moby-derp 0.1.0

data/lib/moby_derp/mount.rb

@@ -0,0 +1,56 @@
+module MobyDerp
+	class Mount
+		attr_reader :source, :target, :readonly
+
+		def initialize(source:, target:, readonly: false)
+			@source, @target, @readonly = source, target, readonly
+
+			validate_source
+			validate_target
+			validate_readonly
+		end
+
+		private
+
+		def validate_source
+			unless @source.is_a?(String)
+				raise ConfigurationError,
+				      "mount source must be a string (got #{@source.inspect})"
+			end
+
+			if @source =~ %r{(^|/)\.\.($|/)}
+				raise ConfigurationError,
+				      "path traversal detected -- nice try, buddy"
+			end
+
+			if @source =~ %r{^(/|~)}
+				raise ConfigurationError,
+				      "mount sources can only be relative paths"
+			end
+		end
+
+		def validate_target
+			unless @target.is_a?(String)
+				raise ConfigurationError,
+				      "mount target must be a string (got #{@target.inspect})"
+			end
+
+			if @target =~ %r{(^|/)\.\.($|/)}
+				raise ConfigurationError,
+				      "target path must not contain '../'"
+			end
+
+			if @target !~ %r{^/}
+				raise ConfigurationError,
+				      "mount target must be an absolute path"
+			end
+		end
+
+		def validate_readonly
+			unless @readonly == true || @readonly == false
+				raise ConfigurationError,
+				      "readonly flag must be either true or false (got #{@readonly.inspect})"
+			end
+		end
+	end
+end

data/lib/moby_derp/pod.rb

@@ -0,0 +1,89 @@
+require_relative "./container"
+require_relative "./logging_helpers"
+
+module MobyDerp
+	class Pod
+		include LoggingHelpers
+
+		attr_reader :logger
+
+		def initialize(pod_config)
+			@config = pod_config
+			@logger = pod_config.logger
+		end
+
+		def run
+			@logger.info(logloc) { "Checking root container" }
+			@root_container_id = root_container.run
+
+			@logger.debug(logloc) { "Root container ID is #{@root_container_id}" }
+
+			@config.containers.each do |cfg|
+				@logger.info(logloc) { "Checking container #{cfg.name}" }
+
+				begin
+					MobyDerp::Container.new(pod: self, container_config: cfg).run
+				rescue MobyDerp::ContainerError => ex
+					raise MobyDerp::ContainerError,
+					      "error while running container #{cfg.name}: #{ex.message}",
+							ex.backtrace
+				end
+			end
+		end
+
+		def name
+			@config.name
+		end
+
+		def root_container_id
+			if @root_container_id.nil?
+				raise MobyDerp::BugError,
+				      "root_container_id requested before root container was spawned"
+			else
+				@root_container_id
+			end
+		end
+
+		def common_labels
+			@config.common_labels
+		end
+
+		def common_environment
+			@config.common_environment
+		end
+
+		def common_mounts
+			@config.common_mounts
+		end
+
+		def mount_root
+			@config.mount_root
+		end
+
+		def network_name
+			@config.network_name
+		end
+
+		def hostname
+			@config.hostname
+		end
+
+		private
+
+		def root_container
+			MobyDerp::Container.new(pod: self, container_config: root_container_config, root_container: true)
+		end
+
+		def root_container_config
+			MobyDerp::ContainerConfig.new(
+				system_config:  @config.system_config,
+				pod_config:     @config,
+				container_name: "root",
+				image:          "gcr.io/google_containers/pause-amd64:3.0",
+				labels:         @config.root_labels,
+				readonly:       true,
+				restart:        "always",
+			)
+		end
+	end
+end

