summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp42
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp54
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb78
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb7
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb5
6 files changed, 187 insertions, 1 deletions
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 4b93245..396a110 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -43,7 +43,7 @@ md-master.reep.refeds.org:
www2.eduid.se:
dockerhost:
'^web-.+\.sunet\.se$':
- dockerhost:
+ sunet::dockerhost:
'^web-a[0-9]+\.sunet\.se$':
webappserver:
'^web-f[0-9]+\.sunet\.se$':
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
new file mode 100644
index 0000000..8df416b
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -0,0 +1,42 @@
+# Common use of docker::run
+define sunet::docker_run(
+ $image,
+ $imagetag = hiera('sunet_docker_default_tag', 'latest'),
+ $volumes = [],
+ $ports = [],
+ $env = [],
+ $net = 'bridge',
+ $extra_parameters = [],
+) {
+
+ # Make container use unbound resolver on dockerhost
+ # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
+ $dns = $net ? {
+ 'host' => [], # docker refuses --dns with --net host
+ default => [pick($::ipaddress_docker0, '172.17.42.1')],
+ }
+
+ $image_tag = "${image}:${imagetag}"
+ docker::image { $image_tag : } ->
+
+ docker::run {$name :
+ use_name => true,
+ image => $image_tag,
+ volumes => flatten([$volumes,
+ '/etc/passwd:/etc/passwd:ro', # uid consistency
+ '/etc/group:/etc/group:ro', # gid consistency
+ ]),
+ ports => $ports,
+ env => $env,
+ net => $net,
+ extra_parameters => flatten([$extra_parameters,
+ '--rm',
+ ]),
+ dns => $dns,
+ verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ pre_start => 'run-parts /usr/local/etc/docker.d',
+ post_start => 'run-parts /usr/local/etc/docker.d',
+ pre_stop => 'run-parts /usr/local/etc/docker.d',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
new file mode 100644
index 0000000..9dec034
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
@@ -0,0 +1,54 @@
+# Install docker from https://get.docker.com/ubuntu
+class sunet::dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest,
+ }
+
+ class {'docker':
+ manage_package => false,
+ }
+
+ package { 'unbound': ensure => 'latest' }
+
+ file { '/usr/local/etc/docker.d/20unbound':
+ ensure => file,
+ path => '/usr/local/etc/docker.d/20unbound',
+ mode => '0755',
+ content => template('sunet/dockerhost/20unbound.erb'),
+ }
+
+ file { '/etc/logrotate.d/docker-containers':
+ ensure => file,
+ path => '/etc/logrotate.d/docker-containers',
+ mode => '0644',
+ content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
+ }
+
+ file { '/etc/unbound/unbound.conf.d/docker.conf':
+ ensure => file,
+ path => '/etc/unbound/unbound.conf.d/docker.conf',
+ mode => '0644',
+ notify => Service['unbound'],
+ }
+
+ ufw::allow { 'allow-docker-resolving_udp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'udp',
+ }
+ ufw::allow { 'allow-docker-resolving_tcp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'tcp',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
new file mode 100755
index 0000000..204e97c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# This script registers/removes docker containers IP addresses
+# from the local unbound resolver in the post-start / pre-stop actions.
+#
+# For action pre-start, it checks if there is a CID file that needs to be
+# cleaned away to not prevent the new container from starting.
+#
+
+# sunet_docker_pre-post: CID d05a0842ce1700ee3328d42ccf5c2f29cc3d71fa6dcc6a72f994f8d032453be7
+# sunet_docker_pre-post: ACTION pre-stop
+# sunet_docker_pre-post: IMAGE docker.sunet.se/eduid/eduid-mm-service
+# sunet_docker_pre-post: NAME eduid-mm-service
+#for e in "CID" "ACTION" "IMAGE" "NAME"; do
+# logger -t sunet_docker_pre-post "$e `printenv $e`"
+#done
+
+logtag="sunet_docker_pre-post[$ACTION]"
+logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'"
+
+if [ "x$ACTION" = "xpre-start" ]; then
+ if [ -f "${CIDFILE}" ]; then
+ # Clean away the CID file in pre-start if the container is in fact not running
+ docker inspect "${CID}" 2>/dev/null || (
+ logger -t "${logtag}" "Removing left-over CID file '${CIDFILE}' (CID ${CID})";
+ rm -f "${CIDFILE}"
+ )
+ fi
+
+ # Remove any stopped container with this name to prevent the docker start script
+ # from just restarting that one (instead of starting the currently tagged image,
+ # which might be newer than the one used by the old container)
+ docker inspect "${NAME}" && docker rm "${NAME}"
+ exit 0
+fi
+
+if [ "x${CID}" = "x" ]; then
+ CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
+
+ if [ "x${CID}" = "x" ]; then
+ # sometimes containers start slow...
+ for retry in 1 2 3 4 5; do
+ sleep 1
+ logger -t "${logtag}" "Retrying CID lookup for ${NAME}"
+ CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
+ if [ "x${CID}" != "x" ]; then
+ break
+ fi
+ done
+ fi
+
+ if [ "x${CID}" = "x" ]; then
+ logger -t "${logtag}" "No CID provided or found! Aborting."
+ exit 0
+ fi
+
+ logger -t "${logtag}" "Found CID ${CID} using docker inspect on '${NAME}'"
+fi
+
+# Remove registered name.
+# XXX this does NOT handle multiple instances of the same image running on
+# a single Docker host!
+logger -t "${logtag}" "Un-registering ${NAME}.docker"
+unbound-control local_data_remove "${NAME}.docker." > /dev/null
+
+# If it is a container starting up, register it's IP address
+if [ "x$ACTION" = "xpost-start" ]; then
+ ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "${CID}" 2>/dev/null)
+ if [ "x${ip}" = "x" ]; then
+ logger -t "${logtag}" "Failed to get IP from CID ${CID}. Aborting."
+ exit 0
+ fi
+ unbound-control local_data "${NAME}.docker. 60 IN A ${ip}" > /dev/null
+ # Register reverse pointer - there is no local_data_ptr command unfortunately
+ ptr=$(echo "${ip}" | awk -F . '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
+ unbound-control local_data "${ptr} 60 IN PTR ${NAME}.docker."
+ logger -t "${logtag}" "Registered ${NAME}.docker at ${ip}"
+fi
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
new file mode 100644
index 0000000..6cf5fe9
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
@@ -0,0 +1,7 @@
+/var/lib/docker/containers/*/*.log {
+ rotate 7
+ daily
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
new file mode 100644
index 0000000..f6bb382
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
@@ -0,0 +1,5 @@
+server:
+ local-zone: docker. static
+ interface: 127.0.0.1
+ interface: 172.17.42.1
+ access-control: 172.16.0.0/12 allow