spacebar/kamal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into fix/ssh-auth-methods

Browse Source
This commit is contained in:
Donal McBreen
2023-09-07 10:21:28 +01:00
committed by GitHub
parent 9a539ffc86 aa9999809c
commit cccf79ed94
48 changed files with 784 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
lib/kamal/cli/app.rb
View File

@@ -18,8 +18,9 @@ class Kamal::Cli::App < Kamal::Cli::Base
roles.each do |role|
app = KAMAL.app(role: role)
auditor = KAMAL.auditor(role: role)
role_config = KAMAL.config.role(role)
if capture_with_info(*app.container_id_for_version(version, only_running: true), raise_on_non_zero_exit: false).present?
if capture_with_info(*app.container_id_for_version(version), raise_on_non_zero_exit: false).present?
tmp_version = "#{version}_replaced_#{SecureRandom.hex(8)}"
info "Renaming container #{version} to #{tmp_version} as already deployed on #{host}"
execute *auditor.record("Renaming container #{version} to #{tmp_version}"), verbosity: :debug
@@ -29,11 +30,25 @@ class Kamal::Cli::App < Kamal::Cli::Base
execute *auditor.record("Booted app version #{version}"), verbosity: :debug
old_version = capture_with_info(*app.current_running_version, raise_on_non_zero_exit: false).strip
execute *app.start_or_run(hostname: "#{host}-#{SecureRandom.hex(6)}")
if role_config.uses_cord?
execute *app.tie_cord(role_config.cord_host_file)
end
execute *app.run(hostname: "#{host}-#{SecureRandom.hex(6)}")
Kamal::Utils::HealthcheckPoller.wait_for_healthy(pause_after_ready: true) { capture_with_info(*app.status(version: version)) }
execute *app.stop(version: old_version), raise_on_non_zero_exit: false if old_version.present?
if old_version.present?
if role_config.uses_cord?
cord = capture_with_info(*app.cord(version: old_version), raise_on_non_zero_exit: false).strip
if cord.present?
execute *app.cut_cord(cord)
Kamal::Utils::HealthcheckPoller.wait_for_unhealthy(pause_after_ready: true) { capture_with_info(*app.status(version: old_version)) }
end
end
execute *app.stop(version: old_version), raise_on_non_zero_exit: false
end
end
end
end

8
lib/kamal/cli/base.rb
View File

@@ -79,6 +79,8 @@ module Kamal::Cli
run_hook "pre-connect"
ensure_run_directory
acquire_lock
begin
@@ -167,5 +169,11 @@ module Kamal::Cli
def first_invocation
instance_variable_get("@_invocations").first
end
def ensure_run_directory
on(KAMAL.hosts) do
execute(*KAMAL.server.ensure_run_directory)
end
end
end
end

52
lib/kamal/cli/env.rb Normal file
View File

@@ -0,0 +1,52 @@
require "tempfile"
class Kamal::Cli::Env < Kamal::Cli::Base
desc "push", "Push the env file to the remote hosts"
def push
mutating do
on(KAMAL.hosts) do
KAMAL.roles_on(host).each do |role|
role_config = KAMAL.config.role(role)
execute *KAMAL.app(role: role).make_env_directory
upload! StringIO.new(role_config.env_file), role_config.host_env_file_path, mode: 400
end
end
on(KAMAL.traefik_hosts) do
execute *KAMAL.traefik.make_env_directory
upload! StringIO.new(KAMAL.traefik.env_file), KAMAL.traefik.host_env_file_path, mode: 400
end
on(KAMAL.accessory_hosts) do
KAMAL.accessories_on(host).each do |accessory|
accessory_config = KAMAL.config.accessory(accessory)
execute *KAMAL.accessory(accessory).make_env_directory
upload! StringIO.new(accessory_config.env_file), accessory_config.host_env_file_path, mode: 400
end
end
end
end
desc "delete", "Delete the env file from the remote hosts"
def delete
mutating do
on(KAMAL.hosts) do
KAMAL.roles_on(host).each do |role|
role_config = KAMAL.config.role(role)
execute *KAMAL.app(role: role).remove_env_file
end
end
on(KAMAL.traefik_hosts) do
execute *KAMAL.traefik.remove_env_file
end
on(KAMAL.accessory_hosts) do
KAMAL.accessories_on(host).each do |accessory|
accessory_config = KAMAL.config.accessory(accessory)
execute *KAMAL.accessory(accessory).remove_env_file
end
end
end
end
end

