+    end
+
+    def build_tag_options(tag_as_dirty: false)
+      build_tag_names(tag_as_dirty: tag_as_dirty).flat_map { |name| [ "-t", name ] }
     end
 
     def build_cache
@@ -101,6 +108,10 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
       argumentize "--provenance", provenance unless provenance.nil?
     end
 
+    def builder_sbom
+      argumentize "--sbom", sbom unless sbom.nil?
+    end
+
     def builder_config
       config.builder
     end

data/lib/kamal/commands/builder/cloud.rb

@@ -0,0 +1,22 @@
+class Kamal::Commands::Builder::Cloud < Kamal::Commands::Builder::Base
+  # Expects `driver` to be of format "cloud docker-org-name/builder-name"
+
+  def create
+    docker :buildx, :create, "--driver", driver
+  end
+
+  def remove
+    docker :buildx, :rm, builder_name
+  end
+
+  private
+    def builder_name
+      driver.gsub(/[ \/]/, "-")
+    end
+
+    def inspect_buildx
+      pipe \
+        docker(:buildx, :inspect, builder_name),
+        grep("-q", "Endpoint:.*cloud://.*")
+    end
+end

data/lib/kamal/commands/builder.rb

@@ -1,8 +1,8 @@
 require "active_support/core_ext/string/filters"
 
 class Kamal::Commands::Builder < Kamal::Commands::Base
-  delegate :create, :remove, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
-  delegate :local?, :remote?, to: "config.builder"
+  delegate :create, :remove, :dev, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
+  delegate :local?, :remote?, :cloud?, to: "config.builder"
 
   include Clone
 
@@ -17,6 +17,8 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
       else
         remote
       end
+    elsif cloud?
+      cloud
     else
       local
     end
@@ -34,23 +36,7 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
     @hybrid ||= Kamal::Commands::Builder::Hybrid.new(config)
   end
 
-
-  def ensure_local_dependencies_installed
-    if name.native?
-      ensure_local_docker_installed
-    else
-      combine \
-        ensure_local_docker_installed,
-        ensure_local_buildx_installed
-    end
+  def cloud
+    @cloud ||= Kamal::Commands::Builder::Cloud.new(config)
   end
-
-  private
-    def ensure_local_docker_installed
-      docker "--version"
-    end
-
-    def ensure_local_buildx_installed
-      docker :buildx, "version"
-    end
 end

data/lib/kamal/commands/registry.rb

@@ -1,14 +1,16 @@
 class Kamal::Commands::Registry < Kamal::Commands::Base
-  delegate :registry, to: :config
+  def login(registry_config: nil)
+    registry_config ||= config.registry
 
-  def login
     docker :login,
-      registry.server,
-      "-u", sensitive(Kamal::Utils.escape_shell_value(registry.username)),
-      "-p", sensitive(Kamal::Utils.escape_shell_value(registry.password))
+      registry_config.server,
+      "-u", sensitive(Kamal::Utils.escape_shell_value(registry_config.username)),
+      "-p", sensitive(Kamal::Utils.escape_shell_value(registry_config.password))
   end
 
-  def logout
-    docker :logout, registry.server
+  def logout(registry_config: nil)
+    registry_config ||= config.registry
+
+    docker :logout, registry_config.server
   end
 end

data/lib/kamal/configuration/accessory.rb

@@ -5,7 +5,7 @@ class Kamal::Configuration::Accessory
 
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :name, :accessory_config, :env
+  attr_reader :name, :env, :proxy, :registry
 
   def initialize(name, config:)
     @name, @config, @accessory_config = name.inquiry, config, config.raw_config["accessories"][name]
@@ -16,10 +16,11 @@ class Kamal::Configuration::Accessory
       context: "accessories/#{name}",
       with: Kamal::Configuration::Validator::Accessory
 
-    @env = Kamal::Configuration::Env.new \
-      config: accessory_config.fetch("env", {}),
-      secrets: config.secrets,
-      context: "accessories/#{name}/env"
+    ensure_valid_roles
+
+    @env = initialize_env
+    @proxy = initialize_proxy if running_proxy?
+    @registry = initialize_registry if accessory_config["registry"].present?
   end
 
   def service_name
@@ -27,7 +28,7 @@ class Kamal::Configuration::Accessory
   end
 
   def image
-    accessory_config["image"]
+    [ registry&.server, accessory_config["image"] ].compact.join("/")
   end
 
   def hosts
@@ -106,8 +107,33 @@ class Kamal::Configuration::Accessory
     accessory_config["cmd"]
   end
 
