tyler.durden
/
compose
mirror of https://github.com/docker/compose.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #537 from aanand/tls 

TLS support
This commit is contained in:
Ben Firshman 2014-10-16 18:53:59 +01:00
parent 1820306d0a 0f58b9f6b4
commit a07c83659d
16 changed files with 759 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/cli.md
View File

@ -101,6 +101,8 @@ By default if there are existing containers for a service, `fig up` will stop an
Several environment variables can be used to configure Fig's behaviour.
Variables starting with `DOCKER_` are the same as those used to configure the Docker command-line client. If you're using boot2docker, `$(boot2docker shellinit)` will set them to their correct values.
### FIG\_PROJECT\_NAME
Set the project name, which is prepended to the name of every container started by Fig. Defaults to the `basename` of the current working directory.
@ -112,3 +114,11 @@ Set the path to the `fig.yml` to use. Defaults to `fig.yml` in the current worki
### DOCKER\_HOST
Set the URL to the docker daemon. Defaults to `unix:///var/run/docker.sock`, as with the docker client.
### DOCKER\_TLS\_VERIFY
When set to anything other than an empty string, enables TLS communication with the daemon.
### DOCKER\_CERT\_PATH
Configure the path to the `ca.pem`, `cert.pem` and `key.pem` files used for TLS verification. Defaults to `~/.docker`.

6
docs/install.md
View File

@ -8,11 +8,11 @@ Installing Fig
First, install Docker version 1.3 or greater.
If you're on OS X, you can use the [OS X installer](https://docs.docker.com/installation/mac/). You'll also need to set an environment variable to point at the Boot2Docker virtual machine:
If you're on OS X, you can use the [OS X installer](https://docs.docker.com/installation/mac/) to install both Docker and boot2docker. Once boot2docker is running, set the environment variables that'll configure Docker and Fig to talk to it:
$ export DOCKER_HOST=tcp://`boot2docker ip`:2375
$(boot2docker shellinit)
If you want this to persist across shell sessions, you can add it to your `~/.bashrc` file.
To persist the environment variables across shell sessions, you can add that line to your `~/.bashrc` file.
There are also guides for [Ubuntu](https://docs.docker.com/installation/ubuntulinux/) and [other platforms](https://docs.docker.com/installation/) in Dockers documentation.

10
fig/cli/command.py
View File

@ -1,7 +1,6 @@
from __future__ import unicode_literals
from __future__ import absolute_import
from docker import Client
from requests.exceptions import ConnectionError
from requests.exceptions import ConnectionError, SSLError
import errno
import logging
import os
@ -12,7 +11,8 @@ import six
from ..project import Project
from ..service import ConfigError
from .docopt_command import DocoptCommand
from .utils import docker_url, call_silently, is_mac, is_ubuntu
from .utils import call_silently, is_mac, is_ubuntu
from .docker_client import docker_client
from . import verbose_proxy
from . import errors
from .. import __version__
@ -26,6 +26,8 @@ class Command(DocoptCommand):
def dispatch(self, *args, **kwargs):
try:
super(Command, self).dispatch(*args, **kwargs)
except SSLError, e:
raise errors.UserError('SSL error: %s' % e)
except ConnectionError:
if call_silently(['which', 'docker']) != 0:
if is_mac():
@ -49,7 +51,7 @@ class Command(DocoptCommand):
handler(project, command_options)
def get_client(self, verbose=False):
client = Client(docker_url())
client = docker_client()
if verbose:
version_info = six.iteritems(client.version())
log.info("Fig version %s", __version__)

34
fig/cli/docker_client.py Normal file
View File

@ -0,0 +1,34 @@
from docker import Client
from docker import tls
import ssl
import os
def docker_client():
"""
Returns a docker-py client configured using environment variables
according to the same logic as the official Docker client.
"""
cert_path = os.environ.get('DOCKER_CERT_PATH', '')
if cert_path == '':
cert_path = os.path.join(os.environ.get('HOME'), '.docker')
base_url = os.environ.get('DOCKER_HOST')
tls_config = None
if os.environ.get('DOCKER_TLS_VERIFY', '') != '':
parts = base_url.split('://', 1)
base_url = '%s://%s' % ('https', parts[1])
client_cert = (os.path.join(cert_path, 'cert.pem'), os.path.join(cert_path, 'key.pem'))
ca_cert = os.path.join(cert_path, 'ca.pem')
tls_config = tls.TLSConfig(
ssl_version=ssl.PROTOCOL_TLSv1,
verify=True,
assert_hostname=False,
client_cert=client_cert,
ca_cert=ca_cert,
)
return Client(base_url=base_url, tls=tls_config)