15
lib/kamal/cli/lock.rb
View File

@@ -2,7 +2,10 @@ class Kamal::Cli::Lock < Kamal::Cli::Base
desc "status", "Report lock status"
def status
handle_missing_lock do
on(KAMAL.primary_host) { puts capture_with_debug(*KAMAL.lock.status) }
on(KAMAL.primary_host) do
execute *KAMAL.server.ensure_run_directory
puts capture_with_debug(*KAMAL.lock.status)
end
end
end
@@ -11,7 +14,10 @@ class Kamal::Cli::Lock < Kamal::Cli::Base
def acquire
message = options[:message]
raise_if_locked do
on(KAMAL.primary_host) { execute *KAMAL.lock.acquire(message, KAMAL.config.version), verbosity: :debug }
on(KAMAL.primary_host) do
execute *KAMAL.server.ensure_run_directory
execute *KAMAL.lock.acquire(message, KAMAL.config.version), verbosity: :debug
end
say "Acquired the deploy lock"
end
end
@@ -19,7 +25,10 @@ class Kamal::Cli::Lock < Kamal::Cli::Base
desc "release", "Release the deploy lock"
def release
handle_missing_lock do
on(KAMAL.primary_host) { execute *KAMAL.lock.release, verbosity: :debug }
on(KAMAL.primary_host) do
execute *KAMAL.server.ensure_run_directory
execute *KAMAL.lock.release, verbosity: :debug
end
say "Released the deploy lock"
end
end

6
lib/kamal/cli/main.rb
View File

@@ -175,6 +175,9 @@ class Kamal::Cli::Main < Kamal::Cli::Base
end
File.write(env_path, ERB.new(File.read(env_template_path)).result, perm: 0600)
load_envs # reload new file
invoke "kamal:cli:env:push", options
end
desc "remove", "Remove Traefik, app, accessories, and registry session from servers"
@@ -204,6 +207,9 @@ class Kamal::Cli::Main < Kamal::Cli::Base
desc "build", "Build application image"
subcommand "build", Kamal::Cli::Build
desc "env", "Manage environment files"
subcommand "env", Kamal::Cli::Env
desc "healthcheck", "Healthcheck application"
subcommand "healthcheck", Kamal::Cli::Healthcheck

4
lib/kamal/cli/server.rb
View File

@@ -14,6 +14,10 @@ class Kamal::Cli::Server < Kamal::Cli::Base
end
end
on(KAMAL.hosts) do
execute(*KAMAL.server.ensure_run_directory)
end
if missing.any?
raise "Docker is not installed on #{missing.join(", ")} and can't be automatically installed without having root access and the `curl` command available. Install Docker manually: https://docs.docker.com/engine/install/"
end

8
lib/kamal/commander.rb
View File

@@ -75,6 +75,10 @@ class Kamal::Commander
config.accessories&.collect(&:name) || []
end
def accessories_on(host)
config.accessories.select { |accessory| accessory.hosts.include?(host.to_s) }.map(&:name)
end
def app(role: nil)
Kamal::Commands::App.new(config, role: role)
@@ -116,6 +120,10 @@ class Kamal::Commander
@registry ||= Kamal::Commands::Registry.new(config)
end
def server
@server ||= Kamal::Commands::Server.new(config)
end
def traefik
@traefik ||= Kamal::Commands::Traefik.new(config)
end