data/lib/moby_derp/pod_config.rb

@@ -0,0 +1,235 @@
+require_relative "./config_file"
+require_relative "./container_config"
+require_relative "./logging_helpers"
+require_relative "./mount"
+
+require "safe_yaml"
+require "socket"
+
+module MobyDerp
+	class PodConfig < ConfigFile
+		include LoggingHelpers
+
+		attr_reader :name,
+		            :containers,
+		            :hostname,
+		            :common_environment,
+		            :common_labels,
+		            :root_labels,
+		            :common_mounts,
+		            :expose,
+		            :publish,
+		            :publish_all,
+		            :mount_root,
+						:system_config,
+						:logger
+
+		def initialize(filename, system_config)
+			@logger = system_config.logger
+
+			super(filename)
+
+			@system_config = system_config
+
+			@name = File.basename(filename, ".*")
+			validate_name
+
+
+			unless @config.has_key?("containers")
+				raise ConfigurationError,
+				      "no containers defined"
+			end
+			@containers = @config.fetch("containers")
+			validate_containers
+
+			@logger.debug(logloc) { "Hostname is #{Socket.gethostname}" }
+			@hostname = @config.fetch("hostname", "#{@name.gsub("_", "-")}-#{Socket.gethostname}")
+
+			@common_environment = @config.fetch("common_environment", {})
+			@common_labels      = @config.fetch("common_labels", {})
+			@root_labels        = @config.fetch("root_labels", {})
+			validate_common_environment
+			validate_hash(:common_labels)
+			validate_hash(:root_labels)
+
+			@common_mounts = @config.fetch("common_mounts", [])
+			@expose        = @config.fetch("expose", [])
+			@publish       = @config.fetch("publish", [])
+			validate_common_mounts
+			validate_expose
+			validate_publish
+
+			@publish_all = @config.fetch("publish_all", false)
+			validate_publish_all
+
+			@mount_root = File.join(system_config.mount_root, @name)
+		end
+
+		def network_name
+			@system_config.network_name
+		end
+
+		private
+
+		def validate_name
+			@logger.debug(logloc) { "@name: #{@name.inspect}" }
+			unless @name =~ /\A[A-Za-z0-9][A-Za-z0-9_-]*\z/
+				raise ConfigurationError,
+				      "pod name is invalid (must start with an alphanumeric character, and only contain alphanumerics, underscores, and hyphens)"
+			end
+		end
+
+		def validate_containers
+			@logger.debug(logloc) { "@containers: #{@containers.inspect}" }
+			unless @containers.is_a?(Hash)
+				raise ConfigurationError,
+				      "containers must be a map of container names and container data"
+			end
+
+			@containers.each do |name, data|
+				unless name =~ /\A[A-Za-z0-9_-]+\z/
+					raise ConfigurationError,
+						"container name #{name.inspect} is invalid (must contain only alphanumerics, underscores, and hyphens)"
+				end
+			end
+
+			begin
+				@containers = @containers.map { |k, v| ContainerConfig.new(system_config: @system_config, pod_config: self, container_name: k, **symbolize_keys(v)) }
+			rescue ArgumentError => ex
+				case ex.message
+				when /unknown keywords?: (.*)$/
+					raise ConfigurationError,
+						   "unknown mount option(s): #{$1}"
+				when /missing keywords?: (.*)$/
+					raise ConfigurationError,
+					      "missing mount option(s): #{$1}"
+				else
+					#:nocov:
+					raise
+					#:nocov:
+				end
+			end
+		end
+
+		def validate_common_environment
+			validate_hash(:common_environment)
+
+			if (bad_vars = @common_environment.keys.select { |k| k =~ /=/ }) != []
+				raise ConfigurationError,
+				      "environment variable names cannot include equals signs: #{bad_vars.inspect}"
+			end
+		end
+
+		def validate_hash(name)
+			h = instance_variable_get(:"@#{name}")
+			@logger.debug(logloc) { "@#{name}: #{h.inspect}" }
+
+			unless h.is_a?(Hash)
+				raise ConfigurationError,
+				      "#{h} is not a map"
+			end
+
+			unless (bad_keys = h.keys.select { |k| !k.is_a?(String) }) == []
+				raise ConfigurationError,
+				      "#{h} contains non-string key(s): #{bad_keys.inspect}"
+			end
+
+			unless (bad_values = h.values.select { |v| !v.is_a?(String) }) == []
+				raise ConfigurationError,
+				      "#{h} contains non-string value(s): #{bad_values.inspect}"
+			end
+		end
+
+		def validate_common_mounts
+			@logger.debug(logloc) { "@common_mounts: #{@common_mounts.inspect}" }
+			unless @common_mounts.is_a?(Array)
+				raise ConfigurationError,
+				      "common_mounts must be an array"
+			end
+
+			begin
+				@common_mounts.map! { |m| Mount.new(**symbolize_keys(m)) }
+			rescue ArgumentError => ex
+				case ex.message
+				when /unknown keywords?: (.*)$/
+					raise ConfigurationError,
+						   "unknown mount option(s): #{$1}"
+				when /missing keywords?: (.*)$/
+					raise ConfigurationError,
+					      "missing mount option(s): #{$1}"
+				else
+					#:nocov:
+					raise
+					#:nocov:
+				end
+			end
+		end
+
+		def validate_expose
+			@logger.debug(logloc) { "@expose: #{@expose.inspect}" }
+			unless @expose.is_a?(Array)
+				raise ConfigurationError,
+				      "expose must be an array"
+			end
+
+			@expose.map!(&:to_s)
+
+			@expose.each do |e|
+				unless e.is_a?(String) && e =~ %r{\A\d+(/(tcp|udp))?\z}
+					raise ConfigurationError,
+					      "exposed ports must be integers, with an optional protocol specifier (got #{e.inspect})"
+				end
+
+				if e.to_i < 1 || e.to_i > 65535
+					raise ConfigurationError,
+					      "exposed port #{e} is out of range (expected 1-65535)"
+				end
+			end
+		end
+
+		def validate_publish
+			@logger.debug(logloc) { "@publish: #{@publish.inspect}" }
+			unless @publish.is_a?(Array)
+				raise ConfigurationError,
+				      "publish must be an array"
+			end
+
+			unless @publish.all? { |p| String === p }
+				raise ConfigurationError,
+				      "publish elements must be strings"
+			end
+
+			@publish.each do |e|
+				unless e =~ %r{\A(\d+(?:-\d+)?)?:(\d+)(?:-\d+)?(/(tcp|udp))?\z}
+					raise ConfigurationError,
+					      "invalid publish port spec #{e.inspect}"
+				end
+
+				if $2.to_i < 1 || $2.to_i > 65535
+					raise ConfigurationError,
+					      "publish port spec #{e} is out of range (expected 1-65535)"
+				end
+
+				if $1 && @system_config.port_whitelist[$1] != @name
+					raise ConfigurationError,
+					      "cannot bind to a non-whitelisted host port"
+				end
+			end
+		end
+
+		def validate_publish_all
+			unless @publish_all == true || @publish_all == false
+				raise ConfigurationError,
+				      "publish_all must be either true or false"
+			end
+		end
+
+		def symbolize_keys(h)
+			{}.tap do |res|
+				h.keys.each do |k|
+					res[k.to_sym] = h[k]
+				end
+			end
+		end
+	end
+end

