/// <summary> /// Creates or updates a hive Docker binary config. /// </summary> /// <param name="configName">The config name.</param> /// <param name="value">The config value.</param> /// <param name="options">Optional command run options.</param> /// <exception cref="HiveException">Thrown if the operation failed.</exception> public void Set(string configName, byte[] value, RunOptions options = RunOptions.None) { Covenant.Requires <ArgumentException>(HiveDefinition.IsValidName(configName)); Covenant.Requires <ArgumentNullException>(value != null); var bundle = new CommandBundle("./create-config.sh"); bundle.AddFile("config.dat", value); bundle.AddFile("create-config.sh", $@"#!/bin/bash if docker config inspect {configName} ; then echo ""Config already exists; not setting it again."" else cat config.dat | docker config create {configName} - # It appears that Docker configs may not be available # immediately after they are created. So, we're going # poll for a while until we can inspect the new config. count=0 while [ $count -le 30 ] do if docker config inspect {configName} ; then exit 0 fi sleep 1 count=$(( count + 1 )) done echo ""Created config [{configName}] is not ready after 30 seconds."" >&2 exit 1 fi ", isExecutable: true); var response = hive.GetReachableManager().SudoCommand(bundle, options); if (response.ExitCode != 0) { throw new HiveException(response.ErrorSummary); } }
/// <summary> /// Ensures that the Docker <b>config.json</b> file for the node's root /// user matches that for the sysadmin user. /// </summary> private void SyncDockerConf(SshProxy <NodeDefinition> node) { // We also need to manage the login for the [root] account due // to issue // // https://github.com/jefflill/NeonForge/issues/265 // $hack(jeff.lill): // // We're simply going ensure that the [/root/.docker/config.json] // file matches the equivalent file for the node sysadmin account, // removing the root file if this was deleted for sysadmin. // // This is a bit of a hack because it assumes that the Docker config // for the root and sysadmin account never diverge, which is probably // a reasonable assumption given that these are managed hosts. // // We're also going to ensure that these directories and files have the // correct owners and permissions. var bundle = new CommandBundle("./sync.sh"); bundle.AddFile("sync.sh", $@"#!/bin/bash if [ ! -d /root/.docker ] ; then mkdir -p /root/.docker fi if [ -f /home/{node.Username}/.docker/config.json ] ; then cp /home/{node.Username}/.docker/config.json /root/.docker/config.json else if [ -f /root/.docker/config.json ] ; then rm /root/.docker/config.json fi fi if [ -d /root/.docker ] ; then chown -R root:root /root/.docker chmod 660 /root/.docker/* fi if [ -d /home/{node.Username}/.docker ] ; then chown -R {node.Username}:{node.Username} /home/{node.Username}/.docker chmod 660 /home/{node.Username}/.docker/* fi ", isExecutable: true); var response = node.SudoCommand(bundle); if (response.ExitCode != 0) { throw new HiveException(response.ErrorSummary); } }
/// <summary> /// Sets a Vault access control policy. /// </summary> /// <param name="policy">The policy.</param> /// <returns>The command response.</returns> public CommandResponse SetPolicy(VaultPolicy policy) { Covenant.Requires <ArgumentNullException>(policy != null); VerifyToken(); var bundle = new CommandBundle("./create-vault-policy.sh"); bundle.AddFile("create-vault-policy.sh", $@"#!/bin/bash export VAULT_TOKEN={hive.HiveLogin.VaultCredentials.RootToken} vault policy-write {policy.Name} policy.hcl ", isExecutable: true); bundle.AddFile("policy.hcl", policy); var response = hive.GetReachableManager().SudoCommand(bundle, hive.SecureRunOptions | RunOptions.FaultOnError); response.BashCommand = bundle.ToBash(); return(response); }