16
lib/kamal/commands/accessory.rb
View File

@@ -86,14 +86,6 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
end
end
def make_directory_for(remote_file)
make_directory Pathname.new(remote_file).dirname.to_s
end
def make_directory(path)
[ :mkdir, "-p", path ]
end
def remove_service_directory
[ :rm, "-rf", service_name ]
end
@@ -106,6 +98,14 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
docker :image, :rm, "--force", image
end
def make_env_directory
make_directory accessory_config.host_env_directory
end
def remove_env_file
[:rm, "-f", accessory_config.host_env_file_path]
end
private
def service_filter
[ "--filter", "label=service=#{service_name}" ]

50
lib/kamal/commands/app.rb
View File

@@ -1,34 +1,29 @@
class Kamal::Commands::App < Kamal::Commands::Base
ACTIVE_DOCKER_STATUSES = [ :running, :restarting ]
attr_reader :role
attr_reader :role, :role_config
def initialize(config, role: nil)
super(config)
@role = role
end
def start_or_run(hostname: nil)
combine start, run(hostname: hostname), by: "||"
@role_config = config.role(self.role)
end
def run(hostname: nil)
role = config.role(self.role)
docker :run,
"--detach",
"--restart unless-stopped",
"--name", container_name,
*(["--hostname", hostname] if hostname),
"-e", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
*role.env_args,
*role.health_check_args,
*role_config.env_args,
*role_config.health_check_args,
*config.logging_args,
*config.volume_args,
*role.label_args,
*role.option_args,
*role_config.label_args,
*role_config.option_args,
config.absolute_image,
role.cmd
role_config.cmd
end
def start
@@ -76,14 +71,12 @@ class Kamal::Commands::App < Kamal::Commands::Base
end
def execute_in_new_container(*command, interactive: false)
role = config.role(self.role)
docker :run,
("-it" if interactive),
"--rm",
*config.env_args,
*role_config&.env_args,
*config.volume_args,
*role&.option_args,
*role_config&.option_args,
config.absolute_image,
*command
end
@@ -112,7 +105,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
def list_versions(*docker_args, statuses: nil)
pipe \
docker(:ps, *filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
%(while read line; do echo ${line##{service_role_dest}-}; done) # Extract SHA from "service-role-dest-SHA"
%(while read line; do echo ${line##{role_config.full_name}-}; done) # Extract SHA from "service-role-dest-SHA"
end
def list_containers
@@ -149,10 +142,31 @@ class Kamal::Commands::App < Kamal::Commands::Base
docker :tag, config.absolute_image, config.latest_image
end
def make_env_directory
make_directory role_config.host_env_directory
end
def remove_env_file
[:rm, "-f", role_config.host_env_file_path]
end
def cord(version:)
pipe \
docker(:inspect, "-f '{{ range .Mounts }}{{ .Source }} {{ .Destination }} {{ end }}'", container_name(version)),
[:awk, "'$2 == \"#{role_config.cord_container_directory}\" {print $1}'"]
end
def tie_cord(cord)
create_empty_file(cord)
end
def cut_cord(cord)
remove_directory(cord)
end
private
def container_name(version = nil)
[ config.service, role, config.destination, version || config.version ].compact.join("-")
[ role_config.full_name, version || config.version ].compact.join("-")
end
def filter_args(statuses: nil)

4
lib/kamal/commands/auditor.rb
View File

@@ -19,7 +19,9 @@ class Kamal::Commands::Auditor < Kamal::Commands::Base
private
def audit_log_file
[ "kamal", config.service, config.destination, "audit.log" ].compact.join("-")
file = [ config.service, config.destination, "audit.log" ].compact.join("-")
"#{config.run_directory}/#{file}"
end
def audit_tags(**details)

18
lib/kamal/commands/base.rb
View File

@@ -26,6 +26,18 @@ module Kamal::Commands
docker :container, :ls, *("--all" unless only_running), "--filter", "name=^#{container_name}$", "--quiet"
end
def make_directory_for(remote_file)
make_directory Pathname.new(remote_file).dirname.to_s
end
def make_directory(path)
[ :mkdir, "-p", path ]
end
def remove_directory(path)
[ :rm, "-r", path ]
end
private
def combine(*commands, by: "&&")
commands
@@ -61,5 +73,11 @@ module Kamal::Commands
def tags(**details)
Kamal::Tags.from_config(config, **details)
end
def create_empty_file(file)
chain \
make_directory_for(file),
[:touch, file]
end
end
end

