kamal 2.8.1 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd8b2329effde7405d2a1b8d60f394d1da81faaf5e8bcd6980c83f8bb590f988
-  data.tar.gz: 5543d21fbe88acf86a24fcf1f44dff30e0aaf410b3ead0293b0f005b15fa2cbb
+  metadata.gz: bd7c6e6e18ca7cc95712642dfdb5ec45c33e06b6a02750e5ee7a3f1ac3428ea2
+  data.tar.gz: 1a8acfe5ec44636827ca70da1263289e6082359c58601acce9870d1d46ba750b
 SHA512:
-  metadata.gz: bdae637114b1ad0630d5b1bbc0e76be5ebb3817d370d1f3f5a4222024f13fa3546a24806ad812e9d6d14735c2be23ed6956702723e75cc27c5ec34ebe87d72f9
-  data.tar.gz: 8db206acbeb707f3a0d3267720b9d248cb2566517d340a61072777e0fdbbf237701d42e203d2d96b21fb7c04596896d6039c4ba9d59eb1515d47de0f85148248
+  metadata.gz: d1fb62392ddafc5b1fe6b54055121654bd73625eaf9808848ed60d7d40fdadf2938675b0bc881fca1297ee089f78b3768eefb96f5c10e9e8346265f20d9663e2
+  data.tar.gz: 6fc4f87a3ea64ebdee5c3c666cdafa5b15a0f7b243f575b402d82a2c8eec5b3802a05c0b5a80f6856eb92c24647b65a7bbdb8a68fd208dc873f1cd55d725894e

data/lib/kamal/cli/accessory.rb

@@ -128,12 +128,13 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
 
   desc "details [NAME]", "Show details about accessory on host (use NAME=all to show all accessories)"
   def details(name)
+    quiet = options[:quiet]
     if name == "all"
       KAMAL.accessory_names.each { |accessory_name| details(accessory_name) }
     else
       type = "Accessory #{name}"
       with_accessory(name) do |accessory, hosts|
-        on(hosts) { puts_by_host host, capture_with_info(*accessory.info), type: type }
+        on(hosts) { puts_by_host host, capture_with_info(*accessory.info), type: type, quiet: quiet }
       end
     end
   end
@@ -145,6 +146,8 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
     pre_connect_if_required
 
     cmd = Kamal::Utils.join_commands(cmd)
+    quiet = options[:quiet]
+
     with_accessory(name) do |accessory, hosts|
       case
       when options[:interactive] && options[:reuse]
@@ -160,7 +163,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
         say "Launching command from existing container...", :magenta
         on(hosts) do |host|
           execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          puts_by_host host, capture_with_info(*accessory.execute_in_existing_container(cmd))
+          puts_by_host host, capture_with_info(*accessory.execute_in_existing_container(cmd)), quiet: quiet
         end
 
       else
@@ -168,7 +171,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
         on(hosts) do |host|
           execute *KAMAL.registry.login
           execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          puts_by_host host, capture_with_info(*accessory.execute_in_new_container(cmd))
+          puts_by_host host, capture_with_info(*accessory.execute_in_new_container(cmd)), quiet: quiet
         end
       end
     end

data/lib/kamal/cli/app.rb

@@ -92,11 +92,12 @@ class Kamal::Cli::App < Kamal::Cli::Base
   # FIXME: Drop in favor of just containers?
   desc "details", "Show details about app containers"
   def details
+    quiet = options[:quiet]
     on(KAMAL.app_hosts) do |host|
       roles = KAMAL.roles_on(host)
 
       roles.each do |role|
-        puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).info)
+        puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).info), quiet: quiet
       end
     end
   end
@@ -120,6 +121,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
     cmd = Kamal::Utils.join_commands(cmd)
     env = options[:env]
     detach = options[:detach]
+    quiet = options[:quiet]
     case
     when options[:interactive] && options[:reuse]
       say "Get current version of running container...", :magenta unless options[:version]
@@ -148,7 +150,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
           roles.each do |role|
             execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on app version #{version}", role: role), verbosity: :debug
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_existing_container(cmd, env: env))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_existing_container(cmd, env: env)), quiet: quiet
           end
         end
       end
@@ -164,7 +166,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
           roles.each do |role|
             execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on app version #{version}"), verbosity: :debug
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env, detach: detach))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env, detach: detach)), quiet: quiet
           end
         end
       end
@@ -173,12 +175,14 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
   desc "containers", "Show app containers on servers"
   def containers
-    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers) }
+    quiet = options[:quiet]
+    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers), quiet: quiet }
   end
 