data/lib/moby_derp/system_config.rb

@@ -0,0 +1,52 @@
+require_relative "./config_file"
+
+require "safe_yaml"
+
+module MobyDerp
+	class SystemConfig < ConfigFile
+		attr_reader :mount_root, :port_whitelist, :network_name, :cpu_count, :cpu_bits
+
+		def initialize(filename, moby_info, logger)
+			@logger = logger
+
+			super(filename)
+
+			@mount_root     = @config["mount_root"]
+			@port_whitelist = stringify_keys(@config["port_whitelist"] || {})
+			@network_name   = @config["network_name"] || "bridge"
+
+			@cpu_count = moby_info["NCPU"]
+			# As far as I can tell, the only 32-bit platform Moby supports is
+			# armhf; if that turns out to be incorrect, amend the list below.
+			@cpu_bits  = %w{armhf}.include?(moby_info["Architecture"]) ? 32 : 64
+
+			unless @mount_root.is_a?(String)
+				raise ConfigurationError,
+				      "mount_root must be a string"
+			end
+
+			unless @mount_root =~ /\A\//
+				raise ConfigurationError,
+				      "mount_root must be an absolute path"
+			end
+
+			unless @network_name.is_a?(String)
+				raise ConfigurationError,
+				      "network_name must be a string"
+			end
+
+			unless File.directory?(@mount_root)
+				raise ConfigurationError,
+				      "mount_root #{@mount_root} must exist and be a directory"
+			end
+		end
+
+		private
+
+		def stringify_keys(h)
+			{}.tap do |res|
+				h.keys.each { |k| res[k.to_s] = h[k] }
+			end
+		end
+	end
+end

