moby-derp 0.7.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1d04c23ce729679e9e1cd34fa7fbb63dac8672a2212cbed442cdaef698ac20e
-  data.tar.gz: f7cfa0d0fa9f21e6f02766669cd2a763614828a75e60ba6b35146c9c2b3d5877
+  metadata.gz: f655f86d8be3982dcf24c11734361071cb040093e22ca89fb59bfb7ac786a8ad
+  data.tar.gz: 39a54635e4cebed9f54a2eaeb5124e0b62435a582b3ef3d52e018530c9683efb
 SHA512:
-  metadata.gz: 877ef1db2ccb0f5b32cdb2bca422edc2bb3995fa650d65fad0fa581fc89c5ae4b3873759f2da706700c0a3a2b8b8392cc315659d4cf58b480efd5fcc1e91fc18
-  data.tar.gz: bf4261f7c31c01628df29e43cc42b84346525802225999e790e0268c6246b2730f9716dc087c8270cde96a75730a345276cb176e78a5d38603517532fd9c07ee
+  metadata.gz: d3209066a78a89998bd549568d65345e8ec86c26f31b1860084cfe4d1325f1e8a8388c392915a701ff54fe1949c572de4d2ac7ec2efd2285670a1ba789eba4c5
+  data.tar.gz: b964a1d45ebb633437fb29e656ae48e9743cda5bc768605098289b10a0a12a13ec5c6ed142397a14bc08b6b0c3bb94bef4255f0b9f911863abb0db9a04e17774

data/.github/workflows/ci.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request: {}
+
+jobs:
+  build:
+    name: "moby-derp-test"
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+
+    strategy:
+      fail-fast: false
+
+      matrix:
+        os: [ubuntu-latest]
+        ruby: ["2.7"]
+
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+
+      - name: Setup ruby
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Setup bundler
+        run: |
+          gem install bundler -v 2.1.4 --no-doc
+
+      - name: Setup gems
+        run: bundle install --jobs 4
+
+      - name: RSpec
+        run: bundle exec rspec

data/README.md

@@ -124,6 +124,12 @@ The keys are:
   "localhost"; so pointing to your local caching resolver using `127.0.0.1`
   will not end in happiness and puppies.
 
+* **`host_hostname`**: the hostname to use when generating the container
+  hostname. This might be useful, for example, if moby-derp is running
+  in a container by itself, with a hostname that reflects its management
+  function, but the containers that are managed conceptually belong to
+  the host.
+
 If you wish to modify the location of the `moby-derp` system-wide configuration
 file, you can do so by setting the `MOBY_DERP_SYSTEM_CONFIG_FILE` environment
 variable.  Note, however, that it is a terrible idea to let ordinary users control
@@ -169,7 +175,8 @@ caveats:
 # Security
 
 This section discusses the security model and guarantees of `moby-derp`.  It
-isn't necessary to simply use `moby-derp` in most circumstances.
+isn't necessary to understand this section if you simply want to use
+`moby-derp` in most circumstances.
 
 The fundamental principle of `moby-derp` is that users are given control over
 a certain portion of the container and filesystem namespace, by virtue of their
@@ -233,7 +240,7 @@ See [`CONTRIBUTING.md`](CONTRIBUTING.md).
 Unless otherwise stated, everything in this repo is covered by the following
 copyright notice:
 
-    Copyright (C) 2019  Matt Palmer <matt@hezmatt.org>
+    Copyright (C) 2019, 2023, 2024  Matt Palmer <matt@hezmatt.org>
 
     This program is free software: you can redistribute it and/or modify it
     under the terms of the GNU General Public License version 3, as

data/example.yml

@@ -48,24 +48,60 @@ containers:
     #
     command: '--foo=bar --wombat'
 