   desc "stale_containers", "Detect app stale containers"
   option :stop, aliases: "-s", type: :boolean, default: false, desc: "Stop the stale containers found"
   def stale_containers
+    quiet = options[:quiet]
     stop = options[:stop]
 
     with_lock_if_stopping do
@@ -192,10 +196,10 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
           versions.each do |version|
             if stop
-              puts_by_host host, "Stopping stale container for role #{role} with version #{version}"
+              puts_by_host host, "Stopping stale container for role #{role} with version #{version}", quiet: quiet
               execute *app.stop(version: version), raise_on_non_zero_exit: false
             else
-              puts_by_host host,  "Detected stale container for role #{role} with version #{version} (use `kamal app stale_containers --stop` to stop)"
+              puts_by_host host,  "Detected stale container for role #{role} with version #{version} (use `kamal app stale_containers --stop` to stop)", quiet: quiet
             end
           end
         end
@@ -205,7 +209,8 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
   desc "images", "Show app images on servers"
   def images
-    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images) }
+    quiet = options[:quiet]
+    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images), quiet: quiet }
   end
 
   desc "logs", "Show log lines from app on servers (use --help to show options)"
@@ -224,6 +229,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
     since = options[:since]
     container_id = options[:container_id]
     timestamps = !options[:skip_timestamps]
+    quiet = options[:quiet]
 
     if options[:follow]
       lines = options[:lines].presence || ((since || grep) ? nil : 10) # Default to 10 lines if since or grep isn't set
@@ -246,9 +252,9 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
         roles.each do |role|
           begin
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(container_id: container_id, timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(container_id: container_id, timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options)), quiet: quiet
           rescue SSHKit::Command::Failed
-            puts_by_host host, "Nothing found"
+            puts_by_host host, "Nothing found", quiet: quiet
           end
         end
       end
@@ -352,9 +358,10 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
   desc "version", "Show app version currently running on servers"
   def version
+    quiet = options[:quiet]
     on(KAMAL.app_hosts) do |host|
       role = KAMAL.roles_on(host).first
-      puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).current_running_version).strip
+      puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).current_running_version).strip, quiet: quiet
     end
   end
 

data/lib/kamal/cli/build/clone.rb

@@ -1,5 +1,3 @@
-require "uri"
-
 class Kamal::Cli::Build::Clone
   attr_reader :sshkit
   delegate :info, :error, :execute, :capture_with_info, to: :sshkit

data/lib/kamal/cli/build/port_forwarding.rb

@@ -0,0 +1,66 @@
+require "concurrent/atomic/count_down_latch"
+
+class Kamal::Cli::Build::PortForwarding
+  attr_reader :hosts, :port, :ssh_options
+
+  def initialize(hosts, port, **ssh_options)
+    @hosts = hosts
+    @port = port
+    @ssh_options = ssh_options
+  end
+
+  def forward
+    @done = false
+    forward_ports
+
+    yield
+  ensure
+    stop
+  end
+
+  private
+    def stop
+      @done = true
+      @threads.to_a.each(&:join)
+    end
+
+    def forward_ports
+      ready = Concurrent::CountDownLatch.new(hosts.size)
+
+      @threads = hosts.map do |host|
+        Thread.new do
+          begin
+            Net::SSH.start(host, ssh_options[:user], **ssh_options.except(:user)) do |ssh|
+              ssh.forward.remote(port, "localhost", port, "127.0.0.1") do |remote_port, bind_address|
+                if remote_port == :error
+                  raise "Failed to establish port forward on #{host}"
+                else
+                  ready.count_down
+                end
+              end
+
+              ssh.loop(0.1) do
+                if @done
+                  ssh.forward.cancel_remote(port, "127.0.0.1")
+                  break
+                else
+                  true
+                end
+              end
+            end
+          rescue Exception => e
+            error "Error setting up port forwarding to #{host}: #{e.class}: #{e.message}"
+            error e.backtrace.join("\n")
+
+            raise
+          end
+        end
+      end
+
+      raise "Timed out waiting for port forwarding to be established" unless ready.wait(30)
+    end
+
+    def error(message)
+      SSHKit.config.output.error(message)
+    end
+end

data/lib/kamal/cli/build.rb

@@ -1,5 +1,3 @@
-require "uri"
-
 class Kamal::Cli::Build < Kamal::Cli::Base
   class BuildError < StandardError; end
 
@@ -38,29 +36,31 @@ class Kamal::Cli::Build < Kamal::Cli::Base
       say "Building with uncommitted changes:\n #{uncommitted_changes}", :yellow
     end
 
