Merge pull request 'Fix #17096: support secrets in Docker swarm' (#59) from feature/17096/swarm_secrets into develop

Author: LEDfan

pom.xml

@@ -240,14 +240,29 @@
 		</dependency>
 		<!-- Jersey, a dependency of docker-client with wonky version constraints -->
 		<dependency>
-			<groupId>org.glassfish.jersey.inject</groupId>
-			<artifactId>jersey-hk2</artifactId>
-			<version>2.26</version>
+			<groupId>org.glassfish.jersey.core</groupId>
+			<artifactId>jersey-client</artifactId>
+			<version>2.22</version>
 		</dependency>
 		<dependency>
-			<groupId>org.glassfish.jersey.bundles.repackaged</groupId>
-			<artifactId>jersey-guava</artifactId>
-			<version>2.26-b03</version>
+			<groupId>org.glassfish.jersey.core</groupId>
+			<artifactId>jersey-common</artifactId>
+			<version>2.22</version>
+		</dependency>
+		<dependency>
+			<groupId>org.glassfish.jersey.connectors</groupId>
+			<artifactId>jersey-apache-connector</artifactId>
+			<version>2.22</version>
+		</dependency>
+		<dependency>
+			<groupId>org.glassfish.jersey.media</groupId>
+			<artifactId>jersey-media-json-jackson</artifactId>
+			<version>2.22</version>
+		</dependency>
+		<dependency>
+			<groupId>org.glassfish.hk2</groupId>
+			<artifactId>hk2-api</artifactId>
+			<version>2.4.0-b31</version>
 		</dependency>
 
 		<!-- MonetDB, for gathering usage stats (optional) -->

src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerEngineBackend.java

@@ -22,13 +22,16 @@
 
 import com.spotify.docker.client.DockerClient.ListContainersParam;
 import com.spotify.docker.client.DockerClient.RemoveContainerParam;
+import com.spotify.docker.client.exceptions.DockerException;
+import com.spotify.docker.client.exceptions.NotFoundException;
 import com.spotify.docker.client.messages.Container.PortMapping;
 import com.spotify.docker.client.messages.ContainerConfig;
 import com.spotify.docker.client.messages.ContainerCreation;
 import com.spotify.docker.client.messages.ContainerInfo;
 import com.spotify.docker.client.messages.HostConfig;
 import com.spotify.docker.client.messages.HostConfig.Builder;
 import com.spotify.docker.client.messages.PortBinding;
+import com.spotify.docker.client.messages.RegistryAuth;
 import eu.openanalytics.containerproxy.model.runtime.Container;
 import eu.openanalytics.containerproxy.model.runtime.ExistingContainerInfo;
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
@@ -37,6 +40,8 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValueKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.UserIdKey;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.net.URI;
 import java.net.URL;
@@ -49,10 +54,27 @@
 
 public class DockerEngineBackend extends AbstractDockerBackend {
 
+	private static final String PROPERTY_IMG_PULL_POLICY = "image-pull-policy";
+
+	private ImagePullPolicy imagePullPolicy;
+	private final Logger logger = LoggerFactory.getLogger(getClass());
+
+	@Override
+	public void initialize() {
+		super.initialize();
+		imagePullPolicy = environment.getProperty(getPropertyPrefix() + PROPERTY_IMG_PULL_POLICY, ImagePullPolicy.class, ImagePullPolicy.IfNotPresent);
+	}
+
 	@Override
 	protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Exception {
 		Builder hostConfigBuilder = HostConfig.builder();
-		
+
+		if (imagePullPolicy == ImagePullPolicy.Always
+			|| (imagePullPolicy == ImagePullPolicy.IfNotPresent && !isImagePresent(spec))) {
+			logger.info("Pulling image {}", spec.getImage());
+			pullImage(spec);
+		}
+
 		Map<String, List<PortBinding>> portBindings = new HashMap<>();
 		if (isUseInternalNetwork()) {
 			// In internal networking mode, we can access container ports directly, no need to bind on host.
@@ -203,6 +225,36 @@ public List<ExistingContainerInfo> scanExistingContainers() throws Exception {
 
 		return containers;
 	}
-	
+
+	private boolean isImagePresent(ContainerSpec spec) throws DockerException, InterruptedException {
+		try {
+			dockerClient.inspectImage(spec.getImage());
+			return true;
+		} catch (NotFoundException ex) {
+			return false;
+		}
+	}
+
+	private void pullImage(ContainerSpec spec) throws DockerException, InterruptedException {
+		if (spec.getDockerRegistryDomain() != null
+				&& spec.getDockerRegistryUsername() != null
+				&& spec.getDockerRegistryPassword() != null) {
+
+			RegistryAuth registryAuth = RegistryAuth.builder()
+					.serverAddress(spec.getDockerRegistryDomain())
+					.username(spec.getDockerRegistryUsername())
+					.password(spec.getDockerRegistryPassword())
+					.build();
+			dockerClient.pull(spec.getImage(), registryAuth, message -> {});
+		} else {
+			dockerClient.pull(spec.getImage(), message -> {});
+		}
+	}
+
+	public enum ImagePullPolicy {
+		Never,
+		Always,
+		IfNotPresent
+	}
 