11
lib/kamal/commands/healthcheck.rb
View File

@@ -1,5 +1,4 @@
class Kamal::Commands::Healthcheck < Kamal::Commands::Base
EXPOSED_PORT = 3999
def run
web = config.role(:web)
@@ -7,11 +6,11 @@ class Kamal::Commands::Healthcheck < Kamal::Commands::Base
docker :run,
"--detach",
"--name", container_name_with_version,
"--publish", "#{EXPOSED_PORT}:#{config.healthcheck["port"]}",
"--publish", "#{exposed_port}:#{config.healthcheck["port"]}",
"--label", "service=#{container_name}",
"-e", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
*web.env_args,
*web.health_check_args,
*web.health_check_args(cord: false),
*config.volume_args,
*web.option_args,
config.absolute_image,
@@ -52,6 +51,10 @@ class Kamal::Commands::Healthcheck < Kamal::Commands::Base
end
def health_url
"http://localhost:#{EXPOSED_PORT}#{config.healthcheck["path"]}"
"http://localhost:#{exposed_port}#{config.healthcheck["path"]}"
end
def exposed_port
config.healthcheck["exposed_port"]
end
end

2
lib/kamal/commands/lock.rb
View File

@@ -40,7 +40,7 @@ class Kamal::Commands::Lock < Kamal::Commands::Base
end
def lock_dir
"kamal_lock-#{config.service}"
"#{config.run_directory}/lock-#{config.service}"
end
def lock_details_file

5
lib/kamal/commands/server.rb Normal file
View File

@@ -0,0 +1,5 @@
class Kamal::Commands::Server < Kamal::Commands::Base
def ensure_run_directory
[:mkdir, "-p", config.run_directory]
end
end

28
lib/kamal/commands/traefik.rb
View File

@@ -1,5 +1,5 @@
class Kamal::Commands::Traefik < Kamal::Commands::Base
delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Kamal::Utils
delegate :argumentize, :env_file_with_secrets, :optionize, to: Kamal::Utils
DEFAULT_IMAGE = "traefik:v2.9"
CONTAINER_PORT = 80
@@ -63,6 +63,22 @@ class Kamal::Commands::Traefik < Kamal::Commands::Base
"#{host_port}:#{CONTAINER_PORT}"
end
def env_file
env_file_with_secrets config.traefik.fetch("env", {})
end
def host_env_file_path
File.join host_env_directory, "traefik.env"
end
def make_env_directory
make_directory(host_env_directory)
end
def remove_env_file
[:rm, "-f", host_env_file_path]
end
private
def publish_args
argumentize "--publish", port unless config.traefik["publish"] == false
@@ -73,13 +89,11 @@ class Kamal::Commands::Traefik < Kamal::Commands::Base
end
def env_args
env_config = config.traefik["env"] || {}
argumentize "--env-file", host_env_file_path
end
if env_config.present?
argumentize_env_with_secrets(env_config)
else
[]
end
def host_env_directory
File.join config.host_env_directory, "traefik"
end
def labels

