コード例 #1
ファイル: docker.py プロジェクト: barryprice/charm-docker
def manage_docker_opts(opts, remove=False):
    """
    Add or remove docker daemon options.

    Options here will be merged with configured docker-opts when layer-docker
    processes a daemon restart; this function requests that restart by
    setting the 'docker.restart' state.

    Keys and values are handed to DockerOpts without any validation, so
    callers should only pass option names and values they trust.

    :param opts: Dictionary of option keys/values; use None as the value if
        the key is a flag
    :param remove: True to remove the options; False to add them
    :return: None
    """
    try:
        daemon_opts = DockerOpts()
    except Exception as err:
        # Best effort: when the option store cannot be created, log the
        # error and return without touching options or requesting a restart.
        hookenv.log(err)
        return

    for name, value in opts.items():
        # Always drop an existing entry before (optionally) adding the new one
        if daemon_opts.exists(name):
            daemon_opts.pop(name)
        if remove:
            continue
        daemon_opts.add(name, value)

    hookenv.log('DockerOpts daemon options changed. Requesting a restart.')
    # State will be removed by layer-docker after restart
    set_state('docker.restart')
コード例 #2
ファイル: flannel.py プロジェクト: chuckbutler/layer-flannel
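def ingest_network_config():
    ''' When flannel configures itself on first boot, it generates an
    environment file (subnet.env).

    Parse the FLANNEL_SUBNET and FLANNEL_MTU assignments from that file,
    cache them in unitdata ('sdn_subnet', 'sdn_mtu') so they can be handed
    off between layers, and add them to DockerOpts ('bip', 'mtu') to
    configure the workload docker daemon.

    If subnet.env is missing the unit status is set to 'waiting' and nothing
    else happens. The values are stored exactly as read (whitespace
    stripped); they are not validated as a CIDR or an integer here.
    '''
    db = unitdata.kv()
    opts = DockerOpts()

    # NOTE: relative path - resolved against the current working directory
    if not os.path.isfile('subnet.env'):
        status_set('waiting', 'No subnet file to ingest.')
        return

    with open('subnet.env') as env_file:
        flannel_config = env_file.readlines()

    for line in flannel_config:
        # A commented-out assignment must not end up in the daemon options
        if line.lstrip().startswith('#'):
            continue
        # Only KEY=VALUE lines are usable. Previously a line that mentioned
        # FLANNEL_MTU without '=' raised IndexError, and the two keys were
        # split with different indexes ([-1] vs [1]).
        key, sep, raw_value = line.partition('=')
        if not sep:
            continue
        value = raw_value.strip()
        # Match on the key side only, so a value that happens to contain one
        # of these names is not mistaken for the setting itself
        if "FLANNEL_SUBNET" in key:
            db.set('sdn_subnet', value)
            opts.add('bip', value)
        if "FLANNEL_MTU" in key:
            db.set('sdn_mtu', value)
            opts.add('mtu', value)

    set_state('sdn.available')
    set_state('flannel.configuring')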
コード例 #3
ファイル: docker.py プロジェクト: juju-solutions/layer-docker
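def container_sdn_setup(sdn):
    ''' Receive the information from the SDN plugin, and render the docker
    engine options.

    Reads 'subnet' and 'mtu' from sdn.get_sdn_config() and, when either
    differs from what was seen before, replaces the 'bip' and 'mtu' entries
    in DockerOpts, removes the docker network bridge and sets the
    'docker.sdn.configured' state.

    :param sdn: object providing get_sdn_config(), whose result must contain
        the keys 'subnet' and 'mtu' (KeyError otherwise)
    '''
    sdn_config = sdn.get_sdn_config()
    bind_ip = sdn_config['subnet']
    mtu = sdn_config['mtu']

    # Run both checks before combining them. With `a or b` the mtu check was
    # skipped whenever bip had changed. Assuming data_changed is the
    # charms.reactive helper, which records the value it is given as a side
    # effect (confirm), the skipped mtu then looked "changed" on the next
    # invocation and caused a second, redundant reconfiguration.
    bip_changed = data_changed('bip', bind_ip)
    mtu_changed = data_changed('mtu', mtu)
    if not (bip_changed or mtu_changed):
        return

    status_set('maintenance', 'Configuring container runtime with SDN.')
    opts = DockerOpts()
    # This is a great way to misconfigure a docker daemon. Remove the
    # existing bind ip and mtu values of the SDN
    for stale in ('bip', 'mtu'):
        if opts.exists(stale):
            opts.pop(stale)
    opts.add('bip', bind_ip)
    opts.add('mtu', mtu)
    _remove_docker_network_bridge()
    set_state('docker.sdn.configured')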
コード例 #4
ファイル: swarm.py プロジェクト: juju-solutions/layer-swarm
def bind_docker_daemon(connection_string):
    """ Bind the docker daemon to a TCP socket with TLS credentials

    Adds the unit's private address on port 2376 and the local unix socket
    as daemon hosts, sets cluster-advertise / cluster-store, renders
    /etc/default/docker, restarts docker and opens port 2376.

    NOTE(review): no tls* option is added in this function. The TLS settings
    must already be present in DockerOpts when opts.to_s() is rendered
    (presumably stored by an earlier handler - confirm); otherwise the
    daemon API on tcp/2376 is reachable without client authentication.

    :param connection_string: value stored as the 'cluster-store' option
    """
    status_set("maintenance", "Configuring Docker for TCP connections")
    opts = DockerOpts()
    private_address = unit_private_ip()

    tcp_endpoint = "tcp://{}:2376".format(private_address)
    advertise_addr = "{}:2376".format(private_address)

    # 'host' is added twice: the TCP listener plus the local unix socket
    opts.add("host", tcp_endpoint)
    opts.add("host", "unix:///var/run/docker.sock")
    opts.add("cluster-advertise", advertise_addr)
    opts.add("cluster-store", connection_string, strict=True)

    rendered_opts = opts.to_s()
    render("docker.defaults", "/etc/default/docker", {"opts": rendered_opts})
    service_restart("docker")
    open_port(2376)
コード例 #5
def bind_docker_daemon(connection_string):
    """ Bind the docker daemon to a TCP socket with TLS credentials

    The daemon is told to listen on <private address>:2376 and on the local
    unix socket, the cluster options are set, /etc/default/docker is
    re-rendered, docker is restarted and port 2376 is opened.

    NOTE(review): this function adds no tls* option itself; whether the
    listener is TLS-protected depends on what DockerOpts already holds when
    it is rendered here - confirm the ordering against the TLS handler.

    :param connection_string: value stored as the 'cluster-store' option
    """
    status_set('maintenance', 'Configuring Docker for TCP connections')
    opts = DockerOpts()
    private_address = unit_private_ip()
    endpoint = '{}:2376'.format(private_address)

    plain_options = (
        ('host', 'tcp://' + endpoint),
        ('host', 'unix:///var/run/docker.sock'),
        ('cluster-advertise', endpoint),
    )
    for option, setting in plain_options:
        opts.add(option, setting)
    # cluster-store is the only option added with strict=True
    opts.add('cluster-store', connection_string, strict=True)

    context = {'opts': opts.to_s()}
    render('docker.defaults', '/etc/default/docker', context)
    service_restart('docker')
    open_port(2376)
コード例 #6
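def container_sdn_setup(sdn):
    ''' Receive the information from the SDN plugin, and render the docker
    engine options.

    The 'subnet' and 'mtu' entries of sdn.get_sdn_config() become the 'bip'
    and 'mtu' docker options. Nothing is touched unless at least one of the
    two values changed since it was last seen.

    :param sdn: object providing get_sdn_config(); the returned mapping must
        contain 'subnet' and 'mtu'
    '''
    sdn_config = sdn.get_sdn_config()
    bind_ip = sdn_config['subnet']
    mtu = sdn_config['mtu']

    # Both checks are evaluated unconditionally. The original `or` skipped
    # the mtu check whenever bip had changed; if data_changed stores the new
    # value as a side effect (as the charms.reactive helper does - confirm),
    # that left mtu unrecorded and re-triggered this handler on the next run.
    changed = [data_changed('bip', bind_ip), data_changed('mtu', mtu)]
    if any(changed):
        status_set('maintenance', 'Configuring container runtime with SDN.')
        opts = DockerOpts()
        # This is a great way to misconfigure a docker daemon. Remove the
        # existing bind ip and mtu values of the SDN
        if opts.exists('bip'):
            opts.pop('bip')
        if opts.exists('mtu'):
            opts.pop('mtu')
        opts.add('bip', bind_ip)
        opts.add('mtu', mtu)
        _remove_docker_network_bridge()
        set_state('docker.sdn.configured')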
コード例 #7
def manage_docker_opts(opts, remove=False):
    '''Add or remove docker daemon options.

    Options here will be merged with configured docker-opts when layer-docker
    processes a daemon restart, which is requested here through the
    'docker.restart' state.

    Option names and values are passed to DockerOpts unchecked; only pass
    values from a trusted source.

    :param dict opts: option keys/values; use None value if the key is a flag
    :param bool remove: True to remove the options; False to add them
    '''
    store = DockerOpts()
    keep = not remove
    for option, setting in opts.items():
        # Always clear a previous entry for this option
        if store.exists(option):
            store.pop(option)
        if keep:
            store.add(option, setting)

    hookenv.log('DockerOpts daemon options changed. Requesting a restart.')
    # State will be removed by layer-docker after restart
    set_state('docker.restart')
コード例 #8
ファイル: swarm.py プロジェクト: juju-solutions/layer-swarm
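def enable_client_tls():
    """
    Copy the TLS certificates in place and generate mount points for the swarm
    manager to mount the certs. This enables client-side TLS security on the
    TCP service.

    Writes the server certificate and the CA certificate under /etc/docker,
    installs the server private key next to them (owner-only permissions),
    adds the tlscert / tlscacert / tlskey / tlsverify options to DockerOpts
    and renders /etc/default/docker. The docker service is not restarted
    here.
    """
    # Local import: os.open/os.fchmod are needed for the key permissions below
    import os

    if not path.exists("/etc/docker"):
        makedirs("/etc/docker")

    kv = unitdata.kv()
    cert = kv.get("tls.server.certificate")
    with open("/etc/docker/server.pem", "w+") as f:
        f.write(cert)
    with open("/etc/docker/ca.pem", "w+") as f:
        f.write(leader_get("certificate_authority"))

    # The key is named after the unit when such a file exists, otherwise
    # after the unit's public address.
    keypath = "easy-rsa/easyrsa3/pki/private/{}.key"
    server = getenv("JUJU_UNIT_NAME").replace("/", "_")
    key_source = keypath.format(server)
    if not path.exists(key_source):
        key_source = keypath.format(unit_get("public-address"))

    # Create (or tighten) the destination as 0600 *before* any key material
    # is written. Assuming copyfile is shutil.copyfile, it copies contents
    # only and truncates an existing destination in place, so without this
    # the private key would take its mode from the process umask (commonly
    # world-readable).
    key_dest = "/etc/docker/server-key.pem"
    fd = os.open(key_dest, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        os.fchmod(fd, 0o600)
    finally:
        os.close(fd)
    copyfile(key_source, key_dest)

    opts = DockerOpts()
    config_dir = "/etc/docker"
    cert_path = "{}/server.pem".format(config_dir)
    ca_path = "{}/ca.pem".format(config_dir)
    key_path = "{}/server-key.pem".format(config_dir)
    opts.add("tlscert", cert_path)
    opts.add("tlscacert", ca_path)
    opts.add("tlskey", key_path)
    # tlsverify carries no value; None is passed for it
    opts.add("tlsverify", None)
    render("docker.defaults", "/etc/default/docker", {"opts": opts.to_s()})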
コード例 #9
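def enable_client_tls():
    """
    Copy the TLS certificates in place and generate mount points for the swarm
    manager to mount the certs. This enables client-side TLS security on the
    TCP service.

    Steps: write server.pem and ca.pem into /etc/docker, install the server
    private key as server-key.pem with owner-only permissions, register the
    tls* daemon options in DockerOpts and render /etc/default/docker. No
    service restart happens in this function.
    """
    # Local import: os.open/os.fchmod are needed for the key permissions below
    import os

    if not path.exists('/etc/docker'):
        makedirs('/etc/docker')

    kv = unitdata.kv()
    cert = kv.get('tls.server.certificate')
    with open('/etc/docker/server.pem', 'w+') as f:
        f.write(cert)
    with open('/etc/docker/ca.pem', 'w+') as f:
        f.write(leader_get('certificate_authority'))

    # Prefer the key named after the unit; fall back to the one named after
    # the unit's public address.
    keypath = 'easy-rsa/easyrsa3/pki/private/{}.key'
    server = getenv('JUJU_UNIT_NAME').replace('/', '_')
    if path.exists(keypath.format(server)):
        key_source = keypath.format(server)
    else:
        key_source = keypath.format(unit_get('public-address'))

    # Make sure the destination exists with mode 0600 before the key is
    # copied into it. copyfile (presumably shutil.copyfile) does not carry
    # over permission bits, so the copied private key would otherwise get
    # whatever the umask allows, typically readable by every local user.
    key_dest = '/etc/docker/server-key.pem'
    fd = os.open(key_dest, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        os.fchmod(fd, 0o600)
    finally:
        os.close(fd)
    copyfile(key_source, key_dest)

    opts = DockerOpts()
    config_dir = '/etc/docker'
    cert_path = '{}/server.pem'.format(config_dir)
    ca_path = '{}/ca.pem'.format(config_dir)
    key_path = '{}/server-key.pem'.format(config_dir)
    opts.add('tlscert', cert_path)
    opts.add('tlscacert', ca_path)
    opts.add('tlskey', key_path)
    # tlsverify carries no value; None is passed for it
    opts.add('tlsverify', None)
    render('docker.defaults', '/etc/default/docker', {'opts': opts.to_s()})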
コード例 #10
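def container_sdn_setup(sdn):
    """
    Receive the information from the SDN plugin, and render the docker
    engine options.

    The 'subnet' and 'mtu' values from sdn.get_sdn_config() replace the
    'bip' and 'mtu' entries in DockerOpts when either value has changed.

    :param sdn: SDNPluginProvider
    :return: None
    """
    sdn_config = sdn.get_sdn_config()
    bind_ip = sdn_config["subnet"]
    mtu = sdn_config["mtu"]

    # Call data_changed for both values before deciding. The original
    # `a or b` short-circuited past the mtu check when bip had changed;
    # assuming data_changed records the value it is given (charms.reactive
    # behaviour - confirm), the unrecorded mtu then reported a change on the
    # following run and the daemon was reconfigured a second time.
    bip_changed = data_changed("bip", bind_ip)
    mtu_changed = data_changed("mtu", mtu)
    if bip_changed or mtu_changed:
        status.maintenance("Configuring container runtime with SDN.")
        opts = DockerOpts()
        # This is a great way to misconfigure a docker daemon. Remove the
        # existing bind ip and mtu values of the SDN
        if opts.exists("bip"):
            opts.pop("bip")
        if opts.exists("mtu"):
            opts.pop("mtu")
        opts.add("bip", bind_ip)
        opts.add("mtu", mtu)
        _remove_docker_network_bridge()
        set_state("docker.sdn.configured")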
コード例 #11
ファイル: swarm.py プロジェクト: juju-solutions/layer-swarm
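def swarm_etcd_cluster_setup(etcd):
    """
    Expose the Docker TCP port, and begin swarm cluster configuration. Always
    leading with the agent, connecting to the discovery service, then follow
    up with the manager container on the leader node.

    If the etcd endpoints use https but the relation has not yet supplied a
    complete set of client credentials, the unit is put into 'waiting' and
    nothing is configured.

    :param etcd: relation object providing get_client_credentials(),
        save_client_credentials() and connection_string()
    """
    opts = DockerOpts()
    # capture and place etcd TLS certificates
    certs = etcd.get_client_credentials()
    unit_name = getenv("JUJU_UNIT_NAME").replace("/", "-")
    cert_path = "/etc/ssl/{}".format(unit_name)

    # The file names depend only on cert_path, so derive them up front.
    # They used to be bound only inside the branch below, which made the
    # https branch fail with an unbound-variable error when the credentials
    # were incomplete.
    ca = "{}/client-ca.pem".format(cert_path)
    cert = "{}/client-cert.pem".format(cert_path)
    key = "{}/client-key.pem".format(cert_path)

    # if we have all the keys required, save them on disk
    have_credentials = bool(
        certs["client_ca"] and certs["client_key"] and certs["client_cert"]
    )
    if have_credentials:
        if not path.exists(cert_path):
            makedirs(cert_path)
        # NOTE(review): confirm save_client_credentials writes the client
        # key with owner-only permissions; nothing here restricts them.
        etcd.save_client_credentials(key, cert, ca)

    # format the connection string based on presence of encryption in the
    # connection string. Docker is the only known suite of tooling to use
    # the etcd:// protocol uri... dubious
    endpoints = etcd.connection_string()
    # Match the URL scheme rather than the bare substring, so a host name
    # that merely contains "http"/"https" is neither misdetected nor
    # rewritten.
    secure_discovery = "https://" in endpoints

    if secure_discovery and not have_credentials:
        status_set("waiting", "Waiting for etcd client TLS credentials")
        return

    if secure_discovery:
        con_string = endpoints.replace("https://", "etcd://")
        ccert = "kv.certfile={}".format(cert)
        ckey = "kv.keyfile={}".format(key)
        cca = "kv.cacertfile={}".format(ca)
        # NOTE(review): these are added to a separate DockerOpts instance
        # from the one bind_docker_daemon renders - presumably DockerOpts
        # persists its entries; confirm.
        opts.add("cluster-store-opt", ccert)
        opts.add("cluster-store-opt", ckey)
        opts.add("cluster-store-opt", cca)
    else:
        # Plain-http endpoints: discovery traffic to etcd is not encrypted
        con_string = endpoints.replace("http://", "etcd://")

    bind_docker_daemon(con_string)

    if secure_discovery:
        start_swarm(con_string, cert_path)
    else:
        start_swarm(con_string)

    status_set("active", "Swarm configured. Happy swarming")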
コード例 #12
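def swarm_etcd_cluster_setup(etcd):
    """
    Expose the Docker TCP port, and begin swarm cluster configuration. Always
    leading with the agent, connecting to the discovery service, then follow
    up with the manager container on the leader node.

    When the etcd endpoints are https but the client credentials are not
    all available yet, the unit status is set to 'waiting' and the function
    returns without configuring docker or swarm.

    :param etcd: relation object providing get_client_credentials(),
        save_client_credentials() and connection_string()
    """
    opts = DockerOpts()
    # capture and place etcd TLS certificates
    certs = etcd.get_client_credentials()
    unit_name = getenv('JUJU_UNIT_NAME').replace('/', '-')
    cert_path = '/etc/ssl/{}'.format(unit_name)

    # Derived unconditionally: these names were previously assigned only
    # when all credentials were present, yet read in the https branch
    # regardless, which raised an unbound-variable error.
    ca = "{}/client-ca.pem".format(cert_path)
    cert = "{}/client-cert.pem".format(cert_path)
    key = "{}/client-key.pem".format(cert_path)

    # if we have all the keys required, save them on disk
    required = ('client_ca', 'client_key', 'client_cert')
    have_credentials = all(certs[name] for name in required)
    if have_credentials:
        if not path.exists(cert_path):
            makedirs(cert_path)
        # NOTE(review): the permissions of the saved client key are decided
        # inside save_client_credentials - confirm they are owner-only.
        etcd.save_client_credentials(key, cert, ca)

    # format the connection string based on presence of encryption in the
    # connection string. Docker is the only known suite of tooling to use
    # the etcd:// protocol uri... dubious
    endpoints = etcd.connection_string()
    # Anchor on the scheme separator so only URL schemes are detected and
    # rewritten, not "http"/"https" occurring inside a host name.
    secure_discovery = 'https://' in endpoints

    if secure_discovery and not have_credentials:
        status_set('waiting', 'Waiting for etcd client TLS credentials')
        return

    if secure_discovery:
        con_string = endpoints.replace('https://', 'etcd://')
        ccert = 'kv.certfile={}'.format(cert)
        ckey = 'kv.keyfile={}'.format(key)
        cca = 'kv.cacertfile={}'.format(ca)
        # NOTE(review): bind_docker_daemon builds its own DockerOpts; this
        # relies on the entries added here being visible to it - confirm.
        opts.add('cluster-store-opt', ccert)
        opts.add('cluster-store-opt', ckey)
        opts.add('cluster-store-opt', cca)
    else:
        # Plain-http endpoints: discovery traffic to etcd is not encrypted
        con_string = endpoints.replace('http://', 'etcd://')

    bind_docker_daemon(con_string)

    if secure_discovery:
        start_swarm(con_string, cert_path)
    else:
        start_swarm(con_string)

    status_set('active', 'Swarm configured. Happy swarming')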