+  def running_proxy?
+    accessory_config["proxy"].present?
+  end
+
   private
-    attr_accessor :config
+    attr_reader :config, :accessory_config
+
+    def initialize_env
+      Kamal::Configuration::Env.new \
+        config: accessory_config.fetch("env", {}),
+        secrets: config.secrets,
+        context: "accessories/#{name}/env"
+    end
+
+    def initialize_proxy
+      Kamal::Configuration::Proxy.new \
+        config: config,
+        proxy_config: accessory_config["proxy"],
+        context: "accessories/#{name}/proxy"
+    end
+
+    def initialize_registry
+      Kamal::Configuration::Registry.new \
+        config: accessory_config,
+        secrets: config.secrets,
+        context: "accessories/#{name}/registry"
+    end
 
     def default_labels
       { "service" => service_name }
@@ -129,7 +155,7 @@ class Kamal::Configuration::Accessory
     end
 
     def read_dynamic_file(local_file)
-      StringIO.new(ERB.new(IO.read(local_file)).result)
+      StringIO.new(ERB.new(File.read(local_file)).result)
     end
 
     def expand_remote_file(remote_file)
@@ -176,11 +202,17 @@ class Kamal::Configuration::Accessory
 
     def hosts_from_roles
       if accessory_config.key?("roles")
-        accessory_config["roles"].flat_map { |role| config.role(role).hosts }
+        accessory_config["roles"].flat_map { |role| config.role(role)&.hosts }
       end
     end
 
     def network
       accessory_config["network"] || DEFAULT_NETWORK
     end
+
+    def ensure_valid_roles
+      if accessory_config["roles"] && (missing_roles = accessory_config["roles"] - config.roles.map(&:name)).any?
+        raise Kamal::ConfigurationError, "accessories/#{name}: unknown roles #{missing_roles.join(", ")}"
+      end
+    end
 end

data/lib/kamal/configuration/builder.rb

@@ -53,6 +53,10 @@ class Kamal::Configuration::Builder
     !local_disabled? && (arches.empty? || local_arches.any?)
   end
 
+  def cloud?
+    driver.start_with? "cloud"
+  end
+
   def cached?
     !!builder_config["cache"]
   end
@@ -115,6 +119,10 @@ class Kamal::Configuration::Builder
     builder_config["provenance"]
   end
 
+  def sbom
+    builder_config["sbom"]
+  end
+
   def git_clone?
     Kamal::Git.used? && builder_config["context"].nil?
   end

data/lib/kamal/configuration/docs/accessory.yml

@@ -23,9 +23,27 @@ accessories:
 
     # Image
     #
-    # The Docker image to use, prefix it with a registry if not using Docker Hub:
+    # The Docker image to use.
+    # Prefix it with its server when using root level registry different from Docker Hub.
+    # Define registry directly or via anchors when it differs from root level registry.
     image: mysql:8.0
 
+    # Registry
+    #
+    # By default accessories use Docker Hub registry.
+    # You can specify different registry per accessory with this option.
+    # Don't prefix image with this registry server.
+    # Use anchors if you need to set the same specific registry for several accessories.
+    #
+    # ```yml
+    # registry:
+    #   <<: *specific-registry
+    # ```
+    #
+    # See kamal docs registry for more information:
+    registry:
+      ...
+
     # Accessory hosts
     #
     # Specify one of `host`, `hosts`, or `roles`:
@@ -43,8 +61,8 @@ accessories:
 
     # Port mappings
     #
-    # See https://docs.docker.com/network/, and especially note the warning about the security
-    # implications of exposing ports publicly.
+    # See [https://docs.docker.com/network/](https://docs.docker.com/network/), and
+    # especially note the warning about the security implications of exposing ports publicly.
     port: "127.0.0.1:3306:3306"
 
     # Labels
@@ -98,3 +116,8 @@ accessories:
     # Defaults to kamal:
     network: custom
 
+    # Proxy
+    #
+    # You can run your accessory behind the Kamal proxy. See kamal docs proxy for more information
+    proxy:
+      ...