36
lib/kamal/configuration.rb
View File

@@ -7,7 +7,7 @@ require "net/ssh/proxy/jump"
class Kamal::Configuration
delegate :service, :image, :servers, :env, :labels, :registry, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Kamal::Utils
delegate :argumentize, :optionize, to: Kamal::Utils
attr_accessor :destination
attr_accessor :raw_config
@@ -57,6 +57,18 @@ class Kamal::Configuration
Kamal::Utils.abbreviate_version(version)
end
def run_directory
raw_config.run_directory || ".kamal"
end
def run_directory_as_docker_volume
if Pathname.new(run_directory).absolute?
run_directory
else
File.join "$(pwd)", run_directory
end
end
def roles
@roles ||= role_names.collect { |role_name| Role.new(role_name, config: self) }
@@ -109,14 +121,6 @@ class Kamal::Configuration
end
def env_args
if raw_config.env.present?
argumentize_env_with_secrets(raw_config.env)
else
[]
end
end
def volume_args
if raw_config.volumes.present?
argumentize "--volume", raw_config.volumes
@@ -145,7 +149,7 @@ class Kamal::Configuration
def healthcheck
{ "path" => "/up", "port" => 3000, "max_attempts" => 7 }.merge(raw_config.healthcheck || {})
{ "path" => "/up", "port" => 3000, "max_attempts" => 7, "exposed_port" => 3999, "cord" => "/tmp/kamal-cord" }.merge(raw_config.healthcheck || {})
end
def readiness_delay
@@ -170,7 +174,6 @@ class Kamal::Configuration
repository: repository,
absolute_image: absolute_image,
service_with_version: service_with_version,
env_args: env_args,
volume_args: volume_args,
ssh_options: ssh.to_h,
sshkit: sshkit.to_h,
@@ -195,12 +198,19 @@ class Kamal::Configuration
# Will raise KeyError if any secret ENVs are missing
def ensure_env_available
env_args
roles.each(&:env_args)
roles.each(&:env_file)
true
end
def host_env_directory
"#{run_directory}/env"
end
def run_id
@run_id ||= SecureRandom.hex(16)
end
private
# Will raise ArgumentError if any required config keys are missing
def ensure_required_keys_present

16
lib/kamal/configuration/accessory.rb
View File

@@ -1,5 +1,5 @@
class Kamal::Configuration::Accessory
delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Kamal::Utils
delegate :argumentize, :env_file_with_secrets, :optionize, to: Kamal::Utils
attr_accessor :name, :specifics
@@ -45,8 +45,20 @@ class Kamal::Configuration::Accessory
specifics["env"] || {}
end
def env_file
env_file_with_secrets env
end
def host_env_directory
File.join config.host_env_directory, "accessories"
end
def host_env_file_path
File.join host_env_directory, "#{service_name}.env"
end
def env_args
argumentize_env_with_secrets env
argumentize "--env-file", host_env_file_path
end
def files

73
lib/kamal/configuration/role.rb
View File

@@ -1,5 +1,6 @@
class Kamal::Configuration::Role
delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Kamal::Utils
CORD_FILE = "cord"
delegate :argumentize, :env_file_with_secrets, :optionize, to: Kamal::Utils
attr_accessor :name
@@ -31,32 +32,68 @@ class Kamal::Configuration::Role
end
end
def env_args
argumentize_env_with_secrets env
def env_file
env_file_with_secrets env
end
def health_check_args
def host_env_directory
File.join config.host_env_directory, "roles"
end
def host_env_file_path
File.join host_env_directory, "#{[config.service, name, config.destination].compact.join("-")}.env"
end
def env_args
argumentize "--env-file", host_env_file_path
end
def health_check_args(cord: true)
if health_check_cmd.present?
optionize({ "health-cmd" => health_check_cmd, "health-interval" => health_check_interval })
if cord && uses_cord?
optionize({ "health-cmd" => health_check_cmd_with_cord, "health-interval" => health_check_interval })
.concat(["--volume", "#{cord_host_directory}:#{cord_container_directory}"])
else
optionize({ "health-cmd" => health_check_cmd, "health-interval" => health_check_interval })
end
else
[]
end
end
def health_check_cmd
options = specializations["healthcheck"] || {}
options = config.healthcheck.merge(options) if running_traefik?
health_check_options["cmd"] || http_health_check(port: health_check_options["port"], path: health_check_options["path"])
end
options["cmd"] || http_health_check(port: options["port"], path: options["path"])
def health_check_cmd_with_cord
"(#{health_check_cmd}) && (stat #{cord_container_file} > /dev/null || exit 1)"
end
def health_check_interval
options = specializations["healthcheck"] || {}
options = config.healthcheck.merge(options) if running_traefik?
options["interval"] || "1s"
health_check_options["interval"] || "1s"
end
def uses_cord?
running_traefik? && cord_container_directory.present? && health_check_cmd.present?
end
def cord_host_directory
File.join config.run_directory_as_docker_volume, "cords", [full_name, config.run_id].join("-")
end
def cord_host_file
File.join cord_host_directory, CORD_FILE
end
def cord_container_directory
health_check_options.fetch("cord", nil)
end
def cord_container_file
File.join cord_container_directory, CORD_FILE
end
def cmd
specializations["cmd"]
end
@@ -73,6 +110,10 @@ class Kamal::Configuration::Role
name.web? || specializations["traefik"]
end
def full_name
[ config.service, name, config.destination ].compact.join("-")
end
private
attr_accessor :config
@@ -152,4 +193,12 @@ class Kamal::Configuration::Role
def http_health_check(port:, path:)
"curl -f #{URI.join("http://localhost:#{port}", path)} || exit 1" if path.present? || port.present?
end
def health_check_options
@health_check_options ||= begin
options = specializations["healthcheck"] || {}
options = config.healthcheck.merge(options) if running_traefik?
options
end
end
end