2
fig/cli/main.py
View File

@ -7,7 +7,7 @@ import signal
from operator import attrgetter
from inspect import getdoc
import dockerpty
from fig.packages import dockerpty
from .. import __version__
from ..project import NoSuchService, ConfigurationError

4
fig/cli/utils.py
View File

@ -62,10 +62,6 @@ def mkdir(path, permissions=0o700):
return path
def docker_url():
return os.environ.get('DOCKER_HOST')
def split_buffer(reader, separator):
"""
Given a generator which yields strings and a separator string,

0
fig/packages/__init__.py Normal file
View File

27
fig/packages/dockerpty/__init__.py Normal file
View File

@ -0,0 +1,27 @@
# dockerpty.
#
# Copyright 2014 Chris Corbyn <chris@w3style.co.uk>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from .pty import PseudoTerminal
def start(client, container):
"""
Present the PTY of the container inside the current process.
This is just a wrapper for PseudoTerminal(client, container).start()
"""
PseudoTerminal(client, container).start()

294
fig/packages/dockerpty/io.py Normal file
View File

@ -0,0 +1,294 @@
# dockerpty: io.py
#
# Copyright 2014 Chris Corbyn <chris@w3style.co.uk>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import fcntl
import errno
import struct
import select as builtin_select
def set_blocking(fd, blocking=True):
"""
Set the given file-descriptor blocking or non-blocking.
Returns the original blocking status.
"""
old_flag = fcntl.fcntl(fd, fcntl.F_GETFL)
if blocking:
new_flag = old_flag &~ os.O_NONBLOCK
else:
new_flag = old_flag | os.O_NONBLOCK
fcntl.fcntl(fd, fcntl.F_SETFL, new_flag)
return not bool(old_flag & os.O_NONBLOCK)
def select(read_streams, timeout=0):
"""
Select the streams from `read_streams` that are ready for reading.
Uses `select.select()` internally but returns a flat list of streams.
"""
write_streams = []
exception_streams = []
try:
return builtin_select.select(
read_streams,
write_streams,
exception_streams,
timeout,
)[0]
except builtin_select.error as e:
# POSIX signals interrupt select()
if e[0] == errno.EINTR:
return []
else:
raise e
class Stream(object):
"""
Generic Stream class.
This is a file-like abstraction on top of os.read() and os.write(), which
add consistency to the reading of sockets and files alike.
"""
"""
Recoverable IO/OS Errors.
"""
ERRNO_RECOVERABLE = [
errno.EINTR,
errno.EDEADLK,
errno.EWOULDBLOCK,
]
def __init__(self, fd):
"""
Initialize the Stream for the file descriptor `fd`.
The `fd` object must have a `fileno()` method.
"""
self.fd = fd
def fileno(self):
"""
Return the fileno() of the file descriptor.
"""
return self.fd.fileno()
def set_blocking(self, value):
if hasattr(self.fd, 'setblocking'):
self.fd.setblocking(value)
return True
else:
return set_blocking(self.fd, value)
def read(self, n=4096):
"""
Return `n` bytes of data from the Stream, or None at end of stream.
"""
try:
if hasattr(self.fd, 'recv'):
return self.fd.recv(n)
return os.read(self.fd.fileno(), n)
except EnvironmentError as e:
if e.errno not in Stream.ERRNO_RECOVERABLE:
raise e
def write(self, data):
"""
Write `data` to the Stream.
"""
if not data:
return None
while True:
try:
if hasattr(self.fd, 'send'):
self.fd.send(data)
return len(data)
os.write(self.fd.fileno(), data)
return len(data)
except EnvironmentError as e:
if e.errno not in Stream.ERRNO_RECOVERABLE:
raise e
def __repr__(self):
return "{cls}({fd})".format(cls=type(self).__name__, fd=self.fd)
class Demuxer(object):
"""
Wraps a multiplexed Stream to read in data demultiplexed.
Docker multiplexes streams together when there is no PTY attached, by
sending an 8-byte header, followed by a chunk of data.
The first 4 bytes of the header denote the stream from which the data came
(i.e. 0x01 = stdout, 0x02 = stderr). Only the first byte of these initial 4
bytes is used.
The next 4 bytes indicate the length of the following chunk of data as an
integer in big endian format. This much data must be consumed before the
next 8-byte header is read.
"""
def __init__(self, stream):
"""
Initialize a new Demuxer reading from `stream`.
"""
self.stream = stream
self.remain = 0
def fileno(self):
"""
Returns the fileno() of the underlying Stream.
This is useful for select() to work.
"""
return self.stream.fileno()
def set_blocking(self, value):
return self.stream.set_blocking(value)
def read(self, n=4096):
"""
Read up to `n` bytes of data from the Stream, after demuxing.
Less than `n` bytes of data may be returned depending on the available
payload, but the number of bytes returned will never exceed `n`.
Because demuxing involves scanning 8-byte headers, the actual amount of
data read from the underlying stream may be greater than `n`.
"""
size = self._next_packet_size(n)
if size <= 0:
return
else:
return self.stream.read(size)
def write(self, data):
"""
Delegates the the underlying Stream.
"""
return self.stream.write(data)
def _next_packet_size(self, n=0):
size = 0
if self.remain > 0:
size = min(n, self.remain)
self.remain -= size
else:
data = self.stream.read(8)
if data is None:
return 0
if len(data) == 8:
__, actual = struct.unpack('>BxxxL', data)
size = min(n, actual)
self.remain = actual - size
return size
def __repr__(self):
return "{cls}({stream})".format(cls=type(self).__name__,
stream=self.stream)
class Pump(object):
"""
Stream pump class.
A Pump wraps two Streams, reading from one and and writing its data into
the other, much like a pipe but manually managed.
This abstraction is used to facilitate piping data between the file
descriptors associated with the tty and those associated with a container's
allocated pty.
Pumps are selectable based on the 'read' end of the pipe.
"""
def __init__(self, from_stream, to_stream):
"""
Initialize a Pump with a Stream to read from and another to write to.
"""
self.from_stream = from_stream
self.to_stream = to_stream
def fileno(self):
"""
Returns the `fileno()` of the reader end of the Pump.
This is useful to allow Pumps to function with `select()`.
"""
return self.from_stream.fileno()
def set_blocking(self, value):
return self.from_stream.set_blocking(value)
def flush(self, n=4096):
"""
Flush `n` bytes of data from the reader Stream to the writer Stream.
Returns the number of bytes that were actually flushed. A return value
of zero is not an error.
If EOF has been reached, `None` is returned.
"""
try:
return self.to_stream.write(self.from_stream.read(n))
except OSError as e:
if e.errno != errno.EPIPE:
raise e
def __repr__(self):
return "{cls}(from={from_stream}, to={to_stream})".format(
cls=type(self).__name__,
from_stream=self.from_stream,
to_stream=self.to_stream)