+    # Occasionally a container image will have defined an entrypoint that isn't
+    # appropriate for your situation.  Although fixing the image is the preferable
+    # option, if that isn't feasible, you can instead override the image's
+    # entrypoint here.
+    entrypoint: '/usr/local/bin/alternate-init'
+
     # The 12-factor app concept says that all configuration should be passed
     # via the environment.  If that is your bag, then this section will make
     # you very happy.
     #
     environment:
-      # The environment is specified as a map of variable name to variable
-      # values.  For passing big strings, you may want to get familiar with
-      # YAML's many string quoting and escaping modes.
+      # The environment is specified as a map of environment variable names to
+      # environment variable values.
       #
       APP_ENV: production
-      # Embedding your private key like this isn't necessarily a particularly
-      # good idea, but as an example of where you might need multiline strings,
-      # it works very well.
+
+      # Environment variable values must be strings by the time YAML has
+      # finished with them.  That means that values YAML would normally interpret
+      # as other types must be quoted.
+      HAS_BUGS: 'false'
+      FINAL_ANSWER: '42'
+
+      # For passing big strings, you may want to get familiar with
+      # YAML's many string quoting and escaping modes.
+      #
+      COMPLEX_CONFIG: |
+        {
+          "foo": "bar",
+          "baz": [1, 1, 2, 3, 5, 8, 13]
+        }
+
+    # Read an environment variable value from a file.
+    #
+    # The keys are environment variable names, like any other, but the values
+    # those environment variables will have are read from the file given as the
+    # value of the entry, specified relative to the pod root directory on the host.
+    #
+    # The intended use case for this feature is for injecting secrets, where the
+    # value of the secret is written to a file on the host by some means outside the
+    # usual deployment mechanisms (so the data never goes into the repo), but can
+    # be accessed at runtime via the environment.
+    #
+    # Note that if you specify the same environment variable name both in here and
+    # in the `environment` map, the results are undefined.  So don't do that.
+    #
+    # These environment files are read when `moby-derp` runs, and so only need be
+    # readable by the user that `moby-derp` runs as (typically `root`).
+    #
+    environment_files:
+      # This will set an environment variable named `PRIVATE_KEY` with the value
+      # read from `$pod_root/secret/private.key`, which presumably an administrator
+      # has previously written.
       #
-      PRIVATE_KEY: |
-        -----BEGIN PRIVATE KEY-----
-        AAAAsd...
-        -----END PRIVATE KEY-----
+      PRIVATE_KEY: secrets/private.key
 
     # Persisting data past the lifetime of a particular container is the job
     # of mounts.  Here you can specify filesystem locations on the host

data/lib/moby_derp/container.rb

@@ -19,7 +19,7 @@ module MobyDerp
 
 		def run
 			container_name = @root_container ? @pod.name : @config.name
-			@logger.debug(logloc) { "Calculated container name is #{container_name} (@root_container: #{@root_container.inspect}, @config.name: #{@config.name}, @pod.name: #{@pod.name}" }
+			@logger.debug(logloc) { "Calculated container name is #{container_name} (@root_container: #{@root_container.inspect}, @config.name: #{@config.name}, @pod.name: #{@pod.name})" }
 
 			begin
 				existing_container = Docker::Container.get(container_name)
@@ -29,6 +29,12 @@ module MobyDerp
 				if existing_container.info["Config"]["Labels"]["org.hezmatt.moby-derp.config-hash"] == params_hash(container_creation_parameters)
 					# Container is up-to-date
 					@logger.info(logloc) { "Container #{container_name} is up-to-date" }
+					@logger.debug(logloc) { "Container #{container_name} has restart=#{@config.restart}, state is #{existing_container.info.dig("State", "Status")}" }
+
+					if @config.restart == "always" && existing_container.info.dig("State", "Status") != "running"
+						existing_container.start
+					end
+
 					return existing_container.id
 				end
 
@@ -85,9 +91,11 @@ module MobyDerp
 		def container_creation_parameters
 			{}.tap do |params|
 				if @root_container
+					params["Hostname"] = @pod.hostname
 					params["HostConfig"] = {
 						"NetworkMode" => @pod.network_name,
 						"Init"        => true,
+						"IpcMode"     => "shareable"
 					}
 					params["MacAddress"] = container_mac_address
 					if network_uses_ipv6? && user_defined_network?
@@ -113,7 +121,7 @@ module MobyDerp
 				params["HostConfig"]["RestartPolicy"] = parsed_restart_policy
 				params["HostConfig"]["Mounts"]        = merged_mounts.map { |mount| mount_structure(mount) }
 