34
lib/kamal/utils.rb
View File

@@ -16,14 +16,24 @@ module Kamal::Utils
end
end
# Return a list of shell arguments using the same named argument against the passed attributes,
# but redacts and expands secrets.
def argumentize_env_with_secrets(env)
if (secrets = env["secret"]).present?
argumentize("-e", secrets.to_h { |key| [ key, ENV.fetch(key) ] }, sensitive: true) + argumentize("-e", env["clear"])
else
argumentize "-e", env.fetch("clear", env)
end
def env_file_with_secrets(env)
env_file = StringIO.new.tap do |contents|
if (secrets = env["secret"]).present?
env.fetch("secret", env)&.each do |key|
contents << docker_env_file_line(key, ENV.fetch(key))
end
env["clear"]&.each do |key, value|
contents << docker_env_file_line(key, value)
end
else
env.fetch("clear", env)&.each do |key, value|
contents << docker_env_file_line(key, value)
end
end
end.string
# Ensure the file has some contents to avoid the SSHKIT empty file warning
env_file || "\n"
end
# Returns a list of shell-dashed option arguments. If the value is true, it's treated like a value-less option.
@@ -97,4 +107,12 @@ module Kamal::Utils
def uncommitted_changes
`git status --porcelain`.strip
end
def docker_env_file_line(key, value)
if key.include?("\n") || value.to_s.include?("\n")
raise ArgumentError, "docker env file format does not support newlines in keys or values, key: #{key}"
end
"#{key.to_s}=#{value.to_s}\n"
end
end

29
lib/kamal/utils/healthcheck_poller.rb
View File

@@ -1,5 +1,5 @@
class Kamal::Utils::HealthcheckPoller
TRAEFIK_HEALTHY_DELAY = 2
TRAEFIK_UPDATE_DELAY = 2
class HealthcheckError < StandardError; end
@@ -11,7 +11,7 @@ class Kamal::Utils::HealthcheckPoller
begin
case status = block.call
when "healthy"
sleep TRAEFIK_HEALTHY_DELAY if pause_after_ready
sleep TRAEFIK_UPDATE_DELAY if pause_after_ready
when "running" # No health check configured
sleep KAMAL.config.readiness_delay if pause_after_ready
else
@@ -31,6 +31,31 @@ class Kamal::Utils::HealthcheckPoller
info "Container is healthy!"
end
def wait_for_unhealthy(pause_after_ready: false, &block)
attempt = 1
max_attempts = KAMAL.config.healthcheck["max_attempts"]
begin
case status = block.call
when "unhealthy"
sleep TRAEFIK_UPDATE_DELAY if pause_after_ready
else
raise HealthcheckError, "container not unhealthy (#{status})"
end
rescue HealthcheckError => e
if attempt <= max_attempts
info "#{e.message}, retrying in #{attempt}s (attempt #{attempt}/#{max_attempts})..."
sleep attempt
attempt += 1
retry
else
raise
end
end
info "Container is unhealthy!"
end
private
def info(message)
SSHKit.config.output.info(message)