235
fig/packages/dockerpty/pty.py Normal file
View File

@ -0,0 +1,235 @@
# dockerpty: pty.py
#
# Copyright 2014 Chris Corbyn <chris@w3style.co.uk>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
import signal
from ssl import SSLError
from . import io
from . import tty
class WINCHHandler(object):
"""
WINCH Signal handler to keep the PTY correctly sized.
"""
def __init__(self, pty):
"""
Initialize a new WINCH handler for the given PTY.
Initializing a handler has no immediate side-effects. The `start()`
method must be invoked for the signals to be trapped.
"""
self.pty = pty
self.original_handler = None
def __enter__(self):
"""
Invoked on entering a `with` block.
"""
self.start()
return self
def __exit__(self, *_):
"""
Invoked on exiting a `with` block.
"""
self.stop()
def start(self):
"""
Start trapping WINCH signals and resizing the PTY.
This method saves the previous WINCH handler so it can be restored on
`stop()`.
"""
def handle(signum, frame):
if signum == signal.SIGWINCH:
self.pty.resize()
self.original_handler = signal.signal(signal.SIGWINCH, handle)
def stop(self):
"""
Stop trapping WINCH signals and restore the previous WINCH handler.
"""
if self.original_handler is not None:
signal.signal(signal.SIGWINCH, self.original_handler)
class PseudoTerminal(object):
"""
Wraps the pseudo-TTY (PTY) allocated to a docker container.
The PTY is managed via the current process' TTY until it is closed.
Example:
import docker
from dockerpty import PseudoTerminal
client = docker.Client()
container = client.create_container(
image='busybox:latest',
stdin_open=True,
tty=True,
command='/bin/sh',
)
# hijacks the current tty until the pty is closed
PseudoTerminal(client, container).start()
Care is taken to ensure all file descriptors are restored on exit. For
example, you can attach to a running container from within a Python REPL
and when the container exits, the user will be returned to the Python REPL
without adverse effects.
"""
def __init__(self, client, container):
"""
Initialize the PTY using the docker.Client instance and container dict.
"""
self.client = client
self.container = container
self.raw = None
def start(self, **kwargs):
"""
Present the PTY of the container inside the current process.
This will take over the current process' TTY until the container's PTY
is closed.
"""
pty_stdin, pty_stdout, pty_stderr = self.sockets()
mappings = [
(io.Stream(sys.stdin), pty_stdin),
(pty_stdout, io.Stream(sys.stdout)),
(pty_stderr, io.Stream(sys.stderr)),
]
pumps = [io.Pump(a, b) for (a, b) in mappings if a and b]
if not self.container_info()['State']['Running']:
self.client.start(self.container, **kwargs)
flags = [p.set_blocking(False) for p in pumps]
try:
with WINCHHandler(self):
self._hijack_tty(pumps)
finally:
if flags:
for (pump, flag) in zip(pumps, flags):
io.set_blocking(pump, flag)
def israw(self):
"""
Returns True if the PTY should operate in raw mode.
If the container was not started with tty=True, this will return False.
"""
if self.raw is None:
info = self.container_info()
self.raw = sys.stdout.isatty() and info['Config']['Tty']
return self.raw
def sockets(self):
"""
Returns a tuple of sockets connected to the pty (stdin,stdout,stderr).
If any of the sockets are not attached in the container, `None` is
returned in the tuple.
"""
info = self.container_info()
