ADD dockerd sidecar capability

AnubisLMS · Sep 20, 2022 · 538f807 · 538f807
1 parent ee32af1
commit 538f807
Show file tree

Hide file tree

Showing 13 changed files with 122 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@ DEBUG_PERSISTENT_SERVICES := db traefik redis-master
 DEBUG_RESTART_ALWAYS_SERVICES := api web-dev rpc-default rpc-theia rpc-regrade
 
 # docker-compose settings
-DOCKER_COMPOSE_PUSH_SERVICES := api web theia-init theia-sidecar theia-proxy
+DOCKER_COMPOSE_PUSH_SERVICES := api web theia-init theia-sidecar theia-proxy theia-dockerd
 
 # K8S
 K8S_RESTART_DEPLOYMENTS := \

diff --git a/api/anubis/ide/initialize.py b/api/anubis/ide/initialize.py
@@ -134,6 +134,7 @@ def initialize_ide(
     admin: bool = False,
     privileged: bool = False,
     credentials: bool = False,
+    docker: bool = False,
 ) -> TheiaSession:
     from anubis.rpc.enqueue import enqueue_ide_initialize
 
@@ -159,6 +160,7 @@ def initialize_ide(
         admin=admin,
         privileged=privileged,
         credentials=credentials,
+        docker=docker or admin,
     )
     db.session.add(session)
     db.session.commit()

diff --git a/api/anubis/k8s/theia.py b/api/anubis/k8s/theia.py
@@ -287,6 +287,40 @@ def create_theia_k8s_pod_pvc(
         volume_mounts=sidecar_volume_mounts,
     )
 
+    ##################################################################################
+    # DOCKERD CONTAINER
+
+    if theia_session.docker:
+        certs_volume = k8s.V1Volume(name="dockerd-certs", empty_dir={})
+        certs_volume_mount = k8s.V1VolumeMount(name="dockerd-certs", mount_path="/certs")
+
+        pod_volumes.append(certs_volume)
+        theia_volume_mounts.append(certs_volume_mount)
+
+        theia_extra_env.append(k8s.V1EnvVar(name="ANUBIS_RUN_DOCKERD", value="1"))
+
+        dockerd_container = k8s.V1Container(
+            name="dockerd",
+            image="registry.digitalocean.com/anubis/theia-dockerd",
+            image_pull_policy="IfNotPresent",
+            env=[
+                k8s.V1EnvVar(name="ANUBIS_RUN_DOCKERD", value="1")
+            ],
+            # Add a security context to disable privilege escalation
+            security_context=k8s.V1SecurityContext(
+                allow_privilege_escalation=True,
+                run_as_non_root=True,
+                run_as_user=1001,
+                privileged=True,  # Hardcode privileged as it is required for docker (even rootless)
+            ),
+            # Add the shared certs volume
+            volume_mounts=[
+                certs_volume_mount
+            ],
+        )
+
+        pod_containers.append(dockerd_container)
+
     ##################################################################################
     # THEIA CONTAINER
 

diff --git a/api/anubis/models/__init__.py b/api/anubis/models/__init__.py
@@ -714,6 +714,7 @@ class TheiaSession(db.Model):
     credentials: bool = Column(Boolean, default=False)
     persistent_storage: bool = Column(Boolean, default=False)
     admin: bool = Column(Boolean, default=False)
+    docker: bool = Column(Boolean, default=False)
 
     k8s_requested: bool = Column(Boolean, default=False)
 

diff --git a/api/anubis/views/public/playgrounds.py b/api/anubis/views/public/playgrounds.py
@@ -70,6 +70,7 @@ def public_playgrounds_initialize(theia_image: TheiaImage):
         admin=False,
         privileged=False,
         credentials=False,
+        docker=False,
     )
 