 }

src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java

@@ -21,11 +21,18 @@
 package eu.openanalytics.containerproxy.backend.docker;
 
 import com.spotify.docker.client.DockerClient;
+import com.spotify.docker.client.exceptions.DockerException;
+import com.spotify.docker.client.messages.RegistryAuth;
 import com.spotify.docker.client.messages.mount.Mount;
 import com.spotify.docker.client.messages.swarm.DnsConfig;
 import com.spotify.docker.client.messages.swarm.EndpointSpec;
 import com.spotify.docker.client.messages.swarm.NetworkAttachmentConfig;
 import com.spotify.docker.client.messages.swarm.PortConfig;
+import com.spotify.docker.client.messages.swarm.ResourceRequirements;
+import com.spotify.docker.client.messages.swarm.Resources;
+import com.spotify.docker.client.messages.swarm.Secret;
+import com.spotify.docker.client.messages.swarm.SecretBind;
+import com.spotify.docker.client.messages.swarm.SecretFile;
 import com.spotify.docker.client.messages.swarm.Service;
 import com.spotify.docker.client.messages.swarm.ServiceSpec;
 import com.spotify.docker.client.messages.swarm.Task;
@@ -39,6 +46,7 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValueKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.UserIdKey;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
+import eu.openanalytics.containerproxy.model.spec.DockerSwarmSecret;
 import eu.openanalytics.containerproxy.util.Retrying;
 
 import java.net.URI;
@@ -84,6 +92,11 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 			}
 		}
 
+        List<SecretBind> secretBinds = new ArrayList<>();
+        for (DockerSwarmSecret secret : spec.getDockerSwarmSecrets()) {
+            secretBinds.add(convertSecret(secret));
+        }
+
 		com.spotify.docker.client.messages.swarm.ContainerSpec containerSpec =
 				com.spotify.docker.client.messages.swarm.ContainerSpec.builder()
 				.image(spec.getImage())
@@ -92,6 +105,7 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 				.env(convertEnv(buildEnv(spec, proxy)))
 				.dnsConfig(DnsConfig.builder().nameServers(spec.getDns()).build())
 				.mounts(mounts)
+                .secrets(secretBinds)
 				.build();
 
 		NetworkAttachmentConfig[] networks = Arrays
@@ -104,12 +118,35 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 			networks[networks.length - 1] = NetworkAttachmentConfig.builder().target(spec.getNetwork()).build();
 		}
 
+		Resources.Builder reservationsBuilder = Resources.builder();
+		// reservations are used by the Docker swarm scheduler
+		if (spec.getCpuRequest() != null) {
+			// note: 1 CPU = 1 * 10e8 nanoCpu -> equivalent to --cpus option
+			reservationsBuilder.nanoCpus((long) (Double.parseDouble(spec.getCpuRequest()) * 10e8));
+		}
+		if (spec.getMemoryRequest() != null) {
+			reservationsBuilder.memoryBytes(memoryToBytes(spec.getMemoryRequest()));
+		}
+
+		Resources.Builder limitsBuilder = Resources.builder();
+		if (spec.getCpuLimit() != null) {
+			// note: 1 CPU = 1 * 10e8 nanoCpu -> equivalent to --cpus option
+			limitsBuilder.nanoCpus((long) (Double.parseDouble(spec.getCpuLimit()) * 10e8));
+		}
+		if (spec.getMemoryLimit() != null) {
+			limitsBuilder.memoryBytes(memoryToBytes(spec.getMemoryLimit()));
+		}
+
 		String serviceName = "sp-service-" + UUID.randomUUID().toString();
 		ServiceSpec.Builder serviceSpecBuilder = ServiceSpec.builder()
 				.networks(networks)
 				.name(serviceName)
 				.taskTemplate(TaskSpec.builder()
 						.containerSpec(containerSpec)
+						.resources(ResourceRequirements.builder()
+								.reservations(reservationsBuilder.build())
+								.limits(limitsBuilder.build())
+								.build())
 						.build());
 
 		List<PortConfig> portsToPublish = new ArrayList<>();
@@ -124,7 +161,21 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 			serviceSpecBuilder.endpointSpec(EndpointSpec.builder().ports(portsToPublish).build());
 		}
 
-		String serviceId = dockerClient.createService(serviceSpecBuilder.build()).id();
+		String serviceId;
+		if (spec.getDockerRegistryDomain() != null
+				&& spec.getDockerRegistryUsername() != null
+				&& spec.getDockerRegistryPassword() != null) {
+
+			RegistryAuth registryAuth = RegistryAuth.builder()
+					.serverAddress(spec.getDockerRegistryDomain())
+					.username(spec.getDockerRegistryUsername())
+					.password(spec.getDockerRegistryPassword())
+					.build();
+			serviceId = dockerClient.createService(serviceSpecBuilder.build(), registryAuth).id();
+		} else {
+			serviceId = dockerClient.createService(serviceSpecBuilder.build()).id();
+		}
+
 		container.getParameters().put(PARAM_SERVICE_ID, serviceId);
 