def attach_socket(key):
if info['Config']['Attach{0}'.format(key.capitalize())]:
socket = self.client.attach_socket(
self.container,
{key: 1, 'stream': 1, 'logs': 1},
)
stream = io.Stream(socket)
if info['Config']['Tty']:
return stream
else:
return io.Demuxer(stream)
else:
return None
return map(attach_socket, ('stdin', 'stdout', 'stderr'))
def resize(self, size=None):
"""
Resize the container's PTY.
If `size` is not None, it must be a tuple of (height,width), otherwise
it will be determined by the size of the current TTY.
"""
if not self.israw():
return
size = size or tty.size(sys.stdout)
if size is not None:
rows, cols = size
try:
self.client.resize(self.container, height=rows, width=cols)
except IOError: # Container already exited
pass
def container_info(self):
"""
Thin wrapper around client.inspect_container().
"""
return self.client.inspect_container(self.container)
def _hijack_tty(self, pumps):
with tty.Terminal(sys.stdin, raw=self.israw()):
self.resize()
while True:
_ready = io.select(pumps, timeout=60)
try:
if all([p.flush() is None for p in pumps]):
break
except SSLError as e:
if 'The operation did not complete' not in e.strerror:
raise e

130
fig/packages/dockerpty/tty.py Normal file
View File

@ -0,0 +1,130 @@
# dockerpty: tty.py
#
# Copyright 2014 Chris Corbyn <chris@w3style.co.uk>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import
import os
import termios
import tty
import fcntl
import struct
def size(fd):
"""
Return a tuple (rows,cols) representing the size of the TTY `fd`.
The provided file descriptor should be the stdout stream of the TTY.
If the TTY size cannot be determined, returns None.
"""
if not os.isatty(fd.fileno()):
return None
try:
dims = struct.unpack('hh', fcntl.ioctl(fd, termios.TIOCGWINSZ, 'hhhh'))
except:
try:
dims = (os.environ['LINES'], os.environ['COLUMNS'])
except:
return None
return dims
class Terminal(object):
"""
Terminal provides wrapper functionality to temporarily make the tty raw.
This is useful when streaming data from a pseudo-terminal into the tty.
Example:
with Terminal(sys.stdin, raw=True):
do_things_in_raw_mode()
"""
def __init__(self, fd, raw=True):
"""
Initialize a terminal for the tty with stdin attached to `fd`.
Initializing the Terminal has no immediate side effects. The `start()`
method must be invoked, or `with raw_terminal:` used before the
terminal is affected.
"""
self.fd = fd
self.raw = raw
self.original_attributes = None
def __enter__(self):
"""
Invoked when a `with` block is first entered.
"""
self.start()
return self
def __exit__(self, *_):
"""
Invoked when a `with` block is finished.
"""
self.stop()
def israw(self):
"""
Returns True if the TTY should operate in raw mode.
"""
return self.raw
def start(self):
"""
Saves the current terminal attributes and makes the tty raw.
This method returns None immediately.
"""
if os.isatty(self.fd.fileno()) and self.israw():
self.original_attributes = termios.tcgetattr(self.fd)
tty.setraw(self.fd)
def stop(self):
"""
Restores the terminal attributes back to before setting raw mode.
If the raw terminal was not started, does nothing.
"""
if self.original_attributes is not None:
termios.tcsetattr(
self.fd,
termios.TCSADRAIN,
self.original_attributes,
)
def __repr__(self):
return "{cls}({fd}, raw={raw})".format(
cls=type(self).__name__,
fd=self.fd,
raw=self.raw)