     # Redirect to proxy

diff --git a/api/migrations/versions/2faa37dff9d0_add_theia_session_docker_column.py b/api/migrations/versions/2faa37dff9d0_add_theia_session_docker_column.py
@@ -0,0 +1,32 @@
+"""ADD theia session docker column
+
+Revision ID: 2faa37dff9d0
+Revises: d5de41411043
+Create Date: 2022-09-19 20:59:20.531115
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = "2faa37dff9d0"
+down_revision = "d5de41411043"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "theia_session", sa.Column("docker", sa.Boolean(), nullable=True)
+    )
+    conn = op.get_bind()
+    conn.execute('UPDATE `theia_session` SET `docker` = 0;')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("theia_session", "docker")
+    # ### end Alembic commands ###
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -29,8 +29,6 @@ services:
     image: registry.digitalocean.com/anubis/api:${GIT_TAG:-latest}
     build: ./api
     command: sh -c "while true; do python3 dev.py; sleep 1; done"
-    ports:
-      - 5000:5000
     environment:
       - "MINDEBUG=0"
       - "DEBUG=1"
@@ -165,6 +163,10 @@ services:
     image: registry.digitalocean.com/anubis/theia-sidecar:${GIT_TAG:-latest}
     build: ./theia/sidecar
 
+  theia-dockerd:
+    image: registry.digitalocean.com/anubis/theia-dockerd:${GIT_TAG:-latest}
+    build: theia/dockerd
+
   theia-base-38:
     image: registry.digitalocean.com/anubis/theia-base:python-3.8
 

diff --git a/k8s/chart/templates/email-cron.yml b/k8s/chart/templates/email-cron.yml
@@ -1,4 +1,4 @@
-{{- if .Values.reaper.enable }}
+{{- if and .Values.reaper.enable (not .Values.debug) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/k8s/chart/templates/startup-jobs.yml b/k8s/chart/templates/startup-jobs.yml
@@ -21,6 +21,8 @@ spec:
         env:
         {{- include "api.env" . | nindent 8 }}
 ---
+
+{{- if not .Values.debug }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -44,3 +46,4 @@ spec:
         - name: "JOB"
           value: "1"
         {{- include "api.env" . | nindent 8 }}
+{{- end }}
diff --git a/k8s/debug/restart.sh b/k8s/debug/restart.sh
@@ -18,7 +18,7 @@ eval $(minikube docker-env)
 pushd ..
 # Build services in parallel to speed things up
 export GIT_TAG=latest
-docker-compose build --parallel --pull api web theia-proxy theia-init theia-sidecar
+make build
 popd
 
 ./debug/upgrade.sh

diff --git a/theia/dockerd/Dockerfile b/theia/dockerd/Dockerfile
@@ -0,0 +1,21 @@
+FROM docker:20.10-dind-rootless
+
+ENV DOCKER_HOST="tcp://localhost:2376" \
+    DOCKER_TLS_CERTDIR="/certs" \
+    DOCKER_TLS_VERIFY="1" \
+    DOCKER_CERT_PATH="/certs/client" \
+    ANUBIS_RUN_DOCKERD="0"
+
+USER 0
+RUN set -eux; \
+    adduser -D -u 1001 theia; \
+    apk add --no-cache supervisor; \
+    sed -i 's/rootless/theia/' /etc/subuid /etc/subgid;
+
+VOLUME /certs
+
+COPY supervisord.conf /
+COPY dockerd.sh /anubis/
+
+USER 1001
+ENTRYPOINT ["supervisord", "--nodaemon", "-c", "/supervisord.conf"]
diff --git a/theia/dockerd/dockerd.sh b/theia/dockerd/dockerd.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -ex
+
+if [ "${ANUBIS_RUN_DOCKERD}" = "1" ]; then
+    echo 'Starting dockerd'
+    /usr/local/bin/dockerd-entrypoint.sh
+else
+    echo 'Skipping dockerd'
+    while true; do
+        sleep 3600;
+    done
+fi
diff --git a/theia/dockerd/supervisord.conf b/theia/dockerd/supervisord.conf
@@ -0,0 +1,10 @@
+[supervisord]
+logfile=/tmp/supervisord.log
+
+[program:dockerd]
+directory=/
+command=/anubis/dockerd.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0