-				params["Env"]        = @pod.common_environment.merge(@config.environment).map { |k, v| "#{k}=#{v}" }
+				params["Env"]        = @pod.common_environment.merge(read_environment_files).merge(@config.environment).map { |k, v| "#{k}=#{v}" }
 				params["Volumes"]    = {}
 
 				params["name"]  = @root_container ? @pod.name : @config.name
@@ -123,6 +131,10 @@ module MobyDerp
 				params["StopSignal"]  = @config.stop_signal
 				params["StopTimeout"] = @config.stop_timeout
 
+				if !@config.entrypoint.nil?
+					params["Entrypoint"] = [@config.entrypoint]
+				end
+
 				if @config.user
 					params["User"] = @config.user
 				end
@@ -165,6 +177,12 @@ module MobyDerp
 			end
 		end
 
+		def read_environment_files
+			@config.environment_files.map do |var, filename|
+				[var, File.read(File.join(@pod.mount_root, filename))]
+			end.to_h
+		end
+
 		def hash_labelled(params)
 			params.tap do |params|
 				config_hash = params_hash(params)

data/lib/moby_derp/container_config.rb

@@ -7,8 +7,8 @@ require "shellwords"
 
 module MobyDerp
 	class ContainerConfig
-		attr_reader :name, :image, :update_image, :command, :environment, :mounts,
-		            :labels, :readonly, :stop_signal, :stop_timeout, :user, :restart, :limits,
+		attr_reader :name, :image, :update_image, :command, :entrypoint, :environment, :environment_files,
+		            :mounts, :labels, :readonly, :stop_signal, :stop_timeout, :user, :restart, :limits,
 		            :startup_health_check
 
 		def initialize(system_config:,
@@ -17,7 +17,9 @@ module MobyDerp
 		               image:,
 		               update_image: true,
 		               command: [],
+		               entrypoint: nil,
 		               environment: {},
+		               environment_files: {},
 		               mounts: [],
 		               labels: {},
 		               readonly: false,
@@ -30,14 +32,16 @@ module MobyDerp
 		              )
 			@system_config, @pod_config, @name, @image = system_config, pod_config, "#{pod_config.name}.#{container_name}", image
 
-			@update_image, @command, @environment, @mounts, @labels = update_image, command, environment, mounts, labels
+			@update_image, @command, @entrypoint, @environment, @environment_files, @mounts, @labels = update_image, command, entrypoint, environment, environment_files, mounts, labels
 			@readonly, @stop_signal, @stop_timeout, @user, @restart = readonly, stop_signal, stop_timeout, user, restart
 			@limits, @startup_health_check = limits, startup_health_check
 
 			validate_image
 			validate_update_image
 			validate_command
+			validate_entrypoint
 			validate_environment
+			validate_environment_files
 			validate_mounts
 			validate_labels
 			validate_readonly
@@ -88,6 +92,13 @@ module MobyDerp
 			end
 		end
 
+		def validate_entrypoint
+			unless @entrypoint.nil? || @entrypoint.is_a?(String)
+				raise ConfigurationError,
+					   "entrypoint must be a string"
+			end
+		end
+
 		def validate_environment
 			validate_hash(:environment)
 
@@ -97,6 +108,27 @@ module MobyDerp
 			end
 		end
 
+		def validate_environment_files
+			validate_hash(:environment_files)
+
+			if (bad_vars = @environment_files.keys.select { |k| k =~ /=/ }) != []
+				raise ConfigurationError,
+				      "environment variable names cannot include equals signs: #{bad_vars.inspect}"
+			end
+
+			@environment_files.each do |k, v|
+				if v =~ %r{(\A|/)\.\.($|/)}
+					raise ConfigurationError,
+					      "path traversal detected in #{k} -- this ain't a Fortinet, mate!"
+				end
+
+				if v =~ %r{\A(/|~)}
+					raise ConfigurationError,
+					      "environment file for #{k} can only be a relative path"
+				end
+			end
+		end
+
 		def validate_mounts
 			unless @mounts.is_a?(Array)
 				raise ConfigurationError,