3
requirements.txt
View File

@ -1,6 +1,5 @@
PyYAML==3.10
docker-py==0.5.0
dockerpty==0.2.3
docker-py==0.5.3
docopt==0.6.1
requests==2.2.1
six==1.7.3

11
script/test
View File

@ -1,5 +1,12 @@
#!/bin/sh
set -ex
target="tests"
if [[ -n "$@" ]]; then
target="$@"
fi
docker build -t fig .
docker run -v /var/run/docker.sock:/var/run/docker.sock fig flake8 fig
docker run -v /var/run/docker.sock:/var/run/docker.sock fig nosetests $@
docker run -v /var/run/docker.sock:/var/run/docker.sock fig flake8 --exclude=packages fig
docker run -v /var/run/docker.sock:/var/run/docker.sock fig nosetests $target

1
setup.py
View File

@ -30,7 +30,6 @@ install_requires = [
'requests >= 2.2.1, < 3',
'texttable >= 0.8.1, < 0.9',
'websocket-client >= 0.11.0, < 0.12',
'dockerpty >= 0.2.3, < 0.3',
'docker-py >= 0.5, < 0.6',
'six >= 1.3.0, < 2',
]

14
tests/integration/cli_test.py
View File

@ -129,13 +129,13 @@ class CLITestCase(DockerClientTestCase):
self.assertEqual(old_ids, new_ids)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_service_without_links(self, mock_stdout):
self.command.base_dir = 'tests/fixtures/links-figfile'
self.command.dispatch(['run', 'console', '/bin/true'], None)
self.assertEqual(len(self.project.containers()), 0)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_service_with_links(self, __):
self.command.base_dir = 'tests/fixtures/links-figfile'
self.command.dispatch(['run', 'web', '/bin/true'], None)
@ -144,14 +144,14 @@ class CLITestCase(DockerClientTestCase):
self.assertEqual(len(db.containers()), 1)
self.assertEqual(len(console.containers()), 0)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_with_no_deps(self, __):
self.command.base_dir = 'tests/fixtures/links-figfile'
self.command.dispatch(['run', '--no-deps', 'web', '/bin/true'], None)
db = self.project.get_service('db')
self.assertEqual(len(db.containers()), 0)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_does_not_recreate_linked_containers(self, __):
self.command.base_dir = 'tests/fixtures/links-figfile'
self.command.dispatch(['up', '-d', 'db'], None)
@ -167,7 +167,7 @@ class CLITestCase(DockerClientTestCase):
self.assertEqual(old_ids, new_ids)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_without_command(self, __):
self.command.base_dir = 'tests/fixtures/commands-figfile'
self.check_build('tests/fixtures/simple-dockerfile', tag='figtest_test')
@ -191,7 +191,7 @@ class CLITestCase(DockerClientTestCase):
[u'/bin/true'],
)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_service_with_entrypoint_overridden(self, _):
self.command.base_dir = 'tests/fixtures/dockerfile_with_entrypoint'
name = 'service'
@ -206,7 +206,7 @@ class CLITestCase(DockerClientTestCase):
u'/bin/echo helloworld'
)
@patch('dockerpty.start')
@patch('fig.packages.dockerpty.start')
def test_run_service_with_environement_overridden(self, _):
name = 'service'
self.command.base_dir = 'tests/fixtures/environment-figfile'

5
tests/integration/testcases.py
View File

@ -1,8 +1,7 @@
from __future__ import unicode_literals
from __future__ import absolute_import
from docker import Client
from fig.service import Service
from fig.cli.utils import docker_url
from fig.cli.docker_client import docker_client
from fig.progress_stream import stream_output
from .. import unittest
@ -10,7 +9,7 @@ from .. import unittest
class DockerClientTestCase(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.client = Client(docker_url())
cls.client = docker_client()
def setUp(self):
for c in self.client.containers(all=True):