-    with_env(KAMAL.config.builder.secrets) do
-      run_locally do
-        begin
-          execute *KAMAL.builder.inspect_builder
-        rescue SSHKit::Command::Failed => e
-          if e.message =~ /(context not found|no builder|no compatible builder|does not exist)/
-            warn "Missing compatible builder, so creating a new one first"
-            begin
-              cli.remove
-            rescue SSHKit::Command::Failed
-              raise unless e.message =~ /(context not found|no builder|does not exist)/
+    forward_local_registry_port_for_remote_builder do
+      with_env(KAMAL.config.builder.secrets) do
+        run_locally do
+          begin
+            execute *KAMAL.builder.inspect_builder
+          rescue SSHKit::Command::Failed => e
+            if e.message =~ /(context not found|no builder|no compatible builder|does not exist)/
+              warn "Missing compatible builder, so creating a new one first"
+              begin
+                cli.remove
+              rescue SSHKit::Command::Failed
+                raise unless e.message =~ /(context not found|no builder|does not exist)/
+              end
+              cli.create
+            else
+              raise
             end
-            cli.create
-          else
-            raise
           end
-        end
 
-        # Get the command here to ensure the Dir.chdir doesn't interfere with it
-        push = KAMAL.builder.push(cli.options[:output], no_cache: cli.options[:no_cache])
+          # Get the command here to ensure the Dir.chdir doesn't interfere with it
+          push = KAMAL.builder.push(cli.options[:output], no_cache: cli.options[:no_cache])
 
-        KAMAL.with_verbosity(:debug) do
-          Dir.chdir(KAMAL.config.builder.build_directory) { execute *push, env: KAMAL.builder.push_env }
+          KAMAL.with_verbosity(:debug) do
+            Dir.chdir(KAMAL.config.builder.build_directory) { execute *push, env: KAMAL.builder.push_env }
+          end
         end
       end
     end
@@ -70,7 +70,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
   def pull
     login_to_registry_remotely unless KAMAL.registry.local?
 
-    forward_local_registry_port do
+    forward_local_registry_port(KAMAL.hosts, **KAMAL.config.ssh.options) do
       if (first_hosts = mirror_hosts).any?
         #  Pull on a single host per mirror first to seed them
         say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
@@ -210,13 +210,30 @@ class Kamal::Cli::Build < Kamal::Cli::Base
       end
     end
 
-    def forward_local_registry_port(&block)
+    def forward_local_registry_port_for_remote_builder(&block)
+      if KAMAL.builder.remote?
+        remote_uri = URI(KAMAL.config.builder.remote)
+        forward_local_registry_port([ remote_uri.host ], **remote_builder_ssh_options(remote_uri), &block)
+      else
+        yield
+      end
+    end
+
+    def forward_local_registry_port(hosts, **ssh_options, &block)
       if KAMAL.config.registry.local?
-        Kamal::Cli::PortForwarding.
-          new(KAMAL.hosts, KAMAL.config.registry.local_port).
-          forward(&block)
+        say "Setting up local registry port forwarding to #{hosts.join(', ')}..."
+        PortForwarding.new(hosts, KAMAL.config.registry.local_port, **ssh_options).forward(&block)
       else
         yield
       end
     end
+
+    def remote_builder_ssh_options(remote_uri)
+      { user: remote_uri.user,
+        port: remote_uri.port,
+        keepalive: KAMAL.config.ssh.options[:keepalive],
+        keepalive_interval: KAMAL.config.ssh.options[:keepalive_interval],
+        logger: KAMAL.config.ssh.options[:logger]
+      }.compact
+    end
 end

data/lib/kamal/cli/main.rb

@@ -112,8 +112,9 @@ class Kamal::Cli::Main < Kamal::Cli::Base
 
   desc "audit", "Show audit log from servers"
   def audit
+    quiet = options[:quiet]
     on(KAMAL.hosts) do |host|
-      puts_by_host host, capture_with_info(*KAMAL.auditor.reveal)
+      puts_by_host host, capture_with_info(*KAMAL.auditor.reveal), quiet: quiet
     end
   end
 

data/lib/kamal/cli/proxy.rb

@@ -197,7 +197,8 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
 
   desc "details", "Show details about proxy container from servers"
   def details
-    on(KAMAL.proxy_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.proxy.info), type: "Proxy" }
+    quiet = options[:quiet]
+    on(KAMAL.proxy_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.proxy.info), type: "Proxy", quiet: quiet }
   end
 