data/lib/moby_derp/pod.rb

@@ -38,9 +38,9 @@ module MobyDerp
 				begin
 					MobyDerp::Container.new(pod: self, container_config: cfg).run
 				rescue MobyDerp::ContainerError => ex
-					raise MobyDerp::ContainerError,
-					      "error while running container #{cfg.name}: #{ex.message}",
-							ex.backtrace
+					@logger.error(logloc) {
+						(["Error while running container #{cfg.name}: #{ex.message}"] + ex.backtrace.map { |l| "  #{l}" }).join("\n")
+					}
 				end
 			end
 		end

data/lib/moby_derp/pod_config.rb

@@ -57,8 +57,8 @@ module MobyDerp
 			@containers = @config.fetch("containers")
 			validate_containers
 
-			@logger.debug(logloc) { "Hostname is #{Socket.gethostname}" }
-			@hostname = @config.fetch("hostname", "#{@name.gsub("_", "-")}-#{Socket.gethostname}")
+			@logger.debug(logloc) { "Hostname is #{@system_config.host_hostname}" }
+			@hostname = @config.fetch("hostname", "#{@name.gsub("_", "-")}-#{@system_config.host_hostname}")
 
 			@common_environment = @config.fetch("common_environment", {})
 			@common_labels      = @config.fetch("common_labels", {})

data/lib/moby_derp/system_config.rb

@@ -1,9 +1,11 @@
 require_relative "./config_file"
 
+require "socket"
+
 module MobyDerp
 	class SystemConfig < ConfigFile
 		attr_reader :mount_root, :port_whitelist, :network_name, :use_host_resolv_conf,
-		            :cpu_count, :cpu_bits
+		            :cpu_count, :cpu_bits, :host_hostname
 
 		def initialize(config_data_or_filename, moby_info, logger)
 			@logger = logger
@@ -17,6 +19,7 @@ module MobyDerp
 				raise ArgumentError, "Unsupported type for config_data_or_filename parameter"
 			end
 
+			@host_hostname        = @config["host_hostname"] || Socket.gethostname
 			@mount_root           = @config["mount_root"]
 			@port_whitelist       = stringify_keys(@config["port_whitelist"] || {})
 			@network_name         = @config["network_name"] || "bridge"
@@ -46,11 +49,6 @@ module MobyDerp
 				raise ConfigurationError,
 				      "use_host_resolv_conf must be true or false"
 			end
-
-			unless File.directory?(@mount_root)
-				raise ConfigurationError,
-				      "mount_root #{@mount_root} must exist and be a directory"
-			end
 		end
 
 		private

data/smoke_tests/restart_always.bats

@@ -0,0 +1,24 @@
+load test_helper
+
+@test "Restart always" {
+	config_file <<-'EOF'
+		containers:
+		  bob:
+		    image: busybox:latest
+		    command: sleep 600
+		    restart: always
+		common_labels:
+		  moby-derp-smoke-test: ayup
+EOF
+
+	run $MOBY_DERP_BIN $TEST_CONFIG_FILE
+
+	[ "$status" = "0" ]
+
+	docker stop mdst.bob
+	run $MOBY_DERP_BIN $TEST_CONFIG_FILE
+
+	echo $output
+	container_running "mdst"
+	container_running "mdst.bob"
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: moby-derp
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.8.0
 platform: ruby
 authors:
 - Matt Palmer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-11 00:00:00.000000000 Z
+date: 2024-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -186,6 +186,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".travis.yml"
 - ".yardopts"
@@ -210,6 +211,7 @@ files:
 - smoke_tests/exposed.bats
 - smoke_tests/minimal.bats
 - smoke_tests/no_file.bats
+- smoke_tests/restart_always.bats
 - smoke_tests/root_labels.bats
 - smoke_tests/test_helper.bash
 homepage: http://github.com/mpalmer/moby-derp
@@ -230,7 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.5
 signing_key: 
 specification_version: 4
 summary: A simple management system for a pod of moby containers