From 6750d54cf787ce56ecbdfcbe3740e13d62932df0 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 27 Jan 2023 06:52:08 +0000 Subject: [PATCH 001/133] better buildkitd support --- Pollyfile | 17 +-- bin/polly | 241 ++++++++++++++++++++++++++++++++----------- lib/polly/execute.rb | 13 ++- 3 files changed, 196 insertions(+), 75 deletions(-) diff --git a/Pollyfile b/Pollyfile index a16e0b4..19df6b8 100644 --- a/Pollyfile +++ b/Pollyfile @@ -36,7 +36,7 @@ run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) app} run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner} - run %q{mkdir /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.11.1/buildkit-v0.11.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && rm -Rf /tmp/buildkit} + run %q{mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.11.1/buildkit-v0.11.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit} } # image declares container artifacts 
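Review bot: The new `run` line still fetches the buildkit release with `curl -sL` and no integrity check, so an HTTP error body is saved as buildkit.tar.gz (no `-f`) and nothing ties the pinned v0.11.1 version to an expected digest before `buildctl` is moved into /usr/local/bin of the image. Switching to `curl -fsSL -o buildkit.tar.gz "<url>"` and inserting `echo "<EXPECTED_SHA256>  buildkit.tar.gz" | sha256sum -c -` ahead of the `tar zxf` step makes the pin verifiable (the digest is a placeholder here; take it from the release's published checksums). The `cd /tmp/buildkit` fix itself looks right, since the previous line extracted into the working directory and then removed the wrong one.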
@@ -101,18 +101,21 @@ #description("For pollyci") -workflow_image = "ghcr.io/unhookd/polly:3.0-rc1" -#TODO: !!!! make this make sense to configure workflow_image = "polly:latest" +#workflow_image = "ghcr.io/unhookd/polly:3.0-rc1" +#TODO: !!!! make this make sense to configure +workflow_image = "polly:latest" @plain_workflow = plan { job("primary", [{"image"=>workflow_image}], [ {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, - {"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, - {"run"=>{"name"=>"bundler","command"=>"bundle install"}}, - {"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, - {"run"=>{"name"=>"build","command"=>"buildctl --addr kube-pod://buildkitd build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} + #{"run"=>{"name"=>"demo","command"=>"sleep 3600"}}, + #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, + #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, + #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, + #{"run"=>{"name"=>"build","command"=>"buildctl --addr kube-pod://polly-buildkitd-0 build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} + {"run"=>{"name"=>"build","command"=>"buildctl --timeout "120" --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) } diff --git a/bin/polly b/bin/polly index d2672dc..c689d3a 100755 --- a/bin/polly +++ b/bin/polly 
@@ -619,6 +619,38 @@ HEREDOC cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cname},IP:#{cname_two}", false)) cert.sign(root_key, OpenSSL::Digest::SHA256.new) + key2 = OpenSSL::PKey::RSA.new 2048 + cert2 = OpenSSL::X509::Certificate.new + cert2.version = 2 + cert2.serial = 2 + cert2.subject = OpenSSL::X509::Name.parse "/DC=org/DC=unhookd/CN=polly-buildkitd" + cert2.issuer = root_ca.subject # root CA is the issuer + cert2.public_key = key2.public_key + cert2.not_before = Time.now + cert2.not_after = cert2.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity + ef = OpenSSL::X509::ExtensionFactory.new + ef.subject_certificate = cert2 + ef.issuer_certificate = root_ca + cert2.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) + cert2.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false)) + cert2.add_extension(ef.create_extension("subjectAltName", "DNS:polly-buildkitd,IP:127.0.0.1", false)) + cert2.sign(root_key, OpenSSL::Digest::SHA256.new) + + key3 = OpenSSL::PKey::RSA.new 2048 + cert3 = OpenSSL::X509::Certificate.new + cert3.version = 2 + cert3.serial = 2 + cert3.subject = OpenSSL::X509::Name.parse "/DC=org/DC=unhookd/CN=polly-buildctl" + cert3.issuer = root_ca.subject # root CA is the issuer + cert3.public_key = key3.public_key + cert3.not_before = Time.now + cert3.not_after = cert3.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity + ef = OpenSSL::X509::ExtensionFactory.new + ef.subject_certificate = cert3 + ef.issuer_certificate = root_ca + cert3.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) + cert3.sign(root_key, OpenSSL::Digest::SHA256.new) + #key = File.read("/usr/local/etc/openssl/misc/workstation-key.pem") #cert = File.read("/usr/local/etc/openssl/misc/workstation-cert.pem") 
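Review bot: `cert2.serial = 2` and `cert3.serial = 2` issue two distinct certificates under the same issuer (`root_ca`) with the same serial number; serials must be unique per CA (RFC 5280 §4.1.2.2), and TLS stacks or caches that key on issuer+serial can conflate the daemon and client certificates or reject one of them. Whether the pre-existing `cert` on the same CA also uses serial 2 is outside the hunk. The minimal fix is `cert3.serial = 3`; a sturdier one is `cert2.serial = OpenSSL::BN.rand(64)` and likewise for `cert3`, so re-running `certificates` never collides with material already deployed. The enclosing `certificates` method starts and ends outside this hunk.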
@@ -683,6 +715,28 @@ data: ca.polly.crt: #{Base64.strict_encode64(b)} ca-certificates.crt: #{Base64.strict_encode64(c)} ... +--- +apiVersion: v1 +kind: Secret +metadata: + name: "buildkit-daemon-certs" +type: Opaque +data: + ca.pem: #{Base64.strict_encode64(b)} + cert.pem: #{Base64.strict_encode64(cert2.to_pem)} + key.pem: #{Base64.strict_encode64(key2.to_pem)} +... +--- +apiVersion: v1 +kind: Secret +metadata: + name: "buildkit-client-certs" +type: Opaque +data: + ca.pem: #{Base64.strict_encode64(b)} + cert.pem: #{Base64.strict_encode64(cert3.to_pem)} + key.pem: #{Base64.strict_encode64(key3.to_pem)} +... HEREDOC obv = ::Polly::Observe.new @@ -814,6 +868,23 @@ spec: hostPath: path: /var/tmp/polly-safe ... +HEREDOC + + polly_services << <<-HEREDOC +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: buildkitd + name: polly-buildkitd +spec: + ports: + - port: 1234 + protocol: TCP + selector: + app: buildkitd +... HEREDOC # polly_services << <<-HEREDOC @@ -903,9 +974,9 @@ metadata: app: buildkitd name: polly-buildkitd spec: - serviceName: buildkitd - podManagementPolicy: Parallel + serviceName: polly-buildkitd replicas: 1 + podManagementPolicy: Parallel selector: matchLabels: app: buildkitd 
@@ -915,46 +986,96 @@ spec: app: buildkitd annotations: container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined - # see buildkit/docs/rootless.md for caveats of rootless mode + container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined spec: + terminationGracePeriodSeconds: 180 containers: - - name: buildkitd - image: moby/buildkit:master-rootless - args: - - --oci-worker-no-process-sandbox - readinessProbe: - exec: - command: - - buildctl - - debug - - workers - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - exec: - command: - - buildctl - - debug - - workers - initialDelaySeconds: 5 - periodSeconds: 30 - securityContext: - # Needs Kubernetes >= 1.19 - seccompProfile: - type: Unconfined - # To change UID/GID, you need to rebuild the image - runAsUser: 1000 - runAsGroup: 1000 - volumeMounts: - # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too, - # but the default VOLUME does not work with rootless on Google's Container-Optimized OS - # as it is mounted with `nosuid,nodev`. 
- # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 - - mountPath: /home/user/.local/share/buildkit - name: buildkitd + - name: buildkitd + image: moby/buildkit:master-rootless + resources: + requests: + memory: 10Mi + cpu: 10m + limits: + memory: 12000Mi + args: + - --addr + - tcp://0.0.0.0:1234 + - --tlscacert + - /certs/server/ca.pem + - --tlscert + - /certs/server/cert.pem + - --tlskey + - /certs/server/key.pem + - --oci-worker=true + - --oci-worker-rootless=true + - --oci-worker-no-process-sandbox=true + - --oci-worker-gc=true + - --oci-worker-gc-keepstorage=20000 + - --oci-worker-snapshotter=overlayfs + readinessProbe: + exec: + command: + - buildctl + - --addr + - tcp://127.0.0.1:1234 + - --tlscacert + - /certs/client/ca.pem + - --tlscert + - /certs/client/cert.pem + - --tlskey + - /certs/client/key.pem + - debug + - workers + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + failureThreshold: 16 + timeoutSeconds: 30 + livenessProbe: + exec: + command: + - buildctl + - --addr + - tcp://127.0.0.1:1234 + - --tlscacert + - /certs/client/ca.pem + - --tlscert + - /certs/client/cert.pem + - --tlskey + - /certs/client/key.pem + - debug + - workers + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + failureThreshold: 16 + timeoutSeconds: 30 + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + ports: + - containerPort: 1234 + volumeMounts: + - name: "share-dir" + mountPath: /home/user/.local/share/buildkit + - name: buildkit-daemon-certs + readOnly: true + mountPath: /certs/server + - name: buildkit-client-certs + readOnly: true + mountPath: /certs/client + securityContext: + fsGroup: 1000 volumes: - - name: buildkitd - emptyDir: {} + - name: buildkit-daemon-certs + secret: + secretName: buildkit-daemon-certs + - name: buildkit-client-certs + secret: + secretName: buildkit-client-certs + - name: share-dir + emptyDir: {} ... --- apiVersion: apps/v1 
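Review bot: The rewritten buildkitd container drops the `securityContext.seccompProfile: {type: Unconfined}` block that the removed lines had and relies instead on the newly added `container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined` annotation; that annotation was deprecated in Kubernetes 1.19 and dropped in 1.27, so on current clusters the daemon would run under the runtime default seccomp profile, which the removed comment indicated rootless buildkit cannot tolerate. Restore the field form under the container's `securityContext:` — `seccompProfile:` / `  type: Unconfined` next to `runAsUser: 1000` — and treat the annotation as legacy only. The readiness and liveness probes also authenticate with the client certificate secret mounted into the daemon pod, which is workable but means the daemon pod holds the client private key as well; worth a comment if that is intentional. The StatefulSet heredoc continues outside this hunk.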
@@ -980,12 +1101,15 @@ spec: spec: serviceAccountName: polly volumes: - - name: polly-mount - persistentVolumeClaim: - claimName: polly-mount - - name: registry-certificates - secret: - secretName: registry-certificates + - name: buildkit-client-certs + secret: + secretName: buildkit-client-certs + - name: polly-mount + persistentVolumeClaim: + claimName: polly-mount + - name: registry-certificates + secret: + secretName: registry-certificates securityContext: runAsUser: 1000 fsGroup: 1000 @@ -996,11 +1120,14 @@ spec: securityContext: runAsUser: 1000 volumeMounts: - - mountPath: /polly/safe - name: polly-mount - - mountPath: /etc/ssl/private - name: registry-certificates - readOnly: true + - mountPath: /polly/safe + name: polly-mount + - mountPath: /etc/ssl/private + name: registry-certificates + readOnly: true + - mountPath: /certs/client + name: buildkit-client-certs + readOnly: true image: #{git_image} imagePullPolicy: IfNotPresent env: 
@@ -1221,19 +1348,7 @@ HEREDOC $stdout.write(generated_circleci_config_yml) when "github" - #set -e - #id app || (export DEBIAN_FRONTEND=noninteractive; export LC_ALL=C.UTF-8; export LANG=en_US; export LANGUAGE=en_US; export ACCEPT_EULA=y; apt-get update; apt-get install -y locales locales-all; apt-get clean; rm -rf /var/lib/apt/lists/*; locale-gen --purge en_US; /bin/echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale; locale-gen $LANGUAGE; dpkg-reconfigure locales; apt-get update; apt-get install -y git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby2* libruby2* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; rm -rf /var/lib/apt/lists/*; curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add; apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"; apt-get update; apt-get install -y kubectl; apt-get clean; rm -rf /var/lib/apt/lists/*; groupadd --gid 134 abc-otf; groupadd --gid 999 efg-nnn; useradd --uid 1001 --home-dir /home/app --create-home --shell /bin/bash app --groups docker,abc-otf,efg-nnn; ln -sfv /home/app/polly/bin/polly /usr/local/bin/polly; chown -R app /home/app) - ####export SSH_AUTH_SOCK=/tmp/ssh-auth.sock - ####ssh-agent -a $SSH_AUTH_SOCK > /dev/null - #chown -R app . 
- #### /home/app - ####su app -s /bin/test -- -w $SSH_AUTH_SOCK || (chmod g+w $SSH_AUTH_SOCK && chgrp 1001 $SSH_AUTH_SOCK && chgrp 1001 $(dirname $SSH_AUTH_SOCK) && chmod g+x $(dirname $SSH_AUTH_SOCK) && su app -s /bin/test -- -w $SSH_AUTH_SOCK) - ####test -z $DOCKER_CERT_PATH || (chown -R 1001 $(dirname $DOCKER_CERT_PATH)) - ####chown root:docker /var/run/docker.sock - ####su app -w SSH_AUTH_SOCK,DOCKER_CERT_PATH,DOCKER_HOST,DOCKER_MACHINE_NAME,DOCKER_TLS_VERIFY,NO_PROXY -s /bin/bash -c 'bundle exec polly build' - #su app -s /bin/bash -c 'bundle config set --local path /home/app/vendor/bundle && bundle config set --local jobs 4 && bundle config set --local retry 3 && bundle config set --local deploment true && bundle config set --local without development && bundle install' - #su app -s /bin/bash -c 'bundle exec polly generate' > Dockerfile - ####docker run --rm=true polly:latest bundle exec rspec + #TODO: re-emit githubrc file when "dockerfile" $stdout.write(Polly::Generate.read_output) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 205c9c1..87b9545 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -264,6 +264,7 @@ def start_job!(job) "mountPath" => "/polly/safe/git/#{current_app}", "name" => "git-repo" }, + ] } ], @@ -307,8 +308,9 @@ def start_job!(job) "args" => sleep_cmd_args, "volumeMounts" => [ { - "mountPath" => "/var/run/docker.sock", - "name" => "dood" + "mountPath" => "/certs/client", + "name" => "buildkit-client-certs", + "readOnly" => true }, { "mountPath" => build_manifest_dir, @@ -322,6 +324,7 @@ def start_job!(job) "mountPath" => "/var/tmp/artifacts", "name" => "build-artifacts" }, + #TODO: configurable secrets/mounts certs/ssh/tmp/etc #{ # "mountPath" => "/home/app/.ssh", # "name" => "ssh-key" 
@@ -332,9 +335,9 @@ def start_job!(job) ], "volumes" => [ { - "name" => "dood", - "hostPath" => { - "path" => "/var/run/docker.sock" + "name" => "buildkit-client-certs", + "secret" => { + "secretName" => "buildkit-client-certs" } }, { From 1201021714dd1ea263ce0eb55be05be35620095e Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 27 Jan 2023 06:56:29 +0000 Subject: [PATCH 002/133] repair bits --- Pollyfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index 19df6b8..d56180f 100644 --- a/Pollyfile +++ b/Pollyfile @@ -110,12 +110,13 @@ workflow_image = "polly:latest" [{"image"=>workflow_image}], [ {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, + {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"demo","command"=>"sleep 3600"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, #{"run"=>{"name"=>"build","command"=>"buildctl --addr kube-pod://polly-buildkitd-0 build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} - {"run"=>{"name"=>"build","command"=>"buildctl --timeout "120" --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} + {"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) } From 0982999e04b99be5da5087f21ce710fdc823b898 Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Fri, 27 Jan 2023 07:09:46 +0000 Subject: [PATCH 003/133] cleanup bits --- Pollyfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Pollyfile b/Pollyfile index d56180f..1a8e3e9 100644 --- a/Pollyfile +++ b/Pollyfile @@ -111,11 +111,9 @@ workflow_image = "polly:latest" [ {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, - #{"run"=>{"name"=>"demo","command"=>"sleep 3600"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, - #{"run"=>{"name"=>"build","command"=>"buildctl --addr kube-pod://polly-buildkitd-0 build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} {"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) From 6ee2ef0fedc587cb6ff94b1fe694d7b5d71d8530 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 16 May 2023 04:19:55 -0400 Subject: [PATCH 004/133] add varying platform vertical.yaml configuration --- bin/polly | 87 ++++++++++++++++++++++++++++++++++---------- lib/polly/build.rb | 22 ++++++++++- lib/polly/execute.rb | 35 ++++++++++++++++++ 3 files changed, 123 insertions(+), 21 deletions(-) diff --git a/bin/polly b/bin/polly index d2672dc..993d494 100755 --- a/bin/polly +++ b/bin/polly 
@@ -570,12 +570,23 @@ HEREDOC desc "certificates [PRIVATE_KEY] [PUBLIC_KEY]", "installs some common ca certificate secret material into cluster" option "namespace", :type => :string, :default => "default" option "mode", :type => :string, :default => "directory" - def certificates(inbound_ssh_key, inbound_ssh_key_pub, cname = "polly-registry", cname_two = "0.0.0.0") - inbound_ssh_key = File.read(inbound_ssh_key) - inbound_ssh_key_pub = File.read(inbound_ssh_key_pub) + def certificates(inbound_ssh_key="", inbound_ssh_key_pub="", cname = "polly-registry", cname_two = "0.0.0.0") + inbound_ssh_key = File.read(inbound_ssh_key) unless inbound_ssh_key.empty? + inbound_ssh_key_pub = File.read(inbound_ssh_key_pub) unless inbound_ssh_key_pub.empty? - key = OpenSSL::PKey::RSA.new 2048 - key_dsa = OpenSSL::PKey::DSA.new 2048 + key = OpenSSL::PKey::RSA.new 4096 + key_dsa = OpenSSL::PKey::DSA.new 4096 + + #TODO + #ssh_key = StringIO.new + #ssh_key.write(key.ssh_type) + #ssh_key.write([key.to_blob.length].pack('N')) + #ssh_key.write(key.to_blob) + #ssh_priv_key = ssh_key.string + #type = key.ssh_type + #data2 = [ key.to_blob ].pack('m0') + #openssh_format = "#{type} #{data2}" + ###puts openssh_format data = key.to_pem data_dsa = key_dsa.to_pem @@ -640,10 +651,6 @@ HEREDOC #known_hosts = File.read("/var/tmp/cheese.known_hosts") #puts known_hosts.inspect - #type = key.ssh_type - #data2 = [ key.to_blob ].pack('m0') - #openssh_format = "#{type} #{data2}" - ##puts openssh_format case options["mode"] when "k8s-secret" 
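Review bot: `key_dsa = OpenSSL::PKey::DSA.new 4096` raises the DSA size past the FIPS 186-4 parameter sets (which top out at L=3072), and modern OpenSSH no longer accepts ssh-dss keys by default, so if this key is meant for SSH it will not be usable and the generation cost is wasted; the consumer of `key_dsa` is outside the hunk, so confirm that before removing it. If the DSA key is still needed, leave it at a supported size, e.g. `key_dsa = OpenSSL::PKey::DSA.new 3072`. Separately, with the new `""` defaults `inbound_ssh_key` stays an empty string when no path is given, and any later use that expects key material (the k8s-secret output, for instance) will embed an empty value rather than failing; a `raise ArgumentError, "ssh key path required"` guard or an explicit nil would make that mode unambiguous.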
@@ -706,16 +713,21 @@ HEREDOC dir = File.join("/var/tmp", SecureRandom.uuid) FileUtils.mkdir_p(dir) - #TODO: fill in ssh bits - #File.write("#{dir}/sshd_rsa", data) + File.umask(0077) File.write("#{dir}/web-server-certificate.pem", cert) File.write("#{dir}/web-server-key.pem", key) + #TODO: sort out certificate-stack documentation + File.write("#{dir}/etc_slash_ssh_slash_ssh_host_rsa_key", key) + exe.ssh_private_key_from_rsa_private_key("#{dir}/etc_slash_ssh_slash_ssh_host_rsa_key") + File.write("#{dir}/etc_slash_ssh_slash_ssh_host_rsa_key.pub", exe.ssh_keygen_from_private_key("#{dir}/etc_slash_ssh_slash_ssh_host_rsa_key")) + File.write("#{dir}/from-workstation-ca.crt", a) File.write("#{dir}/polly-root-ca.crt", b) File.write("#{dir}/multipass-mega.crt", c) + #TODO: link with vertical.yaml specification puts "certificates will be found in #{dir}" end end @@ -1142,6 +1154,13 @@ HEREDOC exec(*["kubectl", "run", "-it", "--image=polly:latest", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", sh_cmd].compact) end + desc "whx", "workstation instance" + def whx(profile) + exe = ::Polly::Execute.new + + exec("ssh", "-AX", "app@#{exe.multipass_ip(profile)}") + end + desc "waitx", "TBD: wait for pod availability, execute subsequent command" def waitx(clean_name, *cmd) exe = ::Polly::Execute.new 
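Review bot: The same RSA private key `key` is now written both as `web-server-key.pem` (the TLS key) and as `etc_slash_ssh_slash_ssh_host_rsa_key` (the SSH host key), so one key secures two protocols and a compromise or rotation of either forces the other; generate a dedicated key for the host, e.g. `ssh_host_key = OpenSSL::PKey::RSA.new 4096` followed by `File.write("#{dir}/etc_slash_ssh_slash_ssh_host_rsa_key", ssh_host_key.to_pem)`. `File.umask(0077)` before the writes is a good addition, but note it changes the process-wide umask for the rest of the command. Whether `exe` is already initialised earlier in `certificates` is not visible in this hunk; the method begins outside it.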
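Review bot: `whx` always passes `-A` to ssh, forwarding the local agent into the multipass instance; anything running as `app` on that VM with access to the forwarded socket can then sign with every key loaded in the workstation agent. Making forwarding opt-in, e.g. `option "forward-agent", :type => :boolean, :default => false` and `exec("ssh", options["forward-agent"] ? "-AX" : "-X", "app@#{exe.multipass_ip(profile)}")`, keeps the default least-privilege while preserving the current workflow.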
@@ -1518,21 +1537,51 @@ HEREDOC end desc "launch [PROFILE]", "todo" - option "platform", :type => :string, :default => "multipass", :desc => "todo" - option "distro", :type => :string, :default => "focal" - option "public-ssh-key", :type => :string, :default => "~/.ssh/id_rsa.pub", :desc => "todo" + option "debug", :default => false, :type => :boolean + option "automatic-host-key", :default => false, :type => :boolean def launch(profile = "foo") exe = ::Polly::Execute.new vertical_lookup = YAML.load(File.read("vertical.yaml")) - public_key = File.read(File.expand_path(options["public-ssh-key"])) + station_profile = vertical_lookup["platforms"][profile] + + station_profile.each { |platform, params| + case platform + when "multipass" + #TODO: pattern-matching ruby3x jazz + raise unless (distro = params["distro"]) && (ssh = params["ssh"]) && + (client_key_pub = ssh["client_key_pub"]) && + (server_key = ssh["server_key"]) && + (server_key_pub = ssh["server_key_pub"]) + + cloud_init_yaml = ::Polly::Build.build_cloudinit_yaml(exe, vertical_lookup, File.read(client_key_pub), File.read(server_key), File.read(server_key_pub)) + + if options["debug"] + puts cloud_init_yaml + exit + end - cloud_init_yaml = ::Polly::Build.build_cloudinit_yaml(exe, vertical_lookup, public_key) + known_hosts_file = File.expand_path("~/.ssh/known_hosts") + known_hosts = File.read(known_hosts_file) if File.exists?(known_hosts_file) - multipass_launch_cmd = ["multipass", "launch", "--name", profile, "--disk=60G", "--cpus=4", "--mem=10G", "--cloud-init=-", options["distro"]] + multipass_launch_cmd = ["multipass", "launch", "--name", profile, "--disk=60G", "--cpus=4", "--memory=10G", "--cloud-init=-", distro] + multipass_options = {:out => $stdout, :err => $stderr, :in => ::Polly::Build.generated_string_fd(cloud_init_yaml)} + exe.system({}, *multipass_launch_cmd, multipass_options) + + server_key_pub_pem = File.read(server_key_pub) + known_hosts_line = "#{exe.multipass_ip(profile)} 
#{server_key_pub_pem}" + + if known_hosts && known_hosts.index(known_hosts_line) + else + if options["automatic-host-key"] || yes?("append #{known_hosts_file}?") + # echo $(ruby devstack/wkip.rb threep) $(ssh-keygen -yf tmp/threep/sshd_rsa_key) > ~/.ssh/known_hosts + File.write(known_hosts_file, (known_hosts || "") + "\n" + known_hosts_line + "\n") + end + end + + end + } - options = {:out => $stdout, :err => $stderr, :in => ::Polly::Build.generated_string_fd(cloud_init_yaml)} - exe.system({}, *multipass_launch_cmd, options) end desc "stationkeep [PROFILE]", "todo" diff --git a/lib/polly/build.rb b/lib/polly/build.rb index b4bc013..5681af2 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -227,7 +227,7 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke exec(*["kubectl", "logs", build_pod, "-f"].compact) end - def self.build_cloudinit_yaml(exe, vertical_lookup, public_ssh_key) + def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, server_key_pub) prewrites = vertical_lookup["prewrites"] users = [{ @@ -235,7 +235,7 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, public_ssh_key) 'shell' => '/bin/bash', 'groups' => 'sudo', 'sudo' => 'ALL=(ALL) NOPASSWD:ALL', - 'ssh_authorized_keys' => [public_ssh_key] + 'ssh_authorized_keys' => [client_key_pub] }] write_files = [] @@ -250,6 +250,24 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, public_ssh_key) } } + write_files << { + 'content' => server_key.strip + "\n", + 'path' => '/etc/ssh/custom_ssh_host_rsa_key', + 'permissions' => '0600' + } + + write_files << { + 'content' => server_key_pub.strip + " root@threep" + "\n", + 'path' => '/etc/ssh/custom_ssh_host_rsa_key.pub', + 'permissions' => '0600' + } + + write_files << { + 'content' => "HostKey /etc/ssh/custom_ssh_host_rsa_key" + "\n", + 'path' => '/etc/ssh/sshd_config.d/custom.conf', + 'permissions' => '0644' + } + { 'users' => users, 'write_files' => write_files 
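Review bot: `known_hosts = File.read(known_hosts_file) if File.exists?(known_hosts_file)` uses `File.exists?`, which was removed in Ruby 3.2, so `launch` raises NoMethodError on current interpreters; use `File.exist?(known_hosts_file)`. The same deprecated call is introduced again in PATCH 007's version line (`File.exists?('VERSION.major')`). The bare `raise unless (distro = params["distro"]) && ...` produces an unhelpful "unhandled exception"; `raise ArgumentError, "vertical.yaml profile #{profile} needs distro and ssh.client_key_pub/server_key/server_key_pub"` names the missing configuration. The empty `if known_hosts && known_hosts.index(known_hosts_line)` branch reads better inverted as `unless known_hosts&.include?(known_hosts_line)`.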
diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 205c9c1..2cc0809 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -126,6 +126,41 @@ def multipass_ip(profile) end end + def ssh_keygen_from_private_key(private_key) + keygen_cmd = [ + "ssh-keygen", + "-yf", + private_key + ] + + stdout_and_stderr_str, status = Open3.capture2e(*keygen_cmd) + unless status.success? + puts stdout_and_stderr_str + exit(1) + end + + stdout_and_stderr_str + end + + def ssh_private_key_from_rsa_private_key(private_key) + keygen_cmd = [ + "ssh-keygen", + "-p", + "-N", + "", + "-f", + private_key + ] + + stdout_and_stderr_str, status = Open3.capture2e(*keygen_cmd) + unless status.success? + puts stdout_and_stderr_str + exit(1) + end + + stdout_and_stderr_str + end + def start_job!(job) clean_name = (current_app + "-" + job.run_name).gsub(/[^\.a-z0-9]/, "-")[0..34] From a5dc1edddaa2b8ef1cb39a1c534aaed2602124dc Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 16 May 2023 04:20:34 -0400 Subject: [PATCH 005/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ab86df..db67844 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.0.1] - 2023-05-16 - Jon Bardin + +Add support for multi-platform launch configuration + +####### + # [2.20.0] - 2023-01-22 - Jon Bardin Test image container diff diff --git a/VERSION b/VERSION index a4cc673..971e119 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20.0 \ No newline at end of file +2.21.0 \ No newline at end of file From 7fab3aca0fc8afea584526d9e2d41bc8b7c75b6a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 16 May 2023 04:20:41 -0400 Subject: [PATCH 006/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db67844..a67982b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
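Review bot: Both new helpers return the result of `Open3.capture2e`, which merges stderr into stdout, and `ssh_keygen_from_private_key`'s return value is written verbatim to the host key's `.pub` file by `certificates` in this same commit, so any warning ssh-keygen prints (permission or format notices, for example) would be embedded in the public key file and break `HostKey` loading. Capture the streams separately and return only stdout; `exit(1)` from a library method also takes down whatever command called it, where raising lets the Thor command decide. `ssh_private_key_from_rsa_private_key` rewrites the key in place with an empty passphrase, which is the intent here but deserves a one-line comment saying so.
```ruby
def ssh_keygen_from_private_key(private_key)
  keygen_cmd = ["ssh-keygen", "-yf", private_key]

  stdout_str, stderr_str, status = Open3.capture3(*keygen_cmd)
  raise "ssh-keygen -y failed for #{private_key}: #{stderr_str}" unless status.success?

  stdout_str
end
# … unchanged: ssh_private_key_from_rsa_private_key, with the same capture3/raise treatment …
```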
@@ -1,3 +1,9 @@ +# [2.22.0] - 2023-05-16 - Jon Bardin + + + +####### + # [4.0.1] - 2023-05-16 - Jon Bardin Add support for multi-platform launch configuration diff --git a/VERSION b/VERSION index 971e119..f1270b4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.21.0 \ No newline at end of file +2.22.0 \ No newline at end of file From 115b316d6268e9d4e4f0cf40c15f0ee331d7c275 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 16 May 2023 04:22:54 -0400 Subject: [PATCH 007/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- VERSION.major | 1 + bin/polly | 2 +- 4 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 VERSION.major diff --git a/CHANGELOG.md b/CHANGELOG.md index a67982b..dc6dfe2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.23.0] - 2023-05-16 - Jon Bardin + +Add better version support + +####### + # [2.22.0] - 2023-05-16 - Jon Bardin diff --git a/VERSION b/VERSION index f1270b4..3374ced 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.22.0 \ No newline at end of file +4.23.0 \ No newline at end of file diff --git a/VERSION.major b/VERSION.major new file mode 100644 index 0000000..b8626c4 --- /dev/null +++ b/VERSION.major @@ -0,0 +1 @@ +4 diff --git a/bin/polly b/bin/polly index 993d494..98d285e 100755 --- a/bin/polly +++ b/bin/polly @@ -23,7 +23,7 @@ class PollyTasks < Thor today = Date.today.to_s username = IO.popen("git config user.name").read.strip || ENV["USER"] || "ac" template_args = [today, username] - version = "2.#{version_count + 1}.0" + version = "#{File.exists?('VERSION.major') ? File.read('VERSION.major').strip : 1}.#{version_count + 1}.0" opening_line_template = "# [#{version}] - %s - %s\n\n\n\n#{version_delim}\n" % template_args Tempfile.create(changelog) do |new_entry_tmp| From 27f6ad81cdd7a2aa01514a6cdf6075ceae987649 Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Tue, 16 May 2023 05:37:34 -0400 Subject: [PATCH 008/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- bin/polly | 10 +++++----- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc6dfe2..e561d9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.24.0] - 2023-05-16 - Jon Bardin + +repair wxh git push hooks + +####### + # [4.23.0] - 2023-05-16 - Jon Bardin Add better version support diff --git a/VERSION b/VERSION index 3374ced..2c4686f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.23.0 \ No newline at end of file +4.24.0 \ No newline at end of file diff --git a/bin/polly b/bin/polly index 98d285e..ad2a284 100755 --- a/bin/polly +++ b/bin/polly @@ -1154,8 +1154,8 @@ HEREDOC exec(*["kubectl", "run", "-it", "--image=polly:latest", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", sh_cmd].compact) end - desc "whx", "workstation instance" - def whx(profile) + desc "wxh", "workstation instance" + def wxh(profile) exe = ::Polly::Execute.new exec("ssh", "-AX", "app@#{exe.multipass_ip(profile)}") @@ -1639,7 +1639,7 @@ HEREDOC end desc "mkhooks [PROFILE]", "todo" - option "user", :type => :string, :default => "bip", :desc => "todo" + option "user", :type => :string, :default => "app", :desc => "todo" def mkhooks(profile = "foo") exe = ::Polly::Execute.new 
@@ -1658,9 +1658,9 @@ HEREDOC system("ssh", remote_user, "--", "git", "clone", "/home/#{options['user']}/workspace/#{uuid}.git", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}", "--branch", `git rev-parse --abbrev-ref HEAD`) || fail system("ssh", remote_user, "--", "ln", "-sf", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}/devstack/git-hooks", "/home/#{options['user']}/workspace/#{uuid}.git/hooks") system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{uuid}.git config", "receive.advertisePushOptions", "true") - #git config core.sshCommand 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X' + system("git", "config", "core.sshCommand", 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X') else - puts "re-init manually... git remote remove #{foo}" + puts "re-init manually... git remote remove #{profile}" #system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}", "pull") #system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}", "show") #system("ssh", remote_user, "--", "git", "--git-dir", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}/.git", "pull") From e57628438050caac3da5cd6ea6daa5688ee3d2ab Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 16 May 2023 21:00:46 -0400 Subject: [PATCH 009/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- lib/polly/build.rb | 9 ++++++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e561d9a..8ddd768 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.25.0] - 2023-05-16 - Jon Bardin + +Allow `host-aliases` block to be defined and written out to /etc/hosts via cloud-init + +####### + # [4.24.0] - 2023-05-16 - Jon Bardin repair wxh git push hooks 
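Review bot: The new `system("git", "config", "core.sshCommand", 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X')` turns the previously commented-out line into live configuration that disables host-key verification for every push to this remote while also forwarding the agent, so a spoofed or re-addressed VM would receive both the repository contents and use of the workstation's agent. PATCH 004 in this same series went to the trouble of recording the instance's host key in ~/.ssh/known_hosts, so the known-hosts bypass is no longer needed; `'ssh -o ForwardAgent=yes -X'` keeps the forwarding behaviour and restores verification. The `#{profile}` correction in the `else` branch is right, since `foo` was not in scope.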
diff --git a/VERSION b/VERSION index 2c4686f..71cf366 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.24.0 \ No newline at end of file +4.25.0 \ No newline at end of file diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 5681af2..5663b45 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -268,9 +268,16 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, 'permissions' => '0644' } + write_files << { + 'content' => "127.0.1.1 $hostname $hostname\n127.0.0.1 localhost\n" + vertical_lookup["host-aliases"].collect { |ha| ha["hostnames"].collect { |hn| ha["ip"] + " " + hn }.join("\n") }.join("\n") + "" + "\n", + 'path' => '/etc/cloud/templates/hosts.debian.tmpl', + 'permissions' => '0644' + } + { 'users' => users, - 'write_files' => write_files + 'write_files' => write_files, + 'manage_etc_hosts' => true }.to_yaml end end From a0f9d12f1df426121096c46fd84349cdf71f6c23 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 04:17:19 -0400 Subject: [PATCH 010/133] more ux and code improvement --- bin/polly | 99 ++++++++++++++++++++------------------------ lib/polly/build.rb | 59 +++++++++++++++++--------- lib/polly/config.rb | 2 +- lib/polly/execute.rb | 3 +- 4 files changed, 87 insertions(+), 76 deletions(-) diff --git a/bin/polly b/bin/polly index ad2a284..b1e94bf 100755 --- a/bin/polly +++ b/bin/polly @@ -430,7 +430,6 @@ HEREDOC desc "build [container_def]", "Build the current working directory's Dockerfile" #? option "run", :type => :string, :default => nil #? option "push", :type => :string, :default => nil - #option "docker-config-json", :type => :string, :default => nil option "cache", :type => :boolean, :default => true option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false 
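Review bot: `vertical_lookup["host-aliases"].collect` raises NoMethodError on nil for any vertical.yaml that has no `host-aliases` block, which turns an optional feature (per the changelog) into a hard requirement. Wrap it as `Array(vertical_lookup["host-aliases"])` and the nested `collect`/`join` pair reads more simply as `host_lines = Array(vertical_lookup["host-aliases"]).flat_map { |ha| ha["hostnames"].map { |hn| "#{ha['ip']} #{hn}" } }` with `'content' => "127.0.1.1 $hostname $hostname\n127.0.0.1 localhost\n" + host_lines.join("\n") + "\n"` (the trailing `+ ""` is a no-op). Replacing `/etc/cloud/templates/hosts.debian.tmpl` wholesale also appears to drop the IPv6 loopback entries the stock template carries; confirm that is acceptable for the target images.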
@@ -453,7 +452,10 @@ HEREDOC Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) generated_dockerfile = Polly::Generate.read_output elsif container_definition == "-" && File.exists?(default_dockerfile) - generated_dockerfile = File.read(default_dockerfile) + #generated_dockerfile = File.read(default_dockerfile) + raise if version.empty? + Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, options["no-cache"]) + exit else generated_dockerfile = File.read(container_definition) sub_version = container_definition.split(".").last 
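Review bot: The bare `raise if version.empty?` inserted before `buildkit_workstation_to_controller` surfaces as an unlabelled `RuntimeError`, which is what a user sees when the working tree yields no revision; `raise ArgumentError, "cannot build: version is empty"` names the condition. The `exit` that follows makes the `-` path terminal while the other branches fall through to the rest of the command (outside this hunk), so the branches now diverge silently; a one-line comment such as `# workstation build is pushed by buildkitd; nothing further to do here` would make that intentional. `File.exists?` on the context line is deprecated in favour of `File.exist?`. The enclosing method begins before this hunk.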
@@ -464,50 +466,12 @@ HEREDOC if options["in-cluster"] Polly::Generate.all_images.each { |build_image| - puts app.inspect Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) } else - #build_dockerfile = [ - # {"DOCKER_BUILDKIT" => "1", "SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, - # "docker", "build", "--progress=plain", "--ssh", "default", - # options["no-cache"] ? "--no-cache" : nil, "-t", - # app + ":" + version, ".", "-f", "-", generated_dockerfile.nil? ? {:in => File.open(container_definition) } : {:in => generated_dockerfile} - #].compact - - #build_dockerfile = [ - # {"DOCKER_BUILDKIT" => "1", "SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, - # "docker", "build", "--progress=plain", "--ssh", "default", - # options["no-cache"] ? "--no-cache" : nil, "-t", - # app + ":" + version, ".", "-f", "-", generated_string_fd.nil? ? {:in => File.open(container_definition) } : {:in => generated_string_fd} - #].compact - - #Polly::Generate.all_images.each { |build_image| - # Polly::Build.buildkit_external(exe, app, build_image.stage, version, generated_dockerfile, options["no-cache"]) - #} - raise if version.empty? 
- Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) - - tag_dockerfile = ["docker", "tag", app + ":wkndr-" + version, app + ":latest"] - exe.systemx(*tag_dockerfile) - - tag_dockerfile = ["docker", "tag", app + ":wkndr-" + version, app + ":git-latest"] - exe.systemx(*tag_dockerfile) - - tag_dockerfile = ["docker", "tag", app + ":wkndr-" + version, "localhost/" + app + ":git-latest"] - exe.systemx(*tag_dockerfile) end - - #if options["push"] - # tag_dockerfile = ["docker", "tag", app + ":" + version, options["push"] + "/" + app + ":" + version] - # puts tag_dockerfile - # exe.systemx(*tag_dockerfile) - - # push_dockerfile = ["docker", "push", options["push"] + "/" + app + ":" + version] - # exe.systemx(*push_dockerfile) - #end end # desc "checkout [REPO] [VERSION] [DESTINATION]", "" @@ -651,6 +615,9 @@ HEREDOC #known_hosts = File.read("/var/tmp/cheese.known_hosts") #puts known_hosts.inspect + #TODO: !!! + #ssh_key: #{Base64.strict_encode64(inbound_ssh_key || "")} + #ssh_key_pub: #{Base64.strict_encode64(inbound_ssh_key_pub || "")} case options["mode"] when "k8s-secret" @@ -666,8 +633,6 @@ data: dsa: #{Base64.strict_encode64(data_dsa)} dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} - ssh_key: #{Base64.strict_encode64(inbound_ssh_key)} - ssh_key_pub: #{Base64.strict_encode64(inbound_ssh_key_pub)} ... --- apiVersion: v1 @@ -808,7 +773,7 @@ spec: resources: requests: storage: 10Gi - storageClassName: local-storage + storageClassName: local-path ... --- apiVersion: v1 @@ -822,7 +787,7 @@ spec: storage: 10Gi accessModes: - ReadWriteMany - storageClassName: local-storage + storageClassName: local-path hostPath: path: /var/tmp/polly-safe ... 
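Review bot: After the removals in the `@@ -464` hunk the `else` branch of `if options["in-cluster"]` contains only `raise if version.empty?`, so a named container definition built outside the cluster is read into `generated_dockerfile` and then nothing is built, tagged or pushed, and the command exits 0 with no image. If that is intended the branch should say so (`# out-of-cluster builds of explicit definitions are not supported; see the "-" path`), otherwise it should call `Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, options["no-cache"])` like the `-` path added elsewhere in this commit. In the `@@ -651` hunk the `#TODO: !!!` comment about `ssh_key` would be more useful if it stated why the inbound key was dropped from the secret. The enclosing method begins before these hunks.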
@@ -908,6 +873,18 @@ HEREDOC polly_deployments << <<-HEREDOC --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: polly-buildkitd-configuration +data: + buildkitd.toml: |- + debug = true + [registry."polly-registry:443"] + ca=["/certs/ca.polly.crt"] + insecure = true +... +--- apiVersion: apps/v1 kind: StatefulSet metadata: @@ -924,6 +901,7 @@ spec: template: metadata: labels: + name: polly-buildkitd app: buildkitd annotations: container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined @@ -964,17 +942,28 @@ spec: # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 - mountPath: /home/user/.local/share/buildkit name: buildkitd + - name: configurations + subPath: buildkitd.toml + mountPath: /home/user/.config/buildkit/buildkitd.toml + - name: ca-certificates + mountPath: /certs volumes: - name: buildkitd emptyDir: {} + - name: configurations + configMap: + name: polly-buildkitd-configuration + - name: ca-certificates + secret: + secretName: ca-certificates ... --- apiVersion: apps/v1 kind: Deployment metadata: - name: polly-git + name: polly-controller labels: - app: polly-git + app: polly-controller stack: polly spec: revisionHistoryLimit: 1 @@ -983,11 +972,11 @@ spec: replicas: 1 selector: matchLabels: - name: polly-git + name: polly-controller template: metadata: labels: - name: polly-git + name: polly-controller stack: polly spec: serviceAccountName: polly @@ -1004,7 +993,7 @@ spec: #supplementalGroups: [121, 123, 134, 999, 1000, 1001] initContainers: containers: - - name: polly-git + - name: polly-controller securityContext: runAsUser: 1000 volumeMounts: 
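Review bot: The new `polly-buildkitd-configuration` ConfigMap both supplies a CA for `polly-registry:443` (`ca=["/certs/ca.polly.crt"]`) and sets `insecure = true`, which tells buildkitd to accept that registry without TLS verification, so the CA mounted from the `ca-certificates` secret in the same section is never actually enforced. Drop `insecure = true` and let the CA validate the registry; if it is needed only for bring-up, a TOML comment saying so and when it can be removed keeps it from becoming permanent. `debug = true` is likewise a permanent setting in the default manifest and is worth a comment or a removal. The rename to `polly-controller` is consistent across the Deployment selector, template label and container name here.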
@@ -1131,27 +1120,27 @@ HEREDOC o,e,s = exe.execute_simple(:output, deploy_polly_app, options) puts [o, e, s] - wait_polly_app = ["kubectl", "wait", "--for=condition=available", "deployment/polly-git"] + wait_polly_app = ["kubectl", "wait", "--for=condition=available", "deployment/polly-controller"] o,e,s = exe.execute_simple(:output, wait_polly_app, {}) puts [o, e, s] - wait_polly_app = ["kubectl", "rollout", "status", "deployment/polly-git"] + wait_polly_app = ["kubectl", "rollout", "status", "deployment/polly-controller"] o,e,s = exe.execute_simple(:output, wait_polly_app, {}) puts [o, e, s] end desc "xxh", "debug shell into polly controller" - def xxh(sh_cmd = "bash") + def xxh(service = "git", sh_cmd = "sh") exe = ::Polly::Execute.new - exec(*["kubectl", "exec", exe.polly_pod, "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) + exec(*["kubectl", "exec", exe.polly_pod(service), "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) end desc "shh", "debug instance of polly controller" def shh(sh_cmd = "bash") exe = ::Polly::Execute.new - exec(*["kubectl", "run", "-it", "--image=polly:latest", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", sh_cmd].compact) + exec(*["kubectl", "run", "shh", "-it", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", sh_cmd].compact) end desc "wxh", "workstation instance" @@ -1487,7 +1476,7 @@ HEREDOC if options["build"] buildctl_local_cmd = [ "buildctl", - "--addr", "kube-pod://buildkitd-0?namespace=#{namespace}", + "--addr", "kube-pod://polly-buildkitd-0?namespace=#{namespace}", "build", "--ssh", "default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 5681af2..71088e1 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -2,7 +2,6 @@ module Polly class Build - def self.build_image_to_tag(app, build_image_stage, version) app + ":" + build_image_stage + "-" + version end 
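Review bot: `def xxh(service = "git", sh_cmd = "sh")` defaults to `service = "git"`, but this same commit renames the Deployment and its `name` label to `polly-controller` and changes `polly_pod`'s default to `"controller"` in `lib/polly/execute.rb`, so `polly xxh` with no arguments looks up `name=polly-git` and finds no running pod. Change the default to `def xxh(service = "controller", sh_cmd = "sh")`. In `shh`, the image is now `ghcr.io/unhookd/polly:master`, a mutable tag pulled with `IfNotPresent`, so two workstations can get different debug shells for the same command; pinning a version tag as the `--with-bootstrap` default does elsewhere on this page gives reproducible behaviour.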
@@ -14,28 +13,50 @@ def self.generated_string_fd(generated_dockerfile) fd end - def self.buildkit_external(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) + def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version, force_no_cache) + #file = Tempfile.new('Dockerfile', Dir.pwd) + #file.write(generated_dockerfile) + #file.rewind + #puts file.path tag = build_image_to_tag(app, build_image_stage, version) - - build_dockerfile = [ - {"DOCKER_BUILDKIT" => "1", "SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, - "docker", "build", "--progress=plain", "--ssh", "default", - force_no_cache ? "--no-cache" : nil, - #"--target", build_image_stage, - "-t", tag, - "-f", "-", - ".", - {:in => generated_string_fd(generated_dockerfile)} - ].compact - - #o,e,s = exe.execute_simple(:output, build_dockerfile, io_options) - #puts [o, e] - puts build_dockerfile.inspect - exe.systemx(*build_dockerfile) - + buildctl_local_cmd = [ + {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, + "buildctl", + "--addr", "kube-pod://polly-buildkitd-0", + "build", + "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + "--frontend", "dockerfile.v0", + "--local", "context=.", "--local", "dockerfile=.", + "--output", "type=image,name=polly-registry:443/polly-registry/#{tag},push=true" + ] + puts buildctl_local_cmd.inspect + exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" end + def self.buildkit_external(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) + raise + ##file = Tempfile.new('Dockerfile', Dir.pwd) + ##file.write(generated_dockerfile) + ##file.rewind + ##puts file.path + #tag = build_image_to_tag(app, build_image_stage, version) + #buildctl_local_cmd = [ + # {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, + # "buildctl", + # "--addr", "kube-pod://polly-buildkitd-0", + # "build", + # "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + # "--frontend", "dockerfile.v0", + # "--local", 
"context=.", "--local", "dockerfile=.", #"--opt", "filename=#{File.basename(file.path)}", + # "--output", "type=image,name=polly-registry:443/polly-registry/#{tag},push=true" #, + # #{:in => generated_string_fd(generated_dockerfile)} + #] + #puts buildctl_local_cmd.inspect + #exe.systemx(*buildctl_local_cmd) + #puts "Built and tagged: #{tag} OK" + end + def self.buildkit_internal(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) tag = build_image_to_tag(app, build_image_stage.stage, version) stage = app + "-" + build_image_stage.stage diff --git a/lib/polly/config.rb b/lib/polly/config.rb index a598ef7..04e5de4 100644 --- a/lib/polly/config.rb +++ b/lib/polly/config.rb @@ -11,7 +11,7 @@ def self.rc end def self.allowed_contexts - rc["allowed_contexts"] || ["polly-ci", "kubernetes-admin@kubernetes"] + rc["allowed_contexts"] || ["polly-ci", "kubernetes-admin@kubernetes", "default"] end def self.image_repo diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 2cc0809..1d3aee3 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -957,7 +957,8 @@ def execute_procfile(working_directory, procfile, obv = ::Polly::Observe.new) $stdout.write($/) end - def polly_pod(label = "name=#{POLLY}-git") + def polly_pod(service = "controller") + label = "name=#{POLLY}-#{service}" @polly_pods ||= {} @polly_pods[label] ||= begin cmd = "kubectl get pods --field-selector=status.phase=Running -l #{label} -o name | cut -d/ -f2" From 873f3240d268bdbdf3a7fdad67766d9b392dea90 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 04:31:10 -0400 Subject: [PATCH 011/133] ux tweaks --- bin/polly | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index b1e94bf..ccc1e50 100755 --- a/bin/polly +++ b/bin/polly @@ -772,7 +772,7 @@ spec: - ReadWriteMany resources: requests: - storage: 10Gi + storage: 5Gi storageClassName: local-path ... --- 
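Review bot: `buildkit_workstation_to_controller` accepts `force_no_cache` but never uses it, so `--no-cache` from the CLI is silently ignored on this path; add `force_no_cache ? "--no-cache" : nil,` to `buildctl_local_cmd` and `.compact` the array, as the removed `docker build` command did. `buildkit_external` is reduced to a bare `raise` above twenty lines of commented code; either delete it or make the failure explicit with `raise NotImplementedError, "use buildkit_workstation_to_controller"`. Dropping the `generated_dockerfile` parameter means the build always reads `--local dockerfile=.`, so a Pollyfile-generated Dockerfile cannot reach this path; the method's header comment should state that. The `--output` target `polly-registry:443/polly-registry/#{tag}` is also hard-coded here and in `bin/polly`; a shared constant would keep them in step.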
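Review bot: Adding `"default"` to the hard-coded fallback in `Config.allowed_contexts` widens the allow-list with a context name that k3s and other tools commonly generate, so the check no longer distinguishes the intended cluster from any other cluster whose kubeconfig uses that name. If the k3s workstation needs it, set `allowed_contexts` in that workstation's rc file (the `rc[...]` lookup already exists for this) or give the context an explicit name when the kubeconfig is generated, rather than relaxing the default for every install. A comment on the fallback listing why each entry is there would make future additions deliberate.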
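Review bot: `polly_pod(service)` now interpolates the caller-supplied `service` into a shell string (`cmd = "kubectl get pods --field-selector=status.phase=Running -l #{label} -o name | cut -d/ -f2"`), so whatever is passed to `polly xxh <service>` reaches the shell unquoted; the body that runs `cmd` is outside this hunk, so I cannot tell whether it goes through `sh`. Even for a local CLI argument the argv form avoids the question, e.g. `Open3.capture2("kubectl", "get", "pods", "--field-selector=status.phase=Running", "-l", label, "-o", "name")` followed by `.lines.map { |l| l.strip.split("/").last }` in place of the `cut`. The memoisation key stays `label`, which is correct now that several services are looked up. The method continues outside the hunk.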
@@ -784,7 +784,7 @@ metadata: stack: polly spec: capacity: - storage: 10Gi + storage: 5Gi accessModes: - ReadWriteMany storageClassName: local-path @@ -890,6 +890,7 @@ kind: StatefulSet metadata: labels: app: buildkitd + stack: polly name: polly-buildkitd spec: serviceName: buildkitd @@ -903,6 +904,7 @@ spec: labels: name: polly-buildkitd app: buildkitd + stack: polly annotations: container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined # see buildkit/docs/rootless.md for caveats of rootless mode From ae468626c0ee4aa496b5cd0193cbe3cfb9e1d75a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 05:02:00 -0400 Subject: [PATCH 012/133] more ux cleanup --- bin/polly | 76 ++++++++++++++++++---------------------------- lib/polly/build.rb | 6 ---- 2 files changed, 30 insertions(+), 52 deletions(-) diff --git a/bin/polly b/bin/polly index ccc1e50..610df9f 100755 --- a/bin/polly +++ b/bin/polly @@ -108,8 +108,8 @@ class PollyTasks < Thor end end - if options["u"] === true - if exe.systemx("git", "push", "-u", "origin", "HEAD") + if options["u"] + if exe.systemx("git", "push", "-u", options["u"], "HEAD") exit(0) end end @@ -404,29 +404,6 @@ class PollyTasks < Thor #end end - desc "docker-config", "installs docker-config-json secret" - def docker_config - exe = ::Polly::Execute.new - - docker_config_secret = [] - docker_config_secret << <<-HEREDOC ---- -apiVersion: v1 -kind: Secret -metadata: - name: docker-config -type: Opaque -data: - config.json: #{Base64.strict_encode64($stdin.read)} -... -HEREDOC - - apply_job = ["kubectl", "apply", "-f", "-"] - options = {:stdin_data => docker_config_secret.join} - o,e,s = exe.execute_simple(:output, apply_job, options) - puts [o, e] - end - desc "build [container_def]", "Build the current working directory's Dockerfile" #? option "run", :type => :string, :default => nil #? option "push", :type => :string, :default => nil 
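Review bot: `exe.systemx("git", "push", "-u", options["u"], "HEAD")` now uses `options["u"]` as the remote name, but the replaced condition `options["u"] === true` suggests the option is declared as a boolean (its `option` declaration is outside this hunk); if it still is, `polly ... -u` runs `git push -u true HEAD`. Confirm the declaration is now `:type => :string` with a description naming the remote, and consider a guard such as `raise ArgumentError, "-u needs a remote name" if options["u"] == true`. Passing the value as a separate argv element, as done here, is the right shape for a user-supplied remote. The enclosing method starts before this hunk.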
@@ -1138,11 +1115,11 @@ HEREDOC exec(*["kubectl", "exec", exe.polly_pod(service), "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) end - desc "shh", "debug instance of polly controller" - def shh(sh_cmd = "bash") + desc "shr", "run a polly shell" + def shr(shr_cmd = "bash") exe = ::Polly::Execute.new - exec(*["kubectl", "run", "shh", "-it", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", sh_cmd].compact) + exec(*["kubectl", "run", "shr", "-it", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) end desc "wxh", "workstation instance" 
@@ -1508,24 +1485,31 @@ HEREDOC end end - #TODO: detect other repo categories to login different mech - desc "login [REPO]", "utility to authenticate to docker repo" - def login(repo_registry_url = nil) - exe = ::Polly::Execute.new - vertical_lookup = YAML.load(File.read("vertical.yaml")) - repo_registry = vertical_lookup["repo-registry"] - - docker_login_password = IO.popen("aws ecr get-login-password").read - Process.wait - unless $?.success? - exit(1) - end - - docker_login_cmd = ["docker", "login", "--username", "AWS", "--password-stdin", repo_registry] - options = {:stdin_data => docker_login_password} - o,e,s = exe.execute_simple(:output, docker_login_cmd, options) - puts [o, e, s] - end + ##TODO: re-impl without /usr/bin/docker + ##mkdir -p ~/.docker + ##kubectl create secret docker-registry --dry-run=client docker-regcred \ + ## --docker-server=XXX/repo \ + ## --docker-username=AWS \ + ## --docker-password=${PASSWORD} \ + ## --namespace=xxx \ + ## -o json | jq -r '.data.".dockerconfigjson"' | base64 -d > ~/.docker/config.json + #desc "login [REPO]", "utility to authenticate to docker repo" + #def login(repo_registry_url = nil) + # exe = ::Polly::Execute.new + # vertical_lookup = YAML.load(File.read("vertical.yaml")) + # repo_registry = vertical_lookup["repo-registry"] + + # docker_login_password = IO.popen("aws ecr get-login-password").read + # Process.wait + # unless $?.success? + # exit(1) + # end + + # docker_login_cmd = ["docker", "login", "--username", "AWS", "--password-stdin", repo_registry] + # options = {:stdin_data => docker_login_password} + # o,e,s = exe.execute_simple(:output, docker_login_cmd, options) + # puts [o, e, s] + #end desc "launch [PROFILE]", "todo" option "debug", :default => false, :type => :boolean diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 71088e1..4656e87 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
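Review bot: The `login` command is replaced by a commented-out copy of itself plus a commented shell recipe instead of being removed; git history already preserves the old implementation, and commented code drifts from the live code (the `docker` dependency it relied on is the stated reason for removing it). Delete the block and keep a single `#TODO: re-impl login without /usr/bin/docker (kubectl create secret docker-registry --dry-run=client ...)` line, or keep the command and have it `raise NotImplementedError, "login is being reimplemented without docker"` so `polly login` fails with a clear message rather than becoming an unknown command. The recipe's `--docker-password=${PASSWORD}` also puts the credential on a command line; when it is reimplemented, pass it via stdin as the old code did.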
@@ -179,9 +179,6 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke runAsUser: 1000 runAsGroup: 1000 volumeMounts: - #- mountPath: /home/user/.docker/config.json - # subPath: config.json - # name: docker-config - mountPath: /tmp/#{app}/Dockerfile subPath: Dockerfile name: polly-dockerfile-#{app} @@ -198,9 +195,6 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke subPath: ca-certificates.crt name: ca-certificates volumes: - #- name: docker-config - # secret: - # secretName: docker-config - name: polly-dockerfile-#{app} configMap: name: polly-dockerfile-#{app} From 1e25840661eced4c135fa19077680f4556f0ddaf Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 05:20:55 -0400 Subject: [PATCH 013/133] update ux --- README.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.md b/README.md index 910c151..ea5d183 100644 --- a/README.md +++ b/README.md @@ -116,12 +116,6 @@ exec's into the polly controller deployement to provide a debugging interactive prints logs of polly controller deployement for debugging -# polly docker-config - -accepts on STDIN a `~/.docker/config.json` document, and creates a specific secret for allowin fetching from private repos in private clusters. - -TBD: allow STDIN creation of a variety of configMap/secretMap resources (SEE: `polly certificate`) - # polly key TBD: manages authentication From 9aa47443c3a132d25768621bdc6f8653365463b0 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 05:35:40 -0400 Subject: [PATCH 014/133] add private k3s registry build bits --- lib/polly/build.rb | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 4656e87..006891c 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
@@ -282,6 +282,48 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, 'path' => '/etc/ssh/sshd_config.d/custom.conf', 'permissions' => '0644' } +#mirrors: +# "docker.io": +# endpoint: +# - "https://polly-registry:443" +# "polly-registry": +# endpoint: +# - "https://polly-registry:443" +#configs: +# "polly-registry:443": +# tls: +# #cert_file: # path to the cert file used in the registry +# #key_file: # path to the key file used in the registry +# ca_file: /home/app/workspace/polly/ca # path to the ca file used in the registry + polly_registry_k3s_config = { + "mirrors" => { + "docker.io" => { + "endpoint" => [ + "https://polly-registry:443" + ] + }, + "polly-registry" => { + "endpoint" => [ + "https://polly-registry:443" + ] + } + }, + "configs" => { + "polly-registry:443" => { + "tls" => { + "ca_file" => "/home/app/workspace/polly/ca" + } + } + } + } + + write_files << { + 'content' => YAML.dump(polly_registry_k3s_config), + 'path' => '/etc/rancher/k3s/registries.yaml', + 'permissions' => '0644' + } + + { 'users' => users, From 2f0a3658f2981ca0ce1794c1ba0cb2a8d94904bc Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 20:04:19 -0400 Subject: [PATCH 015/133] add polly rxn --- bin/polly | 22 ++++++++++++++++++++++ lib/polly/build.rb | 3 ++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 610df9f..ff06272 100755 --- a/bin/polly +++ b/bin/polly 
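Review bot: The new `polly_registry_k3s_config` mirrors `docker.io` to `https://polly-registry:443`, so every public Docker Hub pull on the k3s node is redirected to the private registry; nothing in this hunk or in the registry manifests elsewhere on this page configures that registry as a pull-through cache, so public images would fail to pull (later commits on this page comment the `docker.io` entry out, which points the same way). Keep only the `"polly-registry"` mirror unless a proxy is set up. The 13-line `#mirrors:` comment block duplicates the Ruby hash and will drift; replace it with one line, `# rendered to /etc/rancher/k3s/registries.yaml so k3s trusts the in-cluster registry`. `ca_file` points at the fixed path `/home/app/workspace/polly/ca`; a comment on which step places the CA there would help. The enclosing `build_cloudinit_yaml` starts before this hunk.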
@@ -1122,6 +1122,28 @@ HEREDOC exec(*["kubectl", "run", "shr", "-it", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) end + desc "rxn", "run app pod" + def rxn(rxn_cmd = "bash") + exe = ::Polly::Execute.new + + vertical_lookup = YAML.load(File.read("vertical.yaml")) + environment_overrides = vertical_lookup["environment-overrides"] + + env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } + + version = exe.current_revision + branch = exe.current_branch + app = exe.current_app + image_repo = Polly::Config.image_repo + + tag = Polly::Build.build_image_to_tag(app, "wkndr", version) + + cmd = ["kubectl", "run", "rxn", "-it", *env_flags, "--image=polly-registry:443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + #puts cmd.inspect + + exec(*cmd) + end + desc "wxh", "workstation instance" def wxh(profile) exe = ::Polly::Execute.new diff --git a/lib/polly/build.rb b/lib/polly/build.rb index bcf574f..377f268 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -14,6 +14,7 @@ def self.generated_string_fd(generated_dockerfile) end def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version, force_no_cache) + #TODO: figure out refactor for stdin/generated container image specification #file = Tempfile.new('Dockerfile', Dir.pwd) #file.write(generated_dockerfile) #file.rewind 
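Review bot: In the new `rxn` command `branch` and `image_repo` are assigned and never used, and `.compact` on `cmd` is a no-op since the array contains no `nil`; remove the two locals and the `.compact`. `env_flags` builds `--env=NAME=VALUE` straight from `vertical.yaml`'s `environment-overrides`; as `exec` receives them as separate argv elements that is safe, but a one-line comment noting that names and values are taken verbatim from the vertical file would save the next reader checking. The image reference `polly-registry:443/polly-registry/#{tag}` duplicates the string in `Build.buildkit_workstation_to_controller`; a shared helper for the registry prefix would keep the two in step (they are edited in lockstep later on this page).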
@@ -24,12 +25,12 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "buildctl", "--addr", "kube-pod://polly-buildkitd-0", "build", + "--progress=plain", "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", "--output", "type=image,name=polly-registry:443/polly-registry/#{tag},push=true" ] - puts buildctl_local_cmd.inspect exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" end From 9437307651a1a22142d491ff368a02a7ff5254b7 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 18 May 2023 20:17:23 -0400 Subject: [PATCH 016/133] repair in-cluster k8s registry --- bin/polly | 87 +++++++++++++++++++++++++++------------------- lib/polly/build.rb | 10 +++--- 2 files changed, 56 insertions(+), 41 deletions(-) diff --git a/bin/polly b/bin/polly index 610df9f..f61ef9f 100755 --- a/bin/polly +++ b/bin/polly @@ -1539,7 +1539,7 @@ HEREDOC known_hosts_file = File.expand_path("~/.ssh/known_hosts") known_hosts = File.read(known_hosts_file) if File.exists?(known_hosts_file) - multipass_launch_cmd = ["multipass", "launch", "--name", profile, "--disk=60G", "--cpus=4", "--memory=10G", "--cloud-init=-", distro] + multipass_launch_cmd = ["multipass", "launch", "--name", profile, "--disk=100G", "--cpus=4", "--memory=10G", "--cloud-init=-", distro] multipass_options = {:out => $stdout, :err => $stderr, :in => ::Polly::Build.generated_string_fd(cloud_init_yaml)} exe.system({}, *multipass_launch_cmd, multipass_options) @@ -1560,7 +1560,7 @@ HEREDOC end desc "stationkeep [PROFILE]", "todo" - def stationkeep(profile = "foo") + def stationkeep(profile = "foo", substation = nil) exe = ::Polly::Execute.new vertical_lookup = YAML.load(File.read("vertical.yaml")) 
@@ -1568,45 +1568,55 @@ HEREDOC multipass_ip = exe.multipass_ip(profile) + if substation + stationkeeps = stationkeeps.select { |stationkeep| stationkeep["name"] == substation } + end + stationkeeps.each { |stationkeep| - if bootstrap = stationkeep["bootstrap"] - bootstrap_script = File.read(bootstrap) - shebang = bootstrap_script.split("\n")[0].split("!", 2)[1].split(" ") - - options = {:stdin_data => bootstrap_script} - ssh_pipe = ["ssh", "app@#{multipass_ip}", "sudo", *shebang] - stdin, stdout, stderr, wait_thr = Open3.popen3(*ssh_pipe) - stdin.write(options[:stdin_data]) - stdin.close - - resolution = :ok - begin - until wait_thr.join(1.0 / 24.0) - if bits = begin - stdout.readpartial(8192) - rescue EOFError - end - - $stdout.write(bits) - end - end - rescue Interrupt - Process.kill("INT", wait_thr.pid) - $stderr.write(stderr.read) - resolution = :interrupt - end + sudo = false + if bootstrap = stationkeep["root"] + sudo = true + elsif bootstrap = stationkeep["app"] + else + raise + end + + bootstrap_script = File.read(bootstrap) + shebang = bootstrap_script.split("\n")[0].split("!", 2)[1].split(" ") - $stdout.write(stdout.read) unless stdout.eof? - #$stderr.write(stderr.read) unless stderr.eof? + options = {:stdin_data => bootstrap_script} + ssh_pipe = ["ssh", "-AX", "app@#{multipass_ip}", sudo ? "sudo" : nil, *shebang].compact + stdin, stdout, stderr, wait_thr = Open3.popen3(*ssh_pipe) + stdin.write(options[:stdin_data]) + stdin.close - unless wait_thr.value.success? - puts wait_thr.value.inspect - puts stderr.read - resolution = :errored + resolution = :ok + begin + until wait_thr.join(1.0 / 24.0) + if bits = begin + stdout.readpartial(8192) + rescue EOFError + end + + $stdout.write(bits) + end end + rescue Interrupt + Process.kill("INT", wait_thr.pid) + $stderr.write(stderr.read) + resolution = :interrupt + end + + $stdout.write(stdout.read) unless stdout.eof? + #$stderr.write(stderr.read) unless stderr.eof? 
- break unless resolution == :ok + unless wait_thr.value.success? + puts wait_thr.value.inspect + puts stderr.read + resolution = :errored end + + break unless resolution == :ok } puts @@ -1633,7 +1643,12 @@ HEREDOC system("ssh", remote_user, "--", "git", "clone", "/home/#{options['user']}/workspace/#{uuid}.git", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}", "--branch", `git rev-parse --abbrev-ref HEAD`) || fail system("ssh", remote_user, "--", "ln", "-sf", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}/devstack/git-hooks", "/home/#{options['user']}/workspace/#{uuid}.git/hooks") system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{uuid}.git config", "receive.advertisePushOptions", "true") - system("git", "config", "core.sshCommand", 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X') + + polly_ssh_config_d = "#{Dir.home}/.ssh/polly_config.d" + Dir.mkdir_p(polly_ssh_config_d) + File.write(File.join(polly_ssh_config_d, profile), "Host #{multipass_ip}\n ForwardAgent yes") + + #system("git", "config", "remote.#{profile}.sshCommand", 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X') else puts "re-init manually... git remote remove #{profile}" #system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}", "pull") diff --git a/lib/polly/build.rb b/lib/polly/build.rb index bcf574f..d4e04c9 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
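Review bot: `ssh_pipe = ["ssh", "-AX", "app@#{multipass_ip}", sudo ? "sudo" : nil, *shebang]` now forwards the SSH agent (`-A`) and X11 (`-X`) into every bootstrap run, including the `root` scripts executed under `sudo` on the VM, so a buggy or compromised root-level bootstrap can use the workstation's agent for the life of the session. Pass `-A` only for entries that need it, e.g. a per-entry `stationkeep["forward-agent"]` flag, and drop `-X` unless a bootstrap actually opens a display. The bare `raise` when an entry has neither `root` nor `app` should name the entry, `raise ArgumentError, "stationkeep #{stationkeep["name"].inspect} needs a root: or app: script"`, and `split("!", 2)[1].split(" ")` raises `NoMethodError` on a script with no shebang line. The `substation` filter silently runs nothing when the name matches no entry; a message in that case would help. The enclosing `stationkeep` starts before this hunk.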
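Review bot: `Dir.mkdir_p(polly_ssh_config_d)` is not a method on `Dir`; Ruby provides `FileUtils.mkdir_p` (with `require "fileutils"` if the file does not already have it), so this line raises `NoMethodError` the first time the re-init path runs. The entry written to `~/.ssh/polly_config.d/#{profile}` is only honoured if the user's `~/.ssh/config` has an `Include` for that directory, which nothing here adds or checks; print a hint such as `puts "add 'Include ~/.ssh/polly_config.d/*' to ~/.ssh/config"` or write the file with a comment header explaining it. Keying the `Host` block on `multipass_ip` means a re-launched VM with a new address leaves a stale `ForwardAgent yes` entry behind; keying on the profile's hostname, if one exists, would avoid that. The enclosing method starts before this hunk.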
@@ -297,11 +297,11 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, # ca_file: /home/app/workspace/polly/ca # path to the ca file used in the registry polly_registry_k3s_config = { "mirrors" => { - "docker.io" => { - "endpoint" => [ - "https://polly-registry:443" - ] - }, + #"docker.io" => { + # "endpoint" => [ + # "https://polly-registry:443" + # ] + #}, "polly-registry" => { "endpoint" => [ "https://polly-registry:443" From 20603f15c393f1c8524da44efa338debe681be8c Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 13:29:30 -0400 Subject: [PATCH 017/133] allow cert package --- bin/polly | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/bin/polly b/bin/polly index ff06272..36c2aaa 100755 --- a/bin/polly +++ b/bin/polly @@ -674,11 +674,11 @@ HEREDOC end end - desc "init", "bootstraps project polly controller pod" + desc "init [CERTS]", "bootstraps project polly controller pod" option "re-init", :type => :boolean, :default => false option "with-registry", :type => :boolean, :default => false option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:3.0-rc1" # "polly:3.0-rc1" - def init + def init(cert_package_dir) exe = ::Polly::Execute.new unless exe.in_polly? 
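Review bot: `def init(cert_package_dir)` makes the certificate package a required positional argument, while the updated description `"init [CERTS]"` uses square brackets, which conventionally denote an optional argument; `polly init` with no argument now fails with Thor's arity error before any of the existing checks run. Either make it `def init(cert_package_dir = nil)` and raise a descriptive error when the certificates are actually needed, or change the description to `"init CERTS"` so the help output matches the code. The method continues outside this hunk.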
@@ -699,7 +699,54 @@ HEREDOC git_image = options["with-bootstrap"] # "alpine/git:latest" git_command = ["sleep", "2147483647"].to_json - polly_resources << <<-HEREDOC + #etc_slash_ssh_slash_ssh_host_rsa_key + #etc_slash_ssh_slash_ssh_host_rsa_key.pub + #from-workstation-ca.crt + #id_rsa.pub + #multipass-mega.crt + #polly-root-ca.crt + #web-server-certificate.pem + #web-server-key.pem + #File.write("#{dir}/web-server-certificate.pem", cert) + #File.write("#{dir}/web-server-key.pem", key) + #File.write("#{dir}/from-workstation-ca.crt", a) + #File.write("#{dir}/polly-root-ca.crt", b) + #File.write("#{dir}/multipass-mega.crt", c) + + cert = File.open(File.join(cert_package_dir, "web-server-certificate.pem")).read + key = File.open(File.join(cert_package_dir, "web-server-key.pem")).read + + polly_certificates = <<-HEREDOC +--- +apiVersion: v1 +kind: Secret +metadata: + name: "registry-certificates" +type: Opaque +data: + registry.polly.pem: #{Base64.strict_encode64(cert)} + registry.polly.key: #{Base64.strict_encode64(key)} +... +HEREDOC + + # obv = ::Polly::Observe.new + # obv.register_channels(["certificates"]) + + # delete_polly_certificates = ["kubectl", "delete", "--namespace=#{options['namespace']}", "-f", "-"] + # create_polly_certificates = ["kubectl", "create", "--namespace=#{options['namespace']}", "-f", "-"] + + # options = {:stdin_data => polly_certificates} + # o,e,s = exe.execute_simple(:output, delete_polly_certificates, options) + # obv.report_io("certificates", o, e) + # obv.flush($stdout, $stderr) + + # o,e,s = exe.execute_simple(:output, create_polly_certificates, options) + # obv.report_io("certificates", o, e) + # obv.flush($stdout, $stderr) + + # obv.flush($stdout, $stderr, true) + + polly_resources << polly_certificates << <<-HEREDOC --- apiVersion: v1 kind: ServiceAccount From ee95214a9aaa4c01e99db1a4643f772b7ff8b6e1 Mon Sep 17 00:00:00 2001 
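Review bot: `File.open(File.join(cert_package_dir, "web-server-certificate.pem")).read` (and the `key` line below it) opens a file and never closes it; `File.read(File.join(cert_package_dir, "web-server-certificate.pem"))` does the same in one call without the leaked descriptor. The registry's private key is embedded base64 into the `registry-certificates` Secret and appended to `polly_resources`, which is applied further down outside this hunk; an empty or missing `web-server-key.pem` produces a Secret with an empty key rather than a failure, so a check such as `raise ArgumentError, "empty web-server-key.pem" if key.strip.empty?` is worth adding. The 13 commented filenames and `File.write` lines describe the producer of the package and the 15 commented `obv` lines a previous apply path; a one-line comment naming the command that generates `cert_package_dir` would replace both. The enclosing `init` continues outside the hunk.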
From: Jon Date: Fri, 19 May 2023 16:35:42 -0400 Subject: [PATCH 018/133] polly-registry listens on 23443 --- bin/polly | 70 +++++++++++++++++++++++++++++----------------- lib/polly/build.rb | 26 ++++++++--------- 2 files changed, 58 insertions(+), 38 deletions(-) diff --git a/bin/polly b/bin/polly index 36c2aaa..0ffb178 100755 --- a/bin/polly +++ b/bin/polly @@ -712,6 +712,10 @@ HEREDOC #File.write("#{dir}/from-workstation-ca.crt", a) #File.write("#{dir}/polly-root-ca.crt", b) #File.write("#{dir}/multipass-mega.crt", c) + # + a = File.open(File.join(cert_package_dir, "from-workstation-ca.crt")).read + b = File.open(File.join(cert_package_dir, "polly-root-ca.crt")).read + c = File.open(File.join(cert_package_dir, "multipass-mega.crt")).read cert = File.open(File.join(cert_package_dir, "web-server-certificate.pem")).read key = File.open(File.join(cert_package_dir, "web-server-key.pem")).read @@ -727,8 +731,21 @@ data: registry.polly.pem: #{Base64.strict_encode64(cert)} registry.polly.key: #{Base64.strict_encode64(key)} ... +--- +apiVersion: v1 +kind: Secret +metadata: + name: "ca-certificates" +type: Opaque +data: + ca.workstation.crt: #{Base64.strict_encode64(a)} + ca.polly.crt: #{Base64.strict_encode64(b)} +... HEREDOC +#puts polly_certificates +#exit + # obv = ::Polly::Observe.new # obv.register_channels(["certificates"]) @@ -868,8 +885,9 @@ metadata: name: "polly-registry" spec: ports: - - port: 443 - name: docker-registry + - port: 23443 + targetPort: 23443 + name: https protocol: TCP selector: name: "polly-registry" @@ -904,7 +922,7 @@ metadata: data: buildkitd.toml: |- debug = true - [registry."polly-registry:443"] + [registry."polly-registry:23443"] ca=["/certs/ca.polly.crt"] insecure = true ... 
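Review bot: `a`, `b` and `c` in the `@@ -712` hunk hold the workstation CA, the polly root CA and `multipass-mega.crt`, but `c` is never placed in the `ca-certificates` Secret built in the `@@ -727` hunk, so either the third file is read for nothing or a `ca.multipass.crt` entry is missing from `data:`. Name the locals for what they hold, e.g. `workstation_ca = File.read(File.join(cert_package_dir, "from-workstation-ca.crt"))`, and use `File.read` in place of `File.open(...).read` to avoid leaking descriptors. The `#puts polly_certificates` and `#exit` lines after the heredoc are debugging leftovers and would print the registry's private key if uncommented; delete them. The buildkitd ConfigMap still carries `insecure = true` next to the CA for `polly-registry:23443`; with the CA mounted it should not be needed.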
@@ -962,26 +980,26 @@ spec: runAsUser: 1000 runAsGroup: 1000 volumeMounts: - # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too, - # but the default VOLUME does not work with rootless on Google's Container-Optimized OS - # as it is mounted with `nosuid,nodev`. - # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 - - mountPath: /home/user/.local/share/buildkit - name: buildkitd - - name: configurations - subPath: buildkitd.toml - mountPath: /home/user/.config/buildkit/buildkitd.toml - - name: ca-certificates - mountPath: /certs + # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too, + # but the default VOLUME does not work with rootless on Google's Container-Optimized OS + # as it is mounted with `nosuid,nodev`. + # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 + - mountPath: /home/user/.local/share/buildkit + name: buildkitd + - name: configurations + subPath: buildkitd.toml + mountPath: /home/user/.config/buildkit/buildkitd.toml + - name: ca-certificates + mountPath: /certs volumes: - - name: buildkitd - emptyDir: {} - - name: configurations - configMap: - name: polly-buildkitd-configuration - - name: ca-certificates - secret: - secretName: ca-certificates + - name: buildkitd + emptyDir: {} + - name: configurations + configMap: + name: polly-buildkitd-configuration + - name: ca-certificates + secret: + secretName: ca-certificates ... --- apiVersion: apps/v1 @@ -1078,6 +1096,7 @@ spec: name: polly-registry stack: polly spec: + hostNetwork: true volumes: - name: registry-config configMap: @@ -1110,7 +1129,8 @@ spec: memory: 1000Mi cpu: 2000m ports: - - containerPort: 443 + - containerPort: 23443 + name: https command: - /bin/registry args: @@ -1122,7 +1142,7 @@ spec: - name: REGISTRY_HTTP_TLS_KEY value: /etc/ssl/private/registry.polly.key - name: REGISTRY_HTTP_ADDR - value: 0.0.0.0:443 + value: 0.0.0.0:23443 ... HEREDOC end 
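Review bot: `hostNetwork: true` on the `polly-registry` pod places the registry in the node's network namespace, so port 23443 is exposed on every node interface, NetworkPolicy no longer applies to it, and the pod can reach node-local services directly. If the goal is for k3s on the node to pull from `polly-registry:23443` before cluster networking is available, a `hostPort: 23443` on the container (the `containerPort: 23443` is added in this same section) gives that reachability without the whole host network; either way a comment stating why it was chosen would help. If `hostNetwork` stays, note that `REGISTRY_HTTP_ADDR` of `0.0.0.0:23443` then binds all host interfaces rather than the pod's own. The `@@ -962` hunk is re-indentation only.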
@@ -1185,7 +1205,7 @@ HEREDOC tag = Polly::Build.build_image_to_tag(app, "wkndr", version) - cmd = ["kubectl", "run", "rxn", "-it", *env_flags, "--image=polly-registry:443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn", "-it", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact #puts cmd.inspect exec(*cmd) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 377f268..eaa4ab4 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -29,7 +29,7 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", - "--output", "type=image,name=polly-registry:443/polly-registry/#{tag},push=true" + "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true" ] exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" @@ -148,7 +148,7 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke args: - build #- --import-cache - #- type=registry,ref=polly-registry:443/#{app} + #- type=registry,ref=polly-registry:23443/#{app} - --import-cache - type=local,src=/polly/safe/buildkit,mode=max - --frontend @@ -160,7 +160,7 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke #- --export-cache #- type=inline #- --export-cache - #- type=registry,ref=polly-registry:443/#{app} + #- type=registry,ref=polly-registry:23443/#{app} - --export-cache - type=local,dest=/polly/safe/buildkit,mode=max #- --output 
@@ -168,7 +168,7 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke #- --output #- type=image,name=#{app}/#{tag},push=true ##- --output - ##- type=image,name=polly-registry:443/#{tag},push=true + ##- type=image,name=polly-registry:23443/#{tag},push=true resources: requests: memory: 5000Mi @@ -289,28 +289,28 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, # - "https://polly-registry:443" # "polly-registry": # endpoint: -# - "https://polly-registry:443" +# - "https://polly-registry:23443" #configs: -# "polly-registry:443": +# "polly-registry:23443": # tls: # #cert_file: # path to the cert file used in the registry # #key_file: # path to the key file used in the registry # ca_file: /home/app/workspace/polly/ca # path to the ca file used in the registry polly_registry_k3s_config = { "mirrors" => { - "docker.io" => { - "endpoint" => [ - "https://polly-registry:443" - ] - }, + #"docker.io" => { + # "endpoint" => [ + # "https://polly-registry:443" + # ] + #}, "polly-registry" => { "endpoint" => [ - "https://polly-registry:443" + "https://polly-registry:23443" ] } }, "configs" => { - "polly-registry:443" => { + "polly-registry:24443" => { "tls" => { "ca_file" => "/home/app/workspace/polly/ca" } From b49ff2dca0f85876cd1ed828ac4b9e42bc732137 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 19 May 2023 16:36:44 -0400 Subject: [PATCH 019/133] configure ca-file and bits for polly-registry, and pre-init git-config --- bin/polly | 10 +++++++--- lib/polly/build.rb | 20 +++++++++++++++----- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/bin/polly b/bin/polly index f61ef9f..a72b124 100755 --- a/bin/polly +++ b/bin/polly 
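Review bot: `"polly-registry:24443"` under `configs` does not match the `https://polly-registry:23443` mirror endpoint written a few lines above in the same hunk, so the `tls.ca_file` entry never applies to the registry that is actually contacted. It should read `"polly-registry:23443" => {`. The enclosing `build_cloudinit_yaml` method starts and ends outside the hunk.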
@@ -1527,9 +1527,10 @@ HEREDOC raise unless (distro = params["distro"]) && (ssh = params["ssh"]) && (client_key_pub = ssh["client_key_pub"]) && (server_key = ssh["server_key"]) && - (server_key_pub = ssh["server_key_pub"]) + (server_key_pub = ssh["server_key_pub"]) && + (ca_cert = ssh["ca_cert"]) - cloud_init_yaml = ::Polly::Build.build_cloudinit_yaml(exe, vertical_lookup, File.read(client_key_pub), File.read(server_key), File.read(server_key_pub)) + cloud_init_yaml = ::Polly::Build.build_cloudinit_yaml(exe, vertical_lookup, File.read(ca_cert), File.read(client_key_pub), File.read(server_key), File.read(server_key_pub)) if options["debug"] puts cloud_init_yaml @@ -1644,8 +1645,11 @@ HEREDOC system("ssh", remote_user, "--", "ln", "-sf", "/home/#{options['user']}/workspace/#{File.basename(Dir.pwd)}/devstack/git-hooks", "/home/#{options['user']}/workspace/#{uuid}.git/hooks") system("ssh", remote_user, "--", "git", "-C", "/home/#{options['user']}/workspace/#{uuid}.git config", "receive.advertisePushOptions", "true") + system("ssh", remote_user, "--", "git", "config", "--global", "user.name", IO.popen("git config user.name").read.strip) + system("ssh", remote_user, "--", "git", "config", "--global", "user.email", IO.popen("git config user.email").read.strip) + polly_ssh_config_d = "#{Dir.home}/.ssh/polly_config.d" - Dir.mkdir_p(polly_ssh_config_d) + FileUtils.mkdir_p(polly_ssh_config_d) File.write(File.join(polly_ssh_config_d, profile), "Host #{multipass_ip}\n ForwardAgent yes") #system("git", "config", "remote.#{profile}.sshCommand", 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -X') diff --git a/lib/polly/build.rb b/lib/polly/build.rb index d4e04c9..4fa3d11 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
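Review bot: The two added `ssh ... git config --global user.name/user.email` calls pass the value as its own argv element, but ssh joins the remote command into one string for the remote shell, so a `user.name` with a space (e.g. `Jon Bardin`) is split into two arguments and `git config` rejects it, and any shell metacharacter in the value would be interpreted on the remote side. Quote it for the remote shell, e.g. `Shellwords.escape(IO.popen(["git", "config", "user.name"]) { |io| io.read }.strip)` (likewise for `user.email`); the block form also closes the popen pipe that the current `IO.popen(...).read` leaves open. `shellwords` is stdlib and needs a `require "shellwords"` if the file does not already have one. The enclosing method starts and ends outside the hunk.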
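Review bot: `ssh.ca_cert` becomes a required key of `vertical.yaml` here, but the guard is the pre-existing bare `raise unless ...`, which reports only `unhandled exception` when the key is absent, so users upgrading will not learn what is missing. A message on the raise, `raise ArgumentError, "vertical.yaml: distro, ssh.client_key_pub, ssh.server_key, ssh.server_key_pub and ssh.ca_cert are required" unless ...`, or at least a comment above the chain listing the required keys, would document the new requirement. The enclosing method starts and ends outside the hunk.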
@@ -242,7 +242,7 @@ def self.buildkit_internal(exe, app, build_image_stage, version, generated_docke exec(*["kubectl", "logs", build_pod, "-f"].compact) end - def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, server_key_pub) + def self.build_cloudinit_yaml(exe, vertical_lookup, ca_cert, client_key_pub, server_key, server_key_pub) prewrites = vertical_lookup["prewrites"] users = [{ @@ -277,6 +277,18 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, 'permissions' => '0600' } + write_files << { + 'content' => ca_cert.strip + "\n", + 'path' => '/usr/local/share/ca-certificates/polly-ca.crt', + 'permissions' => '0644' + } + + #write_files << { + # 'content' => "KUBECONFIG=\"~/.kube/k3s-config:~/.kube/config\"" + "\n" + "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin\"" + "\n", + # 'path' => '/etc/environment', + # 'permissions' => '0644' + #} + write_files << { 'content' => "HostKey /etc/ssh/custom_ssh_host_rsa_key" + "\n", 'path' => '/etc/ssh/sshd_config.d/custom.conf', @@ -311,7 +323,7 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, "configs" => { "polly-registry:443" => { "tls" => { - "ca_file" => "/home/app/workspace/polly/ca" + "ca_file" => "/usr/local/share/ca-certificates/polly-ca.crt" } } } 
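Review bot: Writing the CA to `/usr/local/share/ca-certificates/polly-ca.crt` does not by itself add it to the system trust store; on Debian-family images that happens only when `update-ca-certificates` runs, and nothing in this hunk invokes it. The k3s `registries.yaml` references the file by path (the @@ -311 hunk), so k3s is presumably fine, but other tools on the VM that talk to `polly-registry` over TLS will not trust it. Either add `update-ca-certificates` to cloud-init's `runcmd` or state in a comment on the `write_files` entry that only k3s is expected to consume this CA. The enclosing `build_cloudinit_yaml` method starts and ends outside the hunk.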
@@ -323,10 +335,8 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, client_key_pub, server_key, 'permissions' => '0644' } - - write_files << { - 'content' => "127.0.1.1 $hostname $hostname\n127.0.0.1 localhost\n" + vertical_lookup["host-aliases"].collect { |ha| ha["hostnames"].collect { |hn| ha["ip"] + " " + hn }.join("\n") }.join("\n") + "" + "\n", + 'content' => "127.0.0.1 polly-registry\n127.0.1.1 $hostname $hostname\n127.0.0.1 localhost\n" + vertical_lookup["host-aliases"].collect { |ha| ha["hostnames"].collect { |hn| ha["ip"] + " " + hn }.join("\n") }.join("\n") + "" + "\n", 'path' => '/etc/cloud/templates/hosts.debian.tmpl', 'permissions' => '0644' } From ce4e1e41cc38d2078eb3f8600ea07f6f671d4778 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 19:21:01 -0400 Subject: [PATCH 020/133] better layer caching --- bin/polly | 12 ++++++------ lib/polly/build.rb | 28 +++++++++++++++++++++++++++- 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/bin/polly b/bin/polly index 5315923..c9eb15a 100755 --- a/bin/polly +++ b/bin/polly @@ -410,14 +410,14 @@ class PollyTasks < Thor option "cache", :type => :boolean, :default => true option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false - def build(container_definition="-") + def build(container_definition="-", in_version = nil, in_branch = nil) default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" exe = ::Polly::Execute.new(options) - version = exe.current_revision - branch = exe.current_branch + version = in_version || exe.current_revision + branch = in_branch || exe.current_branch app = exe.current_app image_repo = Polly::Config.image_repo @@ -1190,7 +1190,7 @@ HEREDOC end desc "rxn", "run app pod" - def rxn(rxn_cmd = "bash") + def rxn(in_version = nil, in_branch = nil, rxn_cmd = "bash") exe = ::Polly::Execute.new vertical_lookup = YAML.load(File.read("vertical.yaml")) 
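Review bot: Reordering `rxn`'s parameters to `(in_version = nil, in_branch = nil, rxn_cmd = "bash")` changes the meaning of the existing `polly rxn <cmd>` invocation: the first positional is now treated as a version, so `polly rxn bash` runs the default command against revision `bash`. Thor positional optionals cannot be skipped, so keep `rxn_cmd` first or expose the overrides as `option "version", :type => :string` / `option "branch", :type => :string` flags; the same applies to `build(container_definition="-", in_version = nil, in_branch = nil)` in the @@ -410 hunk, where `in_version` silently replaces `exe.current_revision` with no validation. Both enclosing methods continue outside their hunks.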
@@ -1198,8 +1198,8 @@ HEREDOC env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } - version = exe.current_revision - branch = exe.current_branch + version = in_version || exe.current_revision + branch = in_branch || exe.current_branch app = exe.current_app image_repo = Polly::Config.image_repo diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 72fe7d9..511f662 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -29,8 +29,34 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", - "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true" + "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true", + "--import-cache", + "type=registry,ref=polly-registry:23443/#{app}", + #"--import-cache", + #"type=local,src=/polly/safe/buildkit,mode=max", + #- --frontend + #- dockerfile.v0 + #- --local + #- context=/home/app/#{app} + #- --local + #- dockerfile=/tmp/#{app} + "--export-cache", + "type=inline", + "--export-cache", + "type=registry,ref=polly-registry:23443/#{app}" + #- --export-cache + #- type=registry,ref=polly-registry:23443/#{app} + #"--export-cache", + #"type=local,dest=/polly/safe/buildkit,mode=max" + #- --output + #- type=tar,dest=/polly-safe/buildkit/#{tag}.tar + #- --output + #- type=image,name=#{app}/#{tag},push=true + ##- --output + ##- type=image,name=polly-registry:23443/#{tag},push=true + ] + puts buildctl_local_cmd.inspect exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" end From 05082bf5eb28f83d877091b8a846fcfd6664b448 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 19 May 2023 19:21:38 -0400 Subject: [PATCH 021/133] repair port --- lib/polly/build.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
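Review bot: `puts buildctl_local_cmd.inspect` is a debug print left on the production path right before `exe.systemx`; it echoes the full buildctl argv on every build and should be removed or gated behind the existing `explain` option. The `#- --frontend` / `#- type=tar,...` lines pasted inside the Ruby array literal are YAML fragments from `buildkit_internal`, not Ruby, and are better deleted than kept as dead text between live arguments. The enclosing `buildkit_workstation_to_controller` method starts outside the hunk.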
diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 72fe7d9..efa04ff 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -322,7 +322,7 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, ca_cert, client_key_pub, ser } }, "configs" => { - "polly-registry:24443" => { + "polly-registry:23443" => { "tls" => { "ca_file" => "/usr/local/share/ca-certificates/polly-ca.crt" } From b4f2251d3edd44a17508e449772d344c3dae3f60 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 21:46:27 -0400 Subject: [PATCH 022/133] bad version --- bin/polly | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/polly b/bin/polly index c9eb15a..70b6d13 100755 --- a/bin/polly +++ b/bin/polly @@ -410,14 +410,14 @@ class PollyTasks < Thor option "cache", :type => :boolean, :default => true option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false - def build(container_definition="-", in_version = nil, in_branch = nil) + def build(container_definition="-") default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" exe = ::Polly::Execute.new(options) - version = in_version || exe.current_revision - branch = in_branch || exe.current_branch + version = exe.current_revision + branch = exe.current_branch app = exe.current_app image_repo = Polly::Config.image_repo @@ -1190,7 +1190,7 @@ HEREDOC end desc "rxn", "run app pod" - def rxn(in_version = nil, in_branch = nil, rxn_cmd = "bash") + def rxn(rxn_cmd = "bash") exe = ::Polly::Execute.new vertical_lookup = YAML.load(File.read("vertical.yaml")) From b060100c9039cd09e1aad4ade7f81e001a56dda9 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 21:47:23 -0400 Subject: [PATCH 023/133] bits --- bin/polly | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index 70b6d13..5315923 100755 --- a/bin/polly +++ b/bin/polly 
@@ -1198,8 +1198,8 @@ HEREDOC env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } - version = in_version || exe.current_revision - branch = in_branch || exe.current_branch + version = exe.current_revision + branch = exe.current_branch app = exe.current_app image_repo = Polly::Config.image_repo From 7dbecfb81a715940e28854dd9347f4a47d854e09 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 21:47:38 -0400 Subject: [PATCH 024/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ddd768..00f6f77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.26.0] - 2023-05-19 - Jon + +add more build/run options + +####### + # [4.25.0] - 2023-05-16 - Jon Bardin Allow `host-aliases` block to be defined and written out to /etc/hosts via cloud-init diff --git a/VERSION b/VERSION index 71cf366..4731277 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.25.0 \ No newline at end of file +4.26.0 \ No newline at end of file From 0b9f897e9f780603626eee9730f945c7ef7af40a Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 19 May 2023 23:48:42 -0400 Subject: [PATCH 025/133] make -it togglable --- bin/polly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 5315923..e87aa31 100755 --- a/bin/polly +++ b/bin/polly @@ -1205,7 +1205,7 @@ HEREDOC tag = Polly::Build.build_image_to_tag(app, "wkndr", version) - cmd = ["kubectl", "run", "rxn", "-it", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn", "--attach=true", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact #puts cmd.inspect exec(*cmd) 
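Review bot: Replacing `-it` with `--attach=true` drops both stdin and the TTY while `rxn_cmd` still defaults to `bash`, so the default invocation attaches to a shell that reads EOF and exits at once. If the goal is to make interactivity optional, add `option "interactive", :type => :boolean, :default => true` and include `"-it"` only when it is set, keeping `--attach=true` for the non-interactive case. The enclosing `rxn` method starts outside the hunk.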
From d532161f71a10dc18bbaf1dc8e5bc98192e63986 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Sat, 20 May 2023 01:00:40 -0400 Subject: [PATCH 026/133] repair dns bits --- bin/polly | 31 ++++++++++++++++++++----------- lib/polly/build.rb | 28 +++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 12 deletions(-) diff --git a/bin/polly b/bin/polly index e87aa31..3607abc 100755 --- a/bin/polly +++ b/bin/polly @@ -511,9 +511,11 @@ class PollyTasks < Thor desc "certificates [PRIVATE_KEY] [PUBLIC_KEY]", "installs some common ca certificate secret material into cluster" option "namespace", :type => :string, :default => "default" option "mode", :type => :string, :default => "directory" - def certificates(inbound_ssh_key="", inbound_ssh_key_pub="", cname = "polly-registry", cname_two = "0.0.0.0") - inbound_ssh_key = File.read(inbound_ssh_key) unless inbound_ssh_key.empty? - inbound_ssh_key_pub = File.read(inbound_ssh_key_pub) unless inbound_ssh_key_pub.empty? + def certificates(cnames = "polly.local") + #inbound_ssh_key = File.read(inbound_ssh_key) unless inbound_ssh_key.empty? + #inbound_ssh_key_pub = File.read(inbound_ssh_key_pub) unless inbound_ssh_key_pub.empty? + + key_client = OpenSSL::PKey::RSA.new 4096 key = OpenSSL::PKey::RSA.new 4096 key_dsa = OpenSSL::PKey::DSA.new 4096 @@ -524,10 +526,10 @@ class PollyTasks < Thor #ssh_key.write([key.to_blob.length].pack('N')) #ssh_key.write(key.to_blob) #ssh_priv_key = ssh_key.string - #type = key.ssh_type - #data2 = [ key.to_blob ].pack('m0') - #openssh_format = "#{type} #{data2}" - ###puts openssh_format + + type = key_client.ssh_type + data2 = [ key_client.to_blob ].pack('m0') + openssh_format = "#{type} #{data2}" data = key.to_pem data_dsa = key_dsa.to_pem 
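Review bot: `key_client.ssh_type` and `key_client.to_blob` are not methods of stdlib `OpenSSL::PKey::RSA`; they appear to be the extensions net-ssh installs when `net/ssh` is loaded (the gemspec on this page depends on net-ssh), so this line works only if that require has already happened in `bin/polly`. A comment such as `# ssh_type/to_blob come from net-ssh's OpenSSL extensions` would make the dependency visible, and a one-liner on `key_client` saying it is the keypair exported as `id_rsa`/`id_rsa.pub` would explain why it is separate from `key`. The enclosing `certificates` method continues outside the hunk.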
@@ -554,6 +556,9 @@ class PollyTasks < Thor root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false)) root_ca.sign(root_key, OpenSSL::Digest::SHA256.new) + cnames = cnames.split(":") + ["polly-registry"] + cname = cnames.shift + key = OpenSSL::PKey::RSA.new 2048 cert = OpenSSL::X509::Certificate.new cert.version = 2 @@ -568,7 +573,7 @@ class PollyTasks < Thor ef.issuer_certificate = root_ca cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false)) - cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cname},IP:#{cname_two}", false)) + cert.add_extension(ef.create_extension("subjectAltName", cnames.collect { |cn| "DNS:#{cn}" }.join(",") + ",IP:0.0.0.0", false)) cert.sign(root_key, OpenSSL::Digest::SHA256.new) #key = File.read("/usr/local/etc/openssl/misc/workstation-key.pem") @@ -591,10 +596,11 @@ class PollyTasks < Thor #kn.add("wkstation-service", key) #known_hosts = File.read("/var/tmp/cheese.known_hosts") #puts known_hosts.inspect + #TODO: !!! + #ssh_key: #{Base64.strict_encode64(inbound_ssh_key || "")} + #ssh_key_pub: #{Base64.strict_encode64(inbound_ssh_key_pub || "")} + - #TODO: !!! - #ssh_key: #{Base64.strict_encode64(inbound_ssh_key || "")} - #ssh_key_pub: #{Base64.strict_encode64(inbound_ssh_key_pub || "")} case options["mode"] when "k8s-secret" @@ -657,6 +663,9 @@ HEREDOC File.umask(0077) + File.write("#{dir}/id_rsa.pub", openssh_format) + File.write("#{dir}/id_rsa", key_client.to_s) + File.write("#{dir}/web-server-certificate.pem", cert) File.write("#{dir}/web-server-key.pem", key) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 8f42831..5f625c6 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
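Review bot: `cname = cnames.shift` removes the first name from `cnames`, so the name chosen as subject CN is exactly the one missing from the `subjectAltName` built in the @@ -568 hunk (`cnames.collect { |cn| "DNS:#{cn}" }`); modern TLS clients match only SANs, so the certificate will not validate for the primary name. Use `cname = cnames.first`. In that SAN string `IP:0.0.0.0` is not an address a client will ever connect to and can be dropped, and the colon-split `cnames` input is interpolated unvalidated — at least `.reject(&:empty?)` it so a trailing `:` does not yield an empty `DNS:` entry. The enclosing `certificates` method continues outside the hunk.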
@@ -321,6 +321,31 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, ca_cert, client_key_pub, ser 'path' => '/etc/ssh/sshd_config.d/custom.conf', 'permissions' => '0644' } + + write_files << { + 'path' => '/etc/systemd/resolved.conf', + 'append' => true, + 'content' => "MulticastDNS=yes\n" + } + + write_files << { + 'path' => '/etc/systemd/system/mdns@.service', + 'content' => "[Service] +Type=oneshot +ExecStart=/usr/bin/resolvectl mdns %i yes +After=sys-subsystem-net-devices-%i.device + +[Install] +WantedBy=sys-subsystem-net-devices-%i.device +" + } + + runcmd = [ + "systemctl restart systemd-resolved.service", + "systemctl start mdns@ens3.service", # https://github.com/canonical/multipass/issues/1830 + "systemctl enable mdns@ens3.service" + ] + #mirrors: # "docker.io": # endpoint: @@ -371,7 +396,8 @@ def self.build_cloudinit_yaml(exe, vertical_lookup, ca_cert, client_key_pub, ser { 'users' => users, 'write_files' => write_files, - 'manage_etc_hosts' => true + 'manage_etc_hosts' => true, + 'runcmd' => runcmd }.to_yaml end end From 819c54613415d486768c4c2d1443435c15d5bd44 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Sat, 20 May 2023 02:10:19 -0400 Subject: [PATCH 027/133] repair cname creation --- bin/polly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 3607abc..f7571c7 100755 --- a/bin/polly +++ b/bin/polly @@ -557,7 +557,7 @@ class PollyTasks < Thor root_ca.sign(root_key, OpenSSL::Digest::SHA256.new) cnames = cnames.split(":") + ["polly-registry"] - cname = cnames.shift + cname = cnames.first key = OpenSSL::PKey::RSA.new 2048 cert = OpenSSL::X509::Certificate.new From 76b4c80b6746d5f9aed70ebb311bf79d74a381ac Mon Sep 17 00:00:00 2001 From: Jon Date: Sat, 20 May 2023 21:45:54 -0400 Subject: [PATCH 028/133] make p12 export function --- bin/polly | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index e87aa31..06c708c 100755 --- a/bin/polly +++ b/bin/polly 
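Review bot: In the `mdns@.service` unit written here, `After=sys-subsystem-net-devices-%i.device` sits under `[Service]`, but `After=` is a `[Unit]` directive; systemd warns about the unknown key and ignores it, so the ordering against the device is lost. Move it into a `[Unit]` section placed before `[Service]`. The interface name `ens3` in `runcmd` is hard-coded as well — fine for the multipass case the linked issue describes, but a comment such as `# ens3 is the NIC name multipass/QEMU guests get` or a value taken from `vertical_lookup` would make that assumption visible. The enclosing `build_cloudinit_yaml` method starts outside the hunk.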
@@ -512,6 +512,7 @@ class PollyTasks < Thor option "namespace", :type => :string, :default => "default" option "mode", :type => :string, :default => "directory" def certificates(inbound_ssh_key="", inbound_ssh_key_pub="", cname = "polly-registry", cname_two = "0.0.0.0") + # openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 inbound_ssh_key = File.read(inbound_ssh_key) unless inbound_ssh_key.empty? inbound_ssh_key_pub = File.read(inbound_ssh_key_pub) unless inbound_ssh_key_pub.empty? @@ -534,7 +535,7 @@ class PollyTasks < Thor exe = ::Polly::Execute.new - root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key + root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key #!!!!!! root_ca = OpenSSL::X509::Certificate.new root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate From e11689590ba151b7c89cada037b150ef5f226c03 Mon Sep 17 00:00:00 2001 From: Jon Date: Wed, 24 May 2023 21:37:35 -0400 Subject: [PATCH 029/133] better timeout for shr and rxn --- bin/polly | 4 ++-- lib/polly/build.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/polly b/bin/polly index 06528b7..9ef9814 100755 --- a/bin/polly +++ b/bin/polly @@ -1200,7 +1200,7 @@ HEREDOC def shr(shr_cmd = "bash") exe = ::Polly::Execute.new - exec(*["kubectl", "run", "shr", "-it", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) + exec(*["kubectl", "run", "shr", "-it", "--pod-running-timeout=3m0s", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) end desc "rxn", "run app pod" 
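Review bot: `--image=ghcr.io/unhookd/polly:master` with `--image-pull-policy=IfNotPresent` runs whatever image the node has cached under a mutable tag, so the shell pod is neither reproducible nor verifiable against what `master` currently is; pin it by digest (`ghcr.io/unhookd/polly@sha256:<digest-placeholder>`) or derive the tag from the current revision the way `rxn` does with `build_image_to_tag`. `exe` is assigned and never used in `shr`. The enclosing `shr` method lies entirely within the hunk.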
@@ -1219,7 +1219,7 @@ HEREDOC tag = Polly::Build.build_image_to_tag(app, "wkndr", version) - cmd = ["kubectl", "run", "rxn", "--attach=true", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact #puts cmd.inspect exec(*cmd) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 5f625c6..771f104 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -56,7 +56,7 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version ##- type=image,name=polly-registry:23443/#{tag},push=true ] - puts buildctl_local_cmd.inspect + #puts buildctl_local_cmd.inspect exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" end From 32dc4152988f0fd2d14968554952f65a30036131 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Sun, 18 Jun 2023 03:32:33 +0000 Subject: [PATCH 030/133] update to ruby 3 --- lib/polly/generate.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/polly/generate.rb b/lib/polly/generate.rb index d62c826..67f8cc4 100644 --- a/lib/polly/generate.rb +++ b/lib/polly/generate.rb @@ -177,7 +177,7 @@ def app def prototype1 @prototype1 = true @bootstrap = image { - stage "bootstrap", "ubuntu:focal-20221130" + stage "bootstrap", "ubuntu:jammy-20221130" root 
@@ -191,7 +191,7 @@ def prototype1 run %q{test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales))} - apt %w{curl mysql-client-8.0 mysql-server-core-8.0 ruby2* libruby2* ruby-bundler rubygems-integration rake git build-essential default-libmysqlclient-dev} + apt %w{curl mysql-client-8.0 mysql-server-core-8.0 ruby3* libruby3* ruby-bundler rubygems-integration rake git build-essential default-libmysqlclient-dev} run %q{useradd --uid 1000 --home-dir /home/app --create-home --shell /bin/bash app} command("WORKDIR") { "/home/app" @@ -206,6 +206,7 @@ def prototype1 run %q{bundle config set --local jobs 4} run %q{bundle config set --local retry 3} #TODO: figure out conventional bundling strategy + #TODO: figure out .gem strategy prototype #run %q{bundle config set --local deploment true} #run %q{bundle config set --local without development} command("COPY") { From 819e8cf54b164881b27e2b2161996a90ddb0f7cf Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 21 Jun 2023 01:09:04 -0400 Subject: [PATCH 031/133] update thor version for better ruby3x support --- polly.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polly.gemspec b/polly.gemspec index 286583f..bbd00d1 100644 --- a/polly.gemspec +++ b/polly.gemspec @@ -18,7 +18,7 @@ Gem::Specification.new do |spec| spec.executables = ["polly"] spec.require_paths = ["lib"] - spec.add_dependency "thor", "= 0.20.3" + spec.add_dependency "thor", "= 1.2.2" spec.add_dependency "net-ssh", "~> 6.0" spec.add_dependency "yajl-ruby", "= 1.4.1" spec.add_dependency "guard", "~> 2.18" From be39e92d0de78cbedb7ef8d43e7328241073985d Mon Sep 17 00:00:00 2001 
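Review bot: `ruby3*` and `libruby3*` are glob patterns to apt, so the install pulls in every package whose name starts with those prefixes — on jammy that likely includes `-doc` and `-dev` variants — which bloats the image and makes the installed interpreter depend on what the mirror carries rather than on the pinned `ubuntu:jammy-20221130` base. Name the packages explicitly, e.g. `ruby3.0 libruby3.0`, so the build stays reproducible. The enclosing `prototype1` image block continues outside the hunk.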
From: Jon Bardin Date: Wed, 21 Jun 2023 05:55:48 +0000 Subject: [PATCH 032/133] todo figure out how to map all secrets for single node instance case --- bin/polly | 64 +++++++++++++++++++++++----------------------- lib/polly/build.rb | 2 +- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/bin/polly b/bin/polly index 8287188..829862d 100755 --- a/bin/polly +++ b/bin/polly @@ -422,7 +422,7 @@ class PollyTasks < Thor image_repo = Polly::Config.image_repo generated_dockerfile = nil - + puts [container_definition, default_dockerfile].inspect if container_definition == "-" && File.exists?(default_pollyfile) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options @@ -441,14 +441,14 @@ class PollyTasks < Thor end end - if options["in-cluster"] - Polly::Generate.all_images.each { |build_image| - Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) - } - else - raise if version.empty? - Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) - end + #if options["in-cluster"] + # Polly::Generate.all_images.each { |build_image| + # Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) + # } + #else + # raise if version.empty? + # Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + #end end # desc "checkout [REPO] [VERSION] [DESTINATION]", "" 
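Review bot: Commenting out the entire `if options["in-cluster"]` dispatch leaves `build` generating a Dockerfile and then returning without building or raising, and the `raise if version.empty?` guard disappears with it, so a caller gets exit status 0 and no image. If this is a temporary disable, `raise NotImplementedError, "build dispatch is disabled"` or at least a `puts` saying so is preferable to a silent no-op. The `puts [container_definition, default_dockerfile].inspect` added in the @@ -422 hunk is a debug print that should not ship. The enclosing `build` method continues outside both hunks.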
@@ -654,27 +654,27 @@ data: dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} ... ---- -apiVersion: v1 -kind: Secret -metadata: - name: "registry-certificates" -type: Opaque -data: - registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} - registry.polly.key: #{Base64.strict_encode64(key.to_pem)} -... ---- -apiVersion: v1 -kind: Secret -metadata: - name: "ca-certificates" -type: Opaque -data: - ca.workstation.crt: #{Base64.strict_encode64(a)} - ca.polly.crt: #{Base64.strict_encode64(b)} - ca-certificates.crt: #{Base64.strict_encode64(c)} -... +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: "registry-certificates" +#type: Opaque +#data: +# registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} +# registry.polly.key: #{Base64.strict_encode64(key.to_pem)} +#... +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: "ca-certificates" +#type: Opaque +#data: +# ca.workstation.crt: #{Base64.strict_encode64(a)} +# ca.polly.crt: #{Base64.strict_encode64(b)} +# ca-certificates.crt: #{Base64.strict_encode64(c)} +#... --- apiVersion: v1 kind: Secret @@ -811,7 +811,7 @@ data: ... HEREDOC -#puts polly_certificates +puts polly_certificates #exit # obv = ::Polly::Observe.new @@ -1340,7 +1340,7 @@ HEREDOC puts [o, e, s] end - deploy_polly_app = ["kubectl", "apply", "-f", "-"] + deploy_polly_app = ["kubectl", "apply", "--server-side=true", "-f", "-"] options = {:stdin_data => polly_run} o,e,s = exe.execute_simple(:output, deploy_polly_app, options) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 771f104..1a6805e 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
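Review bot: Un-commenting `puts polly_certificates` writes the rendered Secret manifest to stdout on every run, and per the PATCH 018 hunk earlier on this page that heredoc carries `registry.polly.key` and other base64 private-key entries, which then end up in terminal scrollback and any CI log. Keep it as `#puts polly_certificates`, or if a dump is wanted gate it behind `options["debug"]` and print only the `metadata.name` values rather than `data:`. The enclosing method continues outside the hunk.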
@@ -26,7 +26,7 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "--addr", "kube-pod://polly-buildkitd-0", "build", "--progress=plain", - "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + #"--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true", From 065ed2d35e15bdc80f57377f904f402ebc85045a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 27 Jun 2023 06:12:33 +0000 Subject: [PATCH 033/133] better bootstrap sequence --- README.md | 8 ++- bin/polly | 179 ++++++++++++++++++++++++++++++++++-------------------- 2 files changed, 120 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index ea5d183..cad422d 100644 --- a/README.md +++ b/README.md @@ -16,14 +16,18 @@ Do not expose polly to a kubernetes cluster unless you have thoroughly understoo TODO, in the future, `polly` will be available via `sudo gem install polly` ... until then it must be installed manually, see below + #### deps sudo apt-get install ruby rubygems-integration libffi-dev build-essential --no-install-recommends sudo gem install bundler - cd ~/workspace + + #### clone repo git clone git@github.com:unhookd/polly.git cd polly + + #### install app bundle config set --local path vendor/bundle bundle install - sudo ln -fs ${HOME}/workspace/polly/bin/polly /usr/local/bin/polly + sudo ln -fs $(realpath bin/polly) /usr/local/bin/polly polly help # .circleci/config.yml diff --git a/bin/polly b/bin/polly index 829862d..702c167 100755 --- a/bin/polly +++ b/bin/polly 
@@ -640,82 +640,82 @@ class PollyTasks < Thor case options["mode"] - when "k8s-secret" - polly_certificates = <<-HEREDOC ---- -apiVersion: v1 -kind: Secret -metadata: - name: sshd -type: Opaque -data: - rsa: #{Base64.strict_encode64(data)} - dsa: #{Base64.strict_encode64(data_dsa)} - dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} - rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} -... +# when "k8s-secret" +# polly_certificates = <<-HEREDOC #--- #apiVersion: v1 #kind: Secret #metadata: -# name: "registry-certificates" +# name: sshd #type: Opaque #data: -# registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} -# registry.polly.key: #{Base64.strict_encode64(key.to_pem)} +# rsa: #{Base64.strict_encode64(data)} +# dsa: #{Base64.strict_encode64(data_dsa)} +# dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} +# rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} #... +##--- +##apiVersion: v1 +##kind: Secret +##metadata: +## name: "registry-certificates" +##type: Opaque +##data: +## registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} +## registry.polly.key: #{Base64.strict_encode64(key.to_pem)} +##... +##--- +##apiVersion: v1 +##kind: Secret +##metadata: +## name: "ca-certificates" +##type: Opaque +##data: +## ca.workstation.crt: #{Base64.strict_encode64(a)} +## ca.polly.crt: #{Base64.strict_encode64(b)} +## ca-certificates.crt: #{Base64.strict_encode64(c)} +##... #--- #apiVersion: v1 #kind: Secret #metadata: -# name: "ca-certificates" +# name: "buildkit-daemon-certs" #type: Opaque #data: -# ca.workstation.crt: #{Base64.strict_encode64(a)} -# ca.polly.crt: #{Base64.strict_encode64(b)} -# ca-certificates.crt: #{Base64.strict_encode64(c)} +# ca.pem: #{Base64.strict_encode64(b)} +# cert.pem: #{Base64.strict_encode64(cert2.to_pem)} +# key.pem: #{Base64.strict_encode64(key2.to_pem)} #... 
---- -apiVersion: v1 -kind: Secret -metadata: - name: "buildkit-daemon-certs" -type: Opaque -data: - ca.pem: #{Base64.strict_encode64(b)} - cert.pem: #{Base64.strict_encode64(cert2.to_pem)} - key.pem: #{Base64.strict_encode64(key2.to_pem)} -... ---- -apiVersion: v1 -kind: Secret -metadata: - name: "buildkit-client-certs" -type: Opaque -data: - ca.pem: #{Base64.strict_encode64(b)} - cert.pem: #{Base64.strict_encode64(cert3.to_pem)} - key.pem: #{Base64.strict_encode64(key3.to_pem)} -... -HEREDOC - - obv = ::Polly::Observe.new - obv.register_channels(["certificates"]) - - delete_polly_certificates = ["kubectl", "delete", "--namespace=#{options['namespace']}", "-f", "-"] - create_polly_certificates = ["kubectl", "create", "--namespace=#{options['namespace']}", "-f", "-"] - - options = {:stdin_data => polly_certificates} - o,e,s = exe.execute_simple(:output, delete_polly_certificates, options) - obv.report_io("certificates", o, e) - obv.flush($stdout, $stderr) - - o,e,s = exe.execute_simple(:output, create_polly_certificates, options) - obv.report_io("certificates", o, e) - obv.flush($stdout, $stderr) - - obv.flush($stdout, $stderr, true) - +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: "buildkit-client-certs" +#type: Opaque +#data: +# ca.pem: #{Base64.strict_encode64(b)} +# cert.pem: #{Base64.strict_encode64(cert3.to_pem)} +# key.pem: #{Base64.strict_encode64(key3.to_pem)} +#... 
+#HEREDOC +# +# obv = ::Polly::Observe.new +# obv.register_channels(["certificates"]) +# +# delete_polly_certificates = ["kubectl", "delete", "--namespace=#{options['namespace']}", "-f", "-"] +# create_polly_certificates = ["kubectl", "create", "--namespace=#{options['namespace']}", "-f", "-"] +# +# options = {:stdin_data => polly_certificates} +# o,e,s = exe.execute_simple(:output, delete_polly_certificates, options) +# obv.report_io("certificates", o, e) +# obv.flush($stdout, $stderr) +# +# o,e,s = exe.execute_simple(:output, create_polly_certificates, options) +# obv.report_io("certificates", o, e) +# obv.flush($stdout, $stderr) +# +# obv.flush($stdout, $stderr, true) +# when "directory" dir = File.join("/var/tmp", SecureRandom.uuid) FileUtils.mkdir_p(dir) @@ -737,6 +737,12 @@ HEREDOC File.write("#{dir}/polly-root-ca.crt", b) File.write("#{dir}/multipass-mega.crt", c) + File.write("#{dir}/buildkit-server-cert.crt", cert2) + File.write("#{dir}/buildkit-server-cert.key", key2) + + File.write("#{dir}/buildkit-client-cert.crt", cert3) + File.write("#{dir}/buildkit-client-cert.key", key3) + #TODO: link with vertical.yaml specification puts "certificates will be found in #{dir}" end 
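Review bot: With the whole `when "k8s-secret"` branch commented out, `case options["mode"]` has a single `"directory"` arm and no `else`, so `--mode=k8s-secret` now silently produces nothing and exits 0. Add `else raise ArgumentError, "unsupported mode: #{options['mode']}"` after the `"directory"` arm, and put a one-line comment at the top of the commented block recording why k8s-secret mode is disabled and what would re-enable it, so the dead heredoc is not mistaken for live code. The enclosing `certificates` method continues outside the hunk.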
@@ -788,6 +794,23 @@ HEREDOC cert = File.open(File.join(cert_package_dir, "web-server-certificate.pem")).read key = File.open(File.join(cert_package_dir, "web-server-key.pem")).read + key2 = File.open(File.join(cert_package_dir, "buildkit-server-cert.key")).read + cert2 = File.open(File.join(cert_package_dir, "buildkit-server-cert.crt")).read + key3 = File.open(File.join(cert_package_dir, "buildkit-client-cert.key")).read + cert3 = File.open(File.join(cert_package_dir, "buildkit-client-cert.crt")).read + +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: sshd +#type: Opaque +#data: +# rsa: #{Base64.strict_encode64(data)} +# dsa: #{Base64.strict_encode64(data_dsa)} +# dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} +# rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} +#... polly_certificates = <<-HEREDOC --- apiVersion: v1 @@ -809,9 +832,31 @@ data: ca.workstation.crt: #{Base64.strict_encode64(a)} ca.polly.crt: #{Base64.strict_encode64(b)} ... +--- +apiVersion: v1 +kind: Secret +metadata: + name: "buildkit-daemon-certs" +type: Opaque +data: + ca.pem: #{Base64.strict_encode64(b)} + cert.pem: #{Base64.strict_encode64(cert2)} + key.pem: #{Base64.strict_encode64(key2)} +... +--- +apiVersion: v1 +kind: Secret +metadata: + name: "buildkit-client-certs" +type: Opaque +data: + ca.pem: #{Base64.strict_encode64(b)} + cert.pem: #{Base64.strict_encode64(cert3)} + key.pem: #{Base64.strict_encode64(key3)} +... HEREDOC -puts polly_certificates +#puts polly_certificates #exit # obv = ::Polly::Observe.new 
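Review bot: The four new reads, `key2 = File.open(File.join(cert_package_dir, "buildkit-server-cert.key")).read` and the matching `cert2`, `key3`, `cert3` lines, open file handles that are never closed, copying the pattern of the `cert`/`key` lines above them; `key2 = File.read(File.join(cert_package_dir, "buildkit-server-cert.key"))` reads and releases the descriptor in one call. The commented-out `sshd` Secret block added inside the method is dead text that will confuse the next reader of an already heredoc-heavy method and is better deleted. The enclosing method continues past this hunk.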
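Review bot: Both new Secrets, `buildkit-daemon-certs` and `buildkit-client-certs`, carry the same `ca.pem: #{Base64.strict_encode64(b)}`, so buildkitd will accept as a client any certificate that chains to CA `b`; if the registry and web-server certificates in the same bundle are issued from that CA (their issuer is not visible here), those service certificates are also valid buildkitd client credentials. If mTLS is meant to gate who may run builds, issue the client certificate from a dedicated CA, or at minimum record the trust scope next to the secret, e.g. `# ca.pem is the polly root CA: every cert it issued authenticates to buildkitd`. Disabling `puts polly_certificates`, which printed private keys to stdout, is the right call; deleting the line instead of commenting it would stop it being re-enabled by accident. The heredoc and method continue past this hunk.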
@@ -1373,8 +1418,12 @@ HEREDOC def rxn(rxn_cmd = "bash") exe = ::Polly::Execute.new - vertical_lookup = YAML.load(File.read("vertical.yaml")) - environment_overrides = vertical_lookup["environment-overrides"] + environment_variables = nil + + if File.exist?("vertical.yaml") + vertical_lookup = YAML.load(File.read("vertical.yaml")) + environment_overrides = vertical_lookup["environment-overrides"] + end env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } From ebbdcded2d8cbcef1f25e65fde3b4113fde877f9 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 31 Jul 2023 11:09:21 +0000 Subject: [PATCH 034/133] bits From 308412757cc8bd25a0a16d2259c5f25c64c1eb66 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 31 Jul 2023 11:12:14 +0000 Subject: [PATCH 035/133] bits From 9ef7a9685c7483a1fc7802fdf493000ed3f27a5e Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 31 Jul 2023 11:14:00 +0000 Subject: [PATCH 036/133] bits From 6784565c9d352b0e7205cb97d45e6125be9c7ac8 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 31 Jul 2023 11:17:57 +0000 Subject: [PATCH 037/133] bits From a26d3d000e7ec2812684d3cded9115407dd75729 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 10 Nov 2023 02:37:40 +0000 Subject: [PATCH 038/133] better container def args detection --- Dockerfile.default | 4 +-- bin/polly | 54 +++++++++++++++++++++++--------------- lib/polly/build.rb | 64 +++++++++++++++++++++++++++++++--------------- 3 files changed, 79 insertions(+), 43 deletions(-) diff --git a/Dockerfile.default b/Dockerfile.default index 0e6361c..0595781 100644 --- a/Dockerfile.default +++ b/Dockerfile.default 
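Review bot: `environment_variables = nil` is assigned but never read, while the name consumed by `env_flags` is `environment_overrides`; the guard only works because Ruby treats a local assigned inside a skipped `if` body as `nil`, so the intended line is surely `environment_overrides = nil`. Separately, `YAML.load(File.read("vertical.yaml"))` on Psych older than 4 is a full load that can instantiate arbitrary Ruby objects from tagged nodes; the file only needs a plain hash, so `YAML.safe_load(File.read("vertical.yaml"))` is the safer spelling with the same result for this data. The `rxn` method continues past this hunk.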
@@ -19,6 +19,7 @@ RUN set -ex; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner; \ + mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.11.1/buildkit-v0.11.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit; \ true; # syntax=docker/dockerfile-upstream:master-experimental FROM base AS gem @@ -31,7 +32,7 @@ COPY --chown=app lib /__w/polly/polly/lib COPY --chown=app bin /__w/polly/polly/bin COPY --chown=app doc /__w/polly/polly/doc RUN set -ex; \ - mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly; \ + mkdir -p /polly/app /app /__w/polly/polly; \ chown -R app.alpha /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app; \ @@ -45,4 +46,3 @@ RUN set -ex; \ gem install --no-document --minimal-deps /home/app/polly-latest.gem && grep -Rn '\.gem\.' /var/lib 2>/dev/null | cut -d: -f1 | sort | uniq | xargs -I{} rm {} && rm /home/app/polly-latest.gem; \ true; USER app -LABEL "org.opencontainers.image.description"="For pollyci" diff --git a/bin/polly b/bin/polly index 702c167..25db1a9 100755 --- a/bin/polly +++ b/bin/polly @@ -410,7 +410,7 @@ class PollyTasks < Thor option "cache", :type => :boolean, :default => true option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false - def build(container_definition="-") + def build(container_definition=nil) default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" 
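Review bot: The added `RUN` step downloads `buildkit-v0.11.1.linux-amd64.tar.gz` with `curl -sL` and installs `bin/buildctl` into `/usr/local/bin` without verifying the artifact, so the image trusts whatever the release URL serves at build time, and without `-f` an HTTP error body is written to the file and only caught incidentally when `tar` cannot parse it. Pin the release by digest and fail on HTTP errors: `curl -fsSL -o buildkit.tar.gz "<url>" && echo "<sha256 from the v0.11.1 release checksums>  buildkit.tar.gz" | sha256sum -c -` before the `tar zxf`. A short comment naming why 0.11.1 specifically is pinned would also help whoever bumps it next.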
@@ -421,34 +421,47 @@ class PollyTasks < Thor app = exe.current_app image_repo = Polly::Config.image_repo - generated_dockerfile = nil - puts [container_definition, default_dockerfile].inspect - if container_definition == "-" && File.exists?(default_pollyfile) + #generated_dockerfile = nil + if container_definition == nil && File.exists?(default_pollyfile) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) generated_dockerfile = Polly::Generate.read_output - elsif container_definition == "-" && File.exists?(default_dockerfile) - #generated_dockerfile = File.read(default_dockerfile) - raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, options["no-cache"]) - exit + elsif container_definition == nil && File.exists?(default_dockerfile) + generated_dockerfile = File.read(default_dockerfile) else generated_dockerfile = File.read(container_definition) - sub_version = container_definition.split(".").last - if sub_version != container_definition - app += "-" + sub_version - end end - #if options["in-cluster"] - # Polly::Generate.all_images.each { |build_image| - # Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) - # } + raise if version.empty? + + Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + + exit + + #if container_definition == "-" && File.exists?(default_pollyfile) + # pollyfile_ruby = File.read(default_pollyfile) + # #TODO: ??? Polly::Generate.options = options + # Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) + # generated_dockerfile = Polly::Generate.read_output + #elsif container_definition == "-" && File.exists?(default_dockerfile) + # #generated_dockerfile = File.read(default_dockerfile) #else - # raise if version.empty? 
- # Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + # generated_dockerfile = File.read(container_definition) + # sub_version = container_definition.split(".").last + # if sub_version != container_definition + # app += "-" + sub_version + # end #end + + ##if options["in-cluster"] + ## Polly::Generate.all_images.each { |build_image| + ## Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) + ## } + ##else + ## raise if version.empty? + ## Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + ##end end # desc "checkout [REPO] [VERSION] [DESTINATION]", "" @@ -1433,8 +1446,9 @@ HEREDOC image_repo = Polly::Config.image_repo tag = Polly::Build.build_image_to_tag(app, "wkndr", version) + puts tag.inspect - cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact #puts cmd.inspect exec(*cmd) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 1a6805e..6c60b00 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
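Review bot: In the rewritten `build`, the final `else` branch executes `generated_dockerfile = File.read(container_definition)` even when `container_definition` is `nil` (no argument given and neither `Pollyfile` nor `Dockerfile` present), which dies with a `TypeError` instead of a usable message; a guard such as `raise ArgumentError, "no Pollyfile, Dockerfile or container definition given" if container_definition.nil?` ahead of the `File.read` covers it. `raise if version.empty?` likewise aborts with an unlabelled `RuntimeError`, where `raise "no git revision found" if version.empty?` costs nothing. The large commented-out copy of the old branching below the `exit` is dead text that shadows the live logic and should go. The `build` method starts in the previous hunk.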
@@ -13,27 +13,30 @@ def self.generated_string_fd(generated_dockerfile) fd end - def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version, force_no_cache) + def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache = false) #TODO: figure out refactor for stdin/generated container image specification - #file = Tempfile.new('Dockerfile', Dir.pwd) - #file.write(generated_dockerfile) - #file.rewind - #puts file.path + file = Tempfile.new('Dockerfile.tmp', Dir.pwd) + dockerfile_path = file.path + "-tmp" + puts File.write(dockerfile_path, generated_dockerfile) + puts :foo + #puts generated_dockerfile.inspect + tag = build_image_to_tag(app, build_image_stage, version) buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, "buildctl", "--addr", "kube-pod://polly-buildkitd-0", "build", + ####"debug", "dump-llb", "--progress=plain", - #"--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", - "--local