   desc "logs", "Show log lines from proxy on servers"

data/lib/kamal/cli/registry.rb

@@ -24,4 +24,26 @@ class Kamal::Cli::Registry < Kamal::Cli::Base
       on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
     end
   end
+
+  desc "login", "Log in to remote registry locally and remotely"
+  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
+  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
+  def login
+    if KAMAL.registry.local?
+      raise "Cannot use login command with a local registry. Use `kamal registry setup` instead."
+    end
+
+    setup
+  end
+
+  desc "logout", "Log out of remote registry locally and remotely"
+  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
+  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
+  def logout
+    if KAMAL.registry.local?
+      raise "Cannot use logout command with a local registry. Use `kamal registry remove` instead."
+    end
+
+    remove
+  end
 end

data/lib/kamal/cli/server.rb

@@ -6,6 +6,7 @@ class Kamal::Cli::Server < Kamal::Cli::Base
 
     cmd = Kamal::Utils.join_commands(cmd)
     hosts = KAMAL.hosts
+    quiet = options[:quiet]
 
     case
     when options[:interactive]
@@ -19,7 +20,7 @@ class Kamal::Cli::Server < Kamal::Cli::Base
 
       on(hosts) do |host|
         execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{host}"), verbosity: :debug
-        puts_by_host host, capture_with_info(cmd)
+        puts_by_host host, capture_with_info(cmd), quiet: quiet
       end
     end
   end

data/lib/kamal/cli/templates/secrets

@@ -7,6 +7,7 @@
 
 # Option 2: Read secrets via a command
 # RAILS_MASTER_KEY=$(cat config/master.key)
+# KAMAL_REGISTRY_PASSWORD=$(rails credentials:fetch kamal.registry_password)
 
 # Option 3: Read secrets via kamal secrets helpers
 # These will handle logging in and fetching the secrets in as few calls as possible

data/lib/kamal/commander.rb

@@ -155,6 +155,7 @@ class Kamal::Commander
       SSHKit::Backend::Netssh.pool.idle_timeout = config.sshkit.pool_idle_timeout
       SSHKit::Backend::Netssh.configure do |sshkit|
         sshkit.max_concurrent_starts = config.sshkit.max_concurrent_starts
+        sshkit.dns_retries = config.sshkit.dns_retries
         sshkit.ssh_options = config.ssh.options
       end
       SSHKit.config.command_map[:docker] = "docker" # No need to use /usr/bin/env, just clogs up the logs

data/lib/kamal/commands/app/execution.rb

@@ -12,6 +12,7 @@ module Kamal::Commands::App::Execution
       (docker_interactive_args if interactive),
       ("--detach" if detach),
       ("--rm" unless detach),
+      "--name", container_name_for_exec,
       "--network", "kamal",
       *role&.env_args(host),
       *argumentize("--env", env),
@@ -22,11 +23,16 @@ module Kamal::Commands::App::Execution
       *command
   end
 
-  def execute_in_existing_container_over_ssh(*command,  env:)
+  def execute_in_existing_container_over_ssh(*command, env:)
     run_over_ssh execute_in_existing_container(*command, interactive: true, env: env), host: host
   end
 
   def execute_in_new_container_over_ssh(*command, env:)
     run_over_ssh execute_in_new_container(*command, interactive: true, env: env), host: host
   end
+
+  private
+    def container_name_for_exec
+      [ role.container_prefix, "exec", config.version, SecureRandom.hex(3) ].compact.join("-")
+    end
 end

data/lib/kamal/commands/builder/base.rb

@@ -127,6 +127,16 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
       config.builder
     end
 
+    def registry_config
+      config.registry
+    end
+
+    def driver_options
+      if registry_config.local?
+        [ "--driver-opt", "network=host" ]
+      end
+    end
+
     def platform_options(arches)
       argumentize "--platform", arches.map { |arch| "linux/#{arch}" }.join(",") if arches.any?
     end

data/lib/kamal/commands/builder/hybrid.rb

@@ -8,14 +8,14 @@ class Kamal::Commands::Builder::Hybrid < Kamal::Commands::Builder::Remote
 
   private
     def builder_name
-      "kamal-hybrid-#{driver}-#{remote.gsub(/[^a-z0-9_-]/, "-")}"
+      "kamal-hybrid-#{driver}-#{remote_builder_name_suffix}"
     end
 
     def create_local_buildx
-      docker :buildx, :create, *platform_options(local_arches), "--name", builder_name, "--driver=#{driver}"
+      docker :buildx, :create, *platform_options(local_arches), "--name", builder_name, "--driver=#{driver}", *driver_options
     end
 
     def append_remote_buildx
-      docker :buildx, :create, *platform_options(remote_arches), "--append", "--name", builder_name, remote_context_name
+      docker :buildx, :create, *platform_options(remote_arches), "--append", "--name", builder_name, *driver_options, remote_context_name
     end
 end

data/lib/kamal/commands/builder/local.rb

@@ -2,14 +2,7 @@ class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
   def create
     return if docker_driver?
 