data/moby-derp.gemspec

@@ -0,0 +1,39 @@
+begin
+	require 'git-version-bump'
+rescue LoadError
+	nil
+end
+
+Gem::Specification.new do |s|
+	s.name = "moby-derp"
+
+	s.version = GVB.version rescue "0.0.0.1.NOGVB"
+	s.date    = GVB.date    rescue Time.now.strftime("%Y-%m-%d")
+
+	s.platform = Gem::Platform::RUBY
+
+	s.summary  = "A simple management system for a pod of moby containers"
+
+	s.authors  = ["Matt Palmer"]
+	s.email    = ["theshed+moby-derp@hezmatt.org"]
+  s.homepage = "http://github.com/mpalmer/moby-derp"
+
+	s.files = `git ls-files -z`.split("\0").reject { |f| f =~ /^(G|spec|Rakefile)/ }
+
+  s.required_ruby_version = ">= 2.3.0"
+
+  s.add_runtime_dependency "docker-api"
+  s.add_runtime_dependency "json-canonicalization"
+  s.add_runtime_dependency "safe_yaml"
+
+	s.add_development_dependency 'bundler'
+  s.add_development_dependency 'deep_merge'
+	s.add_development_dependency 'github-release'
+  s.add_development_dependency 'git-version-bump'
+	s.add_development_dependency 'guard-rspec'
+	s.add_development_dependency 'rake', '~> 12'
+	s.add_development_dependency 'redcarpet'
+	s.add_development_dependency 'rspec'
+  s.add_development_dependency 'simplecov'
+	s.add_development_dependency 'yard'
+end

data/smoke_tests/minimal.bats

@@ -0,0 +1,18 @@
+load test_helper
+
+@test "Minimal pod creation" {
+	config_file <<-'EOF'
+		containers:
+		  bob:
+		    image: busybox:latest
+		    command: sleep 600
+		common_labels:
+		  moby-derp-smoke-test: ayup
+EOF
+
+	run $MOBY_DERP_BIN $TEST_CONFIG_FILE
+
+	[ "$status" = "0" ]
+	container_running "mdst"
+	container_running "mdst.bob"
+}

data/smoke_tests/no_file.bats

@@ -0,0 +1,7 @@
+load test_helper
+
+@test "No config file specified" {
+	run $MOBY_DERP_BIN
+	[ "$status" = "1" ]
+	[[ "$output" =~ No\ config\ file\ specified ]]
+}

data/smoke_tests/test_helper.bash

@@ -0,0 +1,29 @@
+: "${MOBY_DERP_BIN:=$BATS_TEST_DIRNAME/../bin/moby-derp}"
+
+config_file() {
+	TEST_CONFIG_FILE="$BATS_TMPDIR/mdst.yml"
+	cat >"${BATS_TMPDIR}/mdst.yml"
+}
+
+container_running() {
+	[ "$(docker container inspect "$1" --format='{{.State.Running}}')" = "true" ]
+}
+
+setup() {
+	TEST_SYSTEM_CONFIG_FILE="$BATS_TMPDIR/moby_derp_system_config.yml"
+	mkdir -p $BATS_TMPDIR/docker
+
+	cat <<EOF >"$TEST_SYSTEM_CONFIG_FILE"
+mount_root: $BATS_TMPDIR/docker
+EOF
+
+	export MOBY_DERP_SYSTEM_CONFIG_FILE="$TEST_SYSTEM_CONFIG_FILE"
+}
+
+teardown() {
+	for i in $(docker ps -a --format='{{.Names}}'); do
+		if docker container inspect $i --format='{{.Config.Labels}}' | grep -q moby-derp-smoke-test; then
+			docker rm -f $i
+		fi
+	done
+}