/// <summary> /// Removes then local Docker registry from the hive. /// </summary> /// <param name="progress">Optional action that will be called with a progress message.</param> /// <exception cref="HiveException">Thrown if no registry is deployed or there was an error removing it.</exception> public void PruneLocalRegistry(Action <string> progress = null) { // We're going to upload a script to one of the managers that handles // putting the [neon-registry] service into READ-ONLY mode, running // the garbage collection container and then restoring [neon-registry] // to READ/WRITE mode. // // The nice thing about this is that the operation will continue to // completion on the manager node even if we lose the SSH connection. var manager = hive.GetReachableManager(); var updateScript = @"#!/bin/bash # Update [neon-registry] to READ-ONLY mode: docker service update --env-rm READ_ONLY --env-add READ_ONLY=true neon-registry # Prune the registry: docker run \ --name neon-registry-prune \ --restart-condition=none \ --mount type=volume,src=neon-registry,volume-driver=neon,dst=/var/lib/neon-registry \ nhive/neon-registry garbage-collect # Restore [neon-registry] to READ/WRITE mode: docker service update --env-rm READ_ONLY --env-add READ_ONLY=false neon-registry "; var bundle = new CommandBundle("./collect.sh"); bundle.AddFile("collect.sh", updateScript, isExecutable: true); progress?.Invoke("Registry prune started."); var pruneResponse = manager.SudoCommand(bundle, RunOptions.None); if (pruneResponse.ExitCode != 0) { throw new HiveException($"The prune operation failed. The registry may be running in READ-ONLY mode: {pruneResponse.ErrorText}"); } progress?.Invoke("Registry prune completed."); }
/// <summary> /// Executes a command on a specific hive manager node using the root Vault token. /// </summary> /// <param name="manager">The target manager.</param> /// <param name="command">The command (including the <b>vault</b>).</param> /// <param name="args">The optional arguments.</param> /// <returns>The command response.</returns> /// <remarks> /// <note> /// This method does not fault or throw an exception if the command returns /// a non-zero exit code. /// </note> /// </remarks> public CommandResponse CommandNoFault(SshProxy <NodeDefinition> manager, string command, params object[] args) { Covenant.Requires <ArgumentNullException>(manager != null); Covenant.Requires <ArgumentNullException>(command != null); VerifyToken(); var scriptBundle = new CommandBundle(command, args); var bundle = new CommandBundle("./vault-command.sh"); bundle.AddFile("vault-command.sh", $@"#!/bin/bash export VAULT_TOKEN={hive.HiveLogin.VaultCredentials.RootToken} {scriptBundle} ", isExecutable: true); var response = manager.SudoCommand(bundle, hive.SecureRunOptions); response.BashCommand = bundle.ToBash(); return(response); }
/// <summary> /// Deletes a hive Docker config. /// </summary> /// <param name="configName">The config name.</param> /// <param name="options">Optional command run options.</param> /// <exception cref="HiveException">Thrown if the operation failed.</exception> public void Remove(string configName, RunOptions options = RunOptions.None) { Covenant.Requires <ArgumentException>(HiveDefinition.IsValidName(configName)); var bundle = new CommandBundle("./delete-config.sh"); bundle.AddFile("delete-config.sh", $@"#!/bin/bash docker config inspect {configName} if [ ""$?"" != ""0"" ] ; then echo ""Config doesn't exist."" else docker config rm {configName} fi ", isExecutable: true); var response = hive.GetReachableManager().SudoCommand(bundle, RunOptions.None); if (response.ExitCode != 0) { throw new HiveException(response.ErrorSummary); } }
/// <summary> /// Adds a text file to be uploaded before executing the command. /// </summary> /// <param name="path">The file path relative to the directory where the command will be executed.</param> /// <param name="text">The file text.</param> /// <param name="isExecutable">Optionally specifies that the file is to be marked as executable.</param> /// <param name="linuxCompatible"> /// Optionally controls whether the text is made Linux compatible by removing carriage returns /// and expanding TABs into spaces. This defaults to <c>true</c>. /// </param> public void AddFile(string path, string text, bool isExecutable = false, bool linuxCompatible = true) { Covenant.Requires <ArgumentNullException>(!string.IsNullOrEmpty(path)); commandBundle.AddFile(path, text, isExecutable, linuxCompatible); }