-
-
Notifications
You must be signed in to change notification settings - Fork 314
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
added docker support #357
added docker support #357
Conversation
manifests/params.pp
Outdated
@@ -40,7 +41,7 @@ | |||
$ui_package_ensure = 'latest' | |||
$ui_package_name = 'consul_ui' | |||
$user = 'consul' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many of the complexity in this PR revolves around not using the user
and group
variables.
Can you simply set them to be undef
in params.pp if the install method is docker instead? (then we won't need case statements throughout the codebase, and instead only have them in one place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same with manage_group and manage_user
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also init_style
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure why I didn't think of doing that in the prams vs trying to remap it in the init.pp ... lost in the moment. But yes: I deliberately attempted to clear user statements as they aren't needed out of the container.
I'll rework it tonight/next few days. Thanks for the input.
manifests/init.pp
Outdated
# | ||
# [*install_method*] | ||
# Valid strings: `package` - install via system package | ||
# Valid strings: `auto` - use docker if available, fallback to url if not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to veto this.
I think it adds complexity and surprise.
Just have a default method in the module and make users set it "automatically" themselves with their own puppet code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh fine, take the fun out of it!
manifests/run_service.pp
Outdated
if $::consul::join_wan { | ||
exec { 'join consul wan': | ||
cwd => $::consul::config_dir, | ||
path => [$::consul::bin_dir,'/bin','/usr/bin'], | ||
command => "consul join -wan ${consul::join_wan}", | ||
onlyif => "/usr/bin/test ! -e ${consul::config_dir}/docker_used", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you get away with a normal if statement here instead of the docker_used
workaround?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably need to assemble $command variable then add a prefix if install_method == docker. If you look close, in order to run consul in the container I need to call it slightly differently (prefix it with "docker exec -t consul <...>"). So ... yeah if we "veto auto" we can get away from that.
took way to long to get things to pass, but there you go. |
Running internally at the company against Ubuntu 14, 16, and CentOS 7.9 in both docker and non-docker configs. Found a minor bug where a container env variable was writing a new local.json. Removing to allow the user complete control over config through the module. |
manifests/install.pp
Outdated
@@ -4,16 +4,19 @@ | |||
# | |||
class consul::install { | |||
|
|||
if $::consul::data_dir { | |||
file { $::consul::data_dir: | |||
if ($::consul::data_dir) and ($::consul::install_method != 'docker') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is there no data_dir? I would prefer to have a permanently mounted volume outside the container. That way if I have to nuke docker for some reason, puppet can reproduce the image and run and all it has to do is pickup the data on disk
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly because of the nature of consul+puppet itself makes it unnecessary. In a production environment you should have 3/5/n masters so all info will replicate, and with a puppet config all checks and services will populate on first run so it's simply unnecessary to store that information beyond the life-cycle of the container (remember volumes will persists in upgrades, just not when you deliberately rm the container)
I was basically thinking about how to leave the host as "clean" as possible.
@@ -11,7 +11,8 @@ | |||
$config_defaults = {} | |||
$config_dir = '/etc/consul' | |||
$config_hash = {} | |||
$config_mode = '0660' | |||
$config_mode = '0664' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you leave it at 660 to continue to allow potentially sensitive configs unreadable by random users of the system or hacked nobodys or whatever?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this will break container volume mounts as the container itself does not share the users on the host, and thus counts as "other users". It was set as read-only to prevent tweaking. Keep in mind that in a container scenario the surface area of attack will be the containers themselves (that hosts all open ports). I can add a "config_mode_real" so it can be flipped back and forth based on the deployment mode?
manifests/reload_service.pp
Outdated
@@ -19,12 +19,16 @@ | |||
$http_addr = $::consul::http_addr | |||
} | |||
|
|||
case $::consul::install_method { | |||
'docker': { $command = "docker exec -t consul consul reload -http-addr=${http_addr}:${consul::http_port}" } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does docker exec need a -t
here? shouldn't need a tty right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question. I have it stuck in my head that's run into issues without the TTY enabled ... but honestly I could be completely wrong. Ill give a test internally and see what's up with that.
manifests/run_service.pp
Outdated
$docker_command = 'agent' | ||
} | ||
|
||
# Docker Install |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove the comment, doesn't really provide value here
manifests/check.pp
Outdated
@@ -85,11 +85,12 @@ | |||
|
|||
$escaped_id = regsubst($id,'\/','_','G') | |||
File[$::consul::config_dir] | |||
-> file { "${consul::config_dir}/check_${escaped_id}.json": | |||
-> file { "${consul::config_dir}/check_${escaped_id}.json" : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unless this is a new change in the style, can you remove the space before the colon?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Formatting habbit brought on from a vscode plugin for puppet. Can be pulled.
manifests/run_service.pp
Outdated
} | ||
|
||
# Docker Install | ||
docker::run { 'consul' : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space before the colon
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
manifests/config.pp
Outdated
purge => $purge, | ||
recurse => $purge, | ||
} | ||
-> file { 'consul config.json': | ||
-> file { 'consul config.json' : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
manifests/install.pp
Outdated
if $::consul::data_dir { | ||
file { $::consul::data_dir: | ||
if ($::consul::data_dir) and ($::consul::install_method != 'docker') { | ||
file { $::consul::data_dir : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
manifests/watch.pp
Outdated
@@ -134,11 +134,12 @@ | |||
} | |||
|
|||
File[$::consul::config_dir] | |||
-> file { "${consul::config_dir}/watch_${id}.json": | |||
-> file { "${consul::config_dir}/watch_${id}.json" : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
Spaces removed and data_dir added. |
This should be ready for another review. Please let me know. |
This is still on my radar and I will review. Can you confirm: are you running this code (in the PR) for real in your infrastructure? or is it a variant of it? |
This code is the code deployed at my company. We are using a mix of Ubuntu (14 and 16) as well as a few CentOS boxes, and I deploy both Docker and URL mode so I have a pretty good cross section, but we are a small shop of only ~80 boxes on premise. It's currently used in tandem with Registrator to do most of the service registration, but I do have a few specific service callouts being done. |
Alright, hitting the button... |
Sweet. Ill remove my branch and open a new one If i come up with more ideas. |
added docker support
added two new install_methods: auto and docker (neither set to default).
docker now uses the official docker container to deploy but still calls config_hash and mounts the config_dir for consistency. Image can be chosen, but network and certain key variables are hardcoded per consul recomendations for use in a container by the host. See: https://hub.docker.com/_/consul/
auto will look for the [docker0] network interface. If found, it uses docker, on failure it falls back to the url default.
The default remains at "url", disabling this feature.