data/lib/kamal/configuration/docs/alias.yml

@@ -5,12 +5,12 @@
 # For example, for a Rails app, you might open a console with:
 #
 # ```shell
-# kamal app exec -i -r console "rails console"
+# kamal app exec -i --reuse "bin/rails console"
 # ```
 #
 # By defining an alias, like this:
 aliases:
-  console: app exec -r console -i "rails console"
+  console: app exec -i --reuse "bin/rails console"
 # You can now open the console with:
 #
 # ```shell

data/lib/kamal/configuration/docs/builder.yml

@@ -102,9 +102,18 @@ builder:
   #
   # The build driver to use, defaults to `docker-container`:
   driver: docker
+  #
+  # If you want to use Docker Build Cloud (https://www.docker.com/products/build-cloud/), you can set the driver to:
+  driver: cloud org-name/builder-name
 
   # Provenance
   #
   # It is used to configure provenance attestations for the build result.
   # The value can also be a boolean to enable or disable provenance attestations.
   provenance: mode=max
+
+  # SBOM (Software Bill of Materials)
+  #
+  # It is used to configure SBOM generation for the build result.
+  # The value can also be a boolean to enable or disable SBOM generation.
+  sbom: true

data/lib/kamal/configuration/docs/proxy.yml

@@ -46,9 +46,22 @@ proxy:
   # The host value must point to the server we are deploying to, and port 443 must be
   # open for the Let's Encrypt challenge to succeed.
   #
+  # If you set `ssl` to `true`, `kamal-proxy` will stop forwarding headers to your app,
+  # unless you explicitly set `forward_headers: true`
+  #
   # Defaults to `false`:
   ssl: true
 
+  # Forward headers
+  #
+  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
+  #
+  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
+  #
+  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
+  # will forward them if it is set to `false`.
+  forward_headers: true
+
   # Response timeout
   #
   # How long to wait for requests to complete before timing out, defaults to 30 seconds:
@@ -93,13 +106,3 @@ proxy:
     response_headers:
       - X-Request-ID
       - X-Request-Start
-
-  # Forward headers
-  #
-  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
-  #
-  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
-  #
-  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
-  # will forward them if it is set to `false`.
-  forward_headers: true

data/lib/kamal/configuration/docs/registry.yml

@@ -2,6 +2,10 @@
 #
 # The default registry is Docker Hub, but you can change it using `registry/server`.
 #
+# By default, Docker Hub creates public repositories. To avoid making your images public,
+# set up a private repository before deploying, or change the default repository privacy
+# settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
+#
 # A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
 # in the local environment:
 registry:

data/lib/kamal/configuration/registry.rb

@@ -1,12 +1,10 @@
 class Kamal::Configuration::Registry
   include Kamal::Configuration::Validation
 
-  attr_reader :registry_config, :secrets
-
-  def initialize(config:)
-    @registry_config = config.raw_config.registry || {}
-    @secrets = config.secrets
-    validate! registry_config, with: Kamal::Configuration::Validator::Registry
+  def initialize(config:, secrets:, context: "registry")
+    @registry_config = config["registry"] || {}
+    @secrets = secrets
+    validate! registry_config, context: context, with: Kamal::Configuration::Validator::Registry
   end
 
   def server
@@ -22,6 +20,8 @@ class Kamal::Configuration::Registry
   end
 
   private
+    attr_reader :registry_config, :secrets
+
     def lookup(key)
       if registry_config[key].is_a?(Array)
         secrets[registry_config[key].first]

data/lib/kamal/configuration/role.rb

@@ -10,7 +10,7 @@ class Kamal::Configuration::Role
   def initialize(name, config:)
     @name, @config = name.inquiry, config
     validate! \
-      specializations,
+      role_config,
       example: validation_yml["servers"]["workers"],
       context: "servers/#{name}",
       with: Kamal::Configuration::Validator::Role
@@ -204,11 +204,11 @@ class Kamal::Configuration::Role
     end
 
     def specializations
-      if config.raw_config.servers.is_a?(Array) || config.raw_config.servers[name].is_a?(Array)
-        {}
-      else
-        config.raw_config.servers[name]
-      end
+      @specializations ||= role_config.is_a?(Array) ? {} : role_config
+    end
+
+    def role_config
+      @role_config ||= config.raw_config.servers.is_a?(Array) ? {} : config.raw_config.servers[name]
     end
 
     def custom_labels

data/lib/kamal/configuration/validator/role.rb

@@ -3,7 +3,7 @@ class Kamal::Configuration::Validator::Role < Kamal::Configuration::Validator
     validate_type! config, Array, Hash
 
     if config.is_a?(Array)
-      validate_servers! "servers", config
+      validate_servers!(config)
     else
       super
     end