-    options =
-      if KAMAL.registry.local?
-        "--driver=#{driver} --driver-opt network=host"
-      else
-        "--driver=#{driver}"
-      end
-
-    docker :buildx, :create, "--name", builder_name, options
+    docker :buildx, :create, "--name", builder_name, "--driver=#{driver}", *driver_options
   end
 
   def remove
@@ -18,7 +11,7 @@ class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
 
   private
     def builder_name
-      if KAMAL.registry.local?
+      if registry_config.local?
         "kamal-local-registry-#{driver}"
       else
         "kamal-local-#{driver}"

data/lib/kamal/commands/builder/remote.rb

@@ -34,13 +34,17 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
 
   private
     def builder_name
-      "kamal-remote-#{remote.gsub(/[^a-z0-9_-]/, "-")}"
+      "kamal-remote-#{remote_builder_name_suffix}"
     end
 
     def remote_context_name
       "#{builder_name}-context"
     end
 
+    def remote_builder_name_suffix
+      "#{remote.gsub(/[^a-z0-9_-]/, "-")}#{registry_config.local? ? "-local-registry" : "" }"
+    end
+
     def inspect_buildx
       pipe \
         docker(:buildx, :inspect, builder_name),
@@ -62,7 +66,7 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
     end
 
     def create_buildx
-      docker :buildx, :create, "--name", builder_name, remote_context_name
+      docker :buildx, :create, "--name", builder_name, *driver_options, remote_context_name
     end
 
     def remove_buildx

data/lib/kamal/configuration/builder.rb

@@ -177,8 +177,15 @@ class Kamal::Configuration::Builder
       [ server, cache_image ].compact.join("/")
     end
 
+    def cache_options
+      builder_config["cache"]&.fetch("options", nil)
+    end
+
     def cache_from_config_for_gha
-      "type=gha"
+      individual_options = cache_options&.split(",") || []
+      allowed_options = individual_options.select { |option| option =~ /^(url|url_v2|token|scope|timeout)=/ }
+
+      [ "type=gha", *allowed_options ].compact.join(",")
     end
 
     def cache_from_config_for_registry
@@ -186,11 +193,11 @@ class Kamal::Configuration::Builder
     end
 
     def cache_to_config_for_gha
-      [ "type=gha", builder_config["cache"]&.fetch("options", nil) ].compact.join(",")
+      [ "type=gha", cache_options ].compact.join(",")
     end
 
     def cache_to_config_for_registry
-      [ "type=registry", "ref=#{cache_image_ref}", builder_config["cache"]&.fetch("options", nil) ].compact.join(",")
+      [ "type=registry", "ref=#{cache_image_ref}", cache_options ].compact.join(",")
     end
 
     def repo_basename

data/lib/kamal/configuration/docs/configuration.yml

@@ -82,6 +82,12 @@ asset_path: /path/to/assets
 # See https://kamal-deploy.org/docs/hooks for more information:
 hooks_path: /user_home/kamal/hooks
 
+# Secrets path
+#
+# Path to secrets, defaults to `.kamal/secrets`.
+# Kamal will look for `<secrets_path>-common` and `<secrets_path>` (or `<secrets_path>.<destination>` when using destinations):
+secrets_path: /user_home/kamal/secrets
+
 # Error pages
 #
 # A directory relative to the app root to find error pages for the proxy to serve.

data/lib/kamal/configuration/docs/registry.yml

@@ -1,19 +1,27 @@
 # Registry
 #
 # The default registry is Docker Hub, but you can change it using `registry/server`.
+
+# Using a local container registry
+#
+# If the registry server starts with `localhost`, Kamal will start a local Docker registry
+# on that port and push the app image to it.
+registry:
+  server: localhost:5555
+
+# Using Docker Hub as the container registry
 #
 # By default, Docker Hub creates public repositories. To avoid making your images public,
 # set up a private repository before deploying, or change the default repository privacy
 # settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
 #
-# A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
+# A reference to a secret (in this case, `KAMAL_REGISTRY_PASSWORD`) will look up the secret
 # in the local environment:
 registry:
-  server: registry.digitalocean.com
   username:
-    - DOCKER_REGISTRY_TOKEN
+    - <your docker hub username>
   password:
-    - DOCKER_REGISTRY_TOKEN
+    - KAMAL_REGISTRY_PASSWORD
 