 		// Give the service some time to start up and launch a container.
@@ -133,7 +184,9 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 				Task serviceTask = dockerClient
 						.listTasks(Task.Criteria.builder().serviceName(serviceName).build())
 						.stream().findAny().orElseThrow(() -> new IllegalStateException("Swarm service has no tasks"));
-				container.setId(serviceTask.status().containerStatus().containerId());
+				if (serviceTask.status().containerStatus() != null) {
+					container.setId(serviceTask.status().containerStatus().containerId());
+				}
 			} catch (Exception e) {
 				throw new RuntimeException("Failed to inspect swarm service tasks", e);
 			}
@@ -181,7 +234,33 @@ protected URI calculateTarget(Container container, int containerPort, int servic
 		return new URI(String.format("%s://%s:%s%s", targetProtocol, targetHostName, targetPort, targetPath));
 	}
 
-	@Override
+    private SecretBind convertSecret(DockerSwarmSecret secret) throws DockerException, InterruptedException {
+        if (secret.getName() == null) {
+            throw new IllegalArgumentException("No name for a Docker swarm secret provided");
+        }
+        return SecretBind.builder()
+                .secretName(secret.getName())
+                .secretId(getSecretId(secret.getName()))
+                .file(
+                        SecretFile.builder()
+                                .name(Optional.ofNullable(secret.getTarget()).orElse(secret.getName()))
+                                .gid(Optional.ofNullable(secret.getGid()).orElse("0"))
+                                .uid(Optional.ofNullable(secret.getUid()).orElse("0"))
+                                .mode(Long.parseLong(Optional.ofNullable(secret.getMode()).orElse("444"), 8))
+                                .build()
+                )
+                .build();
+
+    }
+
+    private String getSecretId(String secretName) throws DockerException, InterruptedException {
+        return dockerClient.listSecrets().stream()
+                .filter(it -> it.secretSpec().name().equals(secretName))
+                .findFirst()
+                .map(Secret::id).orElseThrow(() -> new IllegalArgumentException("Secret not found!"));
+    }
+
+    @Override
 	protected void doStopProxy(Proxy proxy) throws Exception {
 		for (Container container: proxy.getContainers()) {
 			String serviceId = (String) container.getParameters().get(PARAM_SERVICE_ID);

src/main/java/eu/openanalytics/containerproxy/model/spec/ContainerSpec.java

@@ -20,8 +20,10 @@
  */
 package eu.openanalytics.containerproxy.model.spec;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 public class ContainerSpec {
@@ -43,6 +45,10 @@ public class ContainerSpec {
 	private String targetPath;
 	private Map<String, String> labels = new HashMap<>();
 	private Map<String, String> settings = new HashMap<>();
+	private List<DockerSwarmSecret> dockerSwarmSecrets = new ArrayList();
+	private String dockerRegistryDomain;
+	private String dockerRegistryUsername;
+	private String dockerRegistryPassword;
 
 	public String getImage() {
 		return image;
@@ -153,6 +159,38 @@ public void setTargetPath(String targetPath) {
 		this.targetPath = targetPath;
 	}
 
+	public List<DockerSwarmSecret> getDockerSwarmSecrets() {
+		return dockerSwarmSecrets;
+	}
+
+	public void setDockerSwarmSecrets(List<DockerSwarmSecret> dockerSwarmSecrets) {
+		this.dockerSwarmSecrets = dockerSwarmSecrets;
+	}
+
+	public String getDockerRegistryDomain() {
+		return dockerRegistryDomain;
+	}
+
+	public void setDockerRegistryDomain(String dockerRegistryDomain) {
+		this.dockerRegistryDomain = dockerRegistryDomain;
+	}
+
+	public String getDockerRegistryUsername() {
+		return dockerRegistryUsername;
+	}
+
+	public void setDockerRegistryUsername(String dockerRegistryUsername) {
+		this.dockerRegistryUsername = dockerRegistryUsername;
+	}
+
+	public String getDockerRegistryPassword() {
+		return dockerRegistryPassword;
+	}
+
+	public void setDockerRegistryPassword(String dockerRegistryPassword) {
+		this.dockerRegistryPassword = dockerRegistryPassword;
+	}
+
 	public void copy(ContainerSpec target) {
 		target.setImage(image);
 		if (cmd != null) target.setCmd(Arrays.copyOf(cmd, cmd.length));
@@ -182,7 +220,13 @@ public void copy(ContainerSpec target) {
 			if (target.getSettings() == null) target.setSettings(new HashMap<>());
 			target.getSettings().putAll(settings);
 		}
+		if (dockerSwarmSecrets != null) {
+			if (target.getDockerSwarmSecrets() == null) target.setDockerSwarmSecrets(new ArrayList<>());
+			target.getDockerSwarmSecrets().addAll(dockerSwarmSecrets);
+		}
+		target.setDockerRegistryDomain(dockerRegistryDomain);
+		target.setDockerRegistryUsername(dockerRegistryUsername);
+		target.setDockerRegistryPassword(dockerRegistryPassword);
 		target.setTargetPath(targetPath);
 	}
-
 }