 # Using AWS ECR as the container registry
 #

data/lib/kamal/configuration/docs/ssh.yml

@@ -67,4 +67,4 @@ ssh:
   # Set to true to load the default OpenSSH config files (~/.ssh/config,
   # /etc/ssh_config), to false ignore config files, or to a file path
   # (or array of paths) to load specific configuration. Defaults to true.
-  config: true
+  config: [ "~/.ssh/myconfig" ]

data/lib/kamal/configuration/docs/sshkit.yml

@@ -21,3 +21,11 @@ sshkit:
   # Kamal sets a long idle timeout of 900 seconds on connections to try to avoid
   # re-connection storms after an idle period, such as building an image or waiting for CI.
   pool_idle_timeout: 300
+
+  # DNS retry settings
+  #
+  # Some resolvers (mDNSResponder, systemd-resolved, Tailscale) can drop lookups during
+  # bursts of concurrent SSH starts. Kamal will retry DNS failures automatically.
+  #
+  # Number of retries after the initial attempt. Set to 0 to disable.
+  dns_retries: 3

data/lib/kamal/configuration/role.rb

@@ -36,7 +36,7 @@ class Kamal::Configuration::Role
   end
 
   def env_tags(host)
-    tagged_hosts.fetch(host).collect { |tag| config.env_tag(tag) }
+    tagged_hosts.fetch(host).collect { |tag| config.env_tag(tag) }.compact
   end
 
   def cmd

data/lib/kamal/configuration/ssh.rb

@@ -38,8 +38,12 @@ class Kamal::Configuration::Ssh
     ssh_config["key_data"]
   end
 
+  def config
+    ssh_config["config"]
+  end
+
   def options
-    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30, keys_only: keys_only, keys: keys, key_data: key_data }.compact
+    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30, keys_only: keys_only, keys: keys, key_data: key_data, config: config  }.compact
   end
 
   def to_h

data/lib/kamal/configuration/sshkit.rb

@@ -16,6 +16,10 @@ class Kamal::Configuration::Sshkit
     sshkit_config.fetch("pool_idle_timeout", 900)
   end
 
+  def dns_retries
+    Integer(sshkit_config.fetch("dns_retries", 3))
+  end
+
   def to_h
     sshkit_config
   end

data/lib/kamal/configuration/validator.rb

@@ -34,6 +34,8 @@ class Kamal::Configuration::Validator
             elsif example_value.is_a?(Array)
               if key == "arch"
                 validate_array_of_or_type! value, example_value.first.class
+              elsif key.to_s == "config"
+                validate_ssh_config!(value)
               else
                 validate_array_of! value, example_value.first.class
               end
@@ -129,6 +131,16 @@ class Kamal::Configuration::Validator
       end
     end
 
+    def validate_ssh_config!(config)
+      if config.is_a?(Array)
+        validate_array_of! config, String
+      elsif boolean?(config.class) || config.is_a?(String)
+        # Booleans and Strings are allowed
+      else
+        type_error(TrueClass, FalseClass, String, Array)
+      end
+    end
+
     def validate_type!(value, *types)
       type_error(*types) unless types.any? { |type| valid_type?(value, type) }
     end
@@ -138,7 +150,8 @@ class Kamal::Configuration::Validator
     end
 
     def type_error(*expected_types)
-      error "should be #{expected_types.map { |type| type_description(type) }.join(" or ")}"
+      descriptions = expected_types.map { |type| type_description(type) }.uniq
+      error "should be #{descriptions.join(" or ")}"
     end
 
     def unknown_keys_error(unknown_keys)

data/lib/kamal/configuration.rb

@@ -50,7 +50,7 @@ class Kamal::Configuration
 
     validate! raw_config, example: validation_yml.symbolize_keys, context: "", with: Kamal::Configuration::Validator::Configuration
 
-    @secrets = Kamal::Secrets.new(destination: destination)
+    @secrets = Kamal::Secrets.new(destination: destination, secrets_path: secrets_path)
 
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)
@@ -76,6 +76,7 @@ class Kamal::Configuration
     ensure_no_traefik_reboot_hooks
     ensure_one_host_for_ssl_roles
     ensure_unique_hosts_for_ssl_roles
+    ensure_local_registry_remote_builder_has_ssh_url
   end
 
   def version=(version)
@@ -240,6 +241,10 @@ class Kamal::Configuration
     raw_config.hooks_path || ".kamal/hooks"
   end
 
+  def secrets_path
+    raw_config.secrets_path || ".kamal/secrets"
+  end
+
   def asset_path
     raw_config.asset_path
   end
@@ -363,6 +368,16 @@ class Kamal::Configuration
       true
     end
 
+    def ensure_local_registry_remote_builder_has_ssh_url
+      if registry.local? && builder.remote?
+        unless URI(builder.remote).scheme == "ssh"
+          raise Kamal::ConfigurationError, "Local registry with remote builder requires an SSH URL (e.g., ssh://user@host)"
+        end
+      end
+
+      true
+    end
+
     def role_names
       raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
     end

data/lib/kamal/secrets/adapters/passbolt.rb

@@ -47,9 +47,8 @@ class Kamal::Secrets::Adapters::Passbolt < Kamal::Secrets::Adapters::Base
       end
 
       filter_condition = filter_conditions.any? ? "--filter '#{filter_conditions.join(" || ")}'" : ""
-      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"]}" }.join(" ")} --json`
+      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"].to_s.shellescape}" }.join(" ")} --json`
       raise RuntimeError, "Could not read #{secrets} from Passbolt" unless $?.success?
-
       items = JSON.parse(items)
       found_names = items.map { |item| item["name"] }
       missing_secrets = secret_names - found_names

data/lib/kamal/secrets.rb

@@ -3,8 +3,9 @@ require "dotenv"
 class Kamal::Secrets
   Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
 
-  def initialize(destination: nil)
+  def initialize(destination: nil, secrets_path:)
     @destination = destination
+    @secrets_path = secrets_path
     @mutex = Mutex.new
   end
 
@@ -37,6 +38,6 @@ class Kamal::Secrets
     end
 
     def secrets_filenames
-      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
+      [ "#{@secrets_path}-common", "#{@secrets_path}#{(".#{@destination}" if @destination)}" ]
     end
 end

data/lib/kamal/sshkit_with_ext.rb

@@ -3,6 +3,7 @@ require "sshkit/dsl"
 require "net/scp"
 require "active_support/core_ext/hash/deep_merge"
 require "json"
+require "resolv"
 require "concurrent/atomic/semaphore"
 
 class SSHKit::Backend::Abstract
@@ -18,8 +19,11 @@ class SSHKit::Backend::Abstract
     JSON.pretty_generate(JSON.parse(capture(*args, **kwargs)))
   end
 
-  def puts_by_host(host, output, type: "App")
-    puts "#{type} Host: #{host}\n#{output}\n\n"
+  def puts_by_host(host, output, type: "App", quiet: false)
+    unless quiet
+      puts "#{type} Host: #{host}"
+    end
+    puts "#{output}\n\n"
   end
 
   # Our execution pattern is for the CLI execute args lists returned
@@ -58,10 +62,50 @@ class SSHKit::Backend::Abstract
 end
 
 class SSHKit::Backend::Netssh::Configuration
-  attr_accessor :max_concurrent_starts
+  attr_accessor :max_concurrent_starts, :dns_retries
 end
 
 class SSHKit::Backend::Netssh
+  module DnsRetriable
+    DNS_RETRY_BASE = 0.1
+    DNS_RETRY_MAX = 2.0
+    DNS_RETRY_JITTER = 0.1
+    DNS_ERROR_MESSAGE = /getaddrinfo|Temporary failure in name resolution|Name or service not known|nodename nor servname provided|No address associated|failed to look up|resolve/i
+
+    def with_dns_retry(hostname, retries: config.dns_retries, base: DNS_RETRY_BASE, max_sleep: DNS_RETRY_MAX, jitter: DNS_RETRY_JITTER)
+      attempts = 0
+      begin
+        attempts += 1
+        yield
+      rescue => error
+        raise unless retryable_dns_error?(error) && attempts <= retries
+
+        delay = dns_retry_sleep(attempts, base: base, jitter: jitter, max_sleep: max_sleep)
+        SSHKit.config.output.warn("Retrying DNS for #{hostname} (attempt #{attempts}/#{retries}) in #{format("%0.2f", delay)}s: #{error.message}")
+        sleep delay
+        retry
+      end
+    end
+
+    private
+      def retryable_dns_error?(error)
+        case error
+        when Resolv::ResolvError, Resolv::ResolvTimeout
+          true
+        when SocketError
+          error.message =~ DNS_ERROR_MESSAGE
+        else
+          error.cause && retryable_dns_error?(error.cause)
+        end
+      end
+
+      def dns_retry_sleep(attempt, base:, jitter:, max_sleep:)
+        sleep_for = [ base * (2 ** (attempt - 1)), max_sleep ].min
+        sleep_for += Kernel.rand * jitter
+        sleep_for
+      end
+  end
+
   module LimitConcurrentStartsClass
     attr_reader :start_semaphore
 
@@ -76,14 +120,31 @@ class SSHKit::Backend::Netssh
 
   class << self
     prepend LimitConcurrentStartsClass
+    prepend DnsRetriable
   end
 
+  module ConnectSsh
+    private
+      def connect_ssh(...)
+        Net::SSH.start(...)
+      end
+  end
+  include ConnectSsh
+
+  module DnsRetriableConnection
+    private
+      def connect_ssh(...)
+        self.class.with_dns_retry(host.hostname) { super }
+      end
+  end
+  prepend DnsRetriableConnection
+
   module LimitConcurrentStartsInstance
     private
       def with_ssh(&block)
         host.ssh_options = self.class.config.ssh_options.merge(host.ssh_options || {})
         self.class.pool.with(
-          method(:start_with_concurrency_limit),
+          method(:connect_ssh),
           String(host.hostname),
           host.username,
           host.netssh_options,
@@ -91,17 +152,18 @@ class SSHKit::Backend::Netssh
         )
       end
 
-      def start_with_concurrency_limit(*args)
+      def connect_ssh(...)
+        with_concurrency_limit { super }
+      end
+
+      def with_concurrency_limit(&block)
         if self.class.start_semaphore
-          self.class.start_semaphore.acquire do
-            Net::SSH.start(*args)
-          end
+          self.class.start_semaphore.acquire(&block)
         else
-          Net::SSH.start(*args)
+          yield
         end
       end
   end
-
   prepend LimitConcurrentStartsInstance
 end
 

data/lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.8.1"
+  VERSION = "2.9.0"
 end

data/lib/kamal.rb

@@ -7,6 +7,7 @@ require "zeitwerk"
 require "yaml"
 require "tmpdir"
 require "pathname"
+require "uri"
 
 loader = Zeitwerk::Loader.for_gem
 loader.ignore(File.join(__dir__, "kamal", "sshkit_with_ext.rb"))

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kamal
 version: !ruby/object:Gem::Version
-  version: 2.8.1
+  version: 2.9.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -224,12 +224,12 @@ files:
 - lib/kamal/cli/base.rb
 - lib/kamal/cli/build.rb
 - lib/kamal/cli/build/clone.rb
+- lib/kamal/cli/build/port_forwarding.rb
 - lib/kamal/cli/healthcheck/barrier.rb
 - lib/kamal/cli/healthcheck/error.rb
 - lib/kamal/cli/healthcheck/poller.rb
 - lib/kamal/cli/lock.rb
 - lib/kamal/cli/main.rb
-- lib/kamal/cli/port_forwarding.rb
 - lib/kamal/cli/proxy.rb
 - lib/kamal/cli/prune.rb
 - lib/kamal/cli/registry.rb

data/lib/kamal/cli/port_forwarding.rb

@@ -1,55 +0,0 @@
-require "concurrent/atomic/count_down_latch"
-
-class Kamal::Cli::PortForwarding
-  attr_reader :hosts, :port
-
-  def initialize(hosts, port)
-    @hosts = hosts
-    @port = port
-  end
-
-  def forward
-    @done = false
-    forward_ports
-
-    yield
-  ensure
-    stop
-  end
-
-  private
-
-  def stop
-    @done = true
-    @threads.to_a.each(&:join)
-  end
-
-  def forward_ports
-    ready = Concurrent::CountDownLatch.new(hosts.size)
-
-    @threads = hosts.map do |host|
-      Thread.new do
-        Net::SSH.start(host, KAMAL.config.ssh.user, **{ proxy: KAMAL.config.ssh.proxy }.compact) do |ssh|
-          ssh.forward.remote(port, "localhost", port, "127.0.0.1") do |remote_port, bind_address|
-            if remote_port == :error
-              raise "Failed to establish port forward on #{host}"
-            else
-              ready.count_down
-            end
-          end
-
-          ssh.loop(0.1) do
-            if @done
-              ssh.forward.cancel_remote(port, "127.0.0.1")
-              break
-            else
-              true
-            end
-          end
-        end
-      end
-    end
-
-    raise "Timed out waiting for port forwarding to be established" unless ready.wait(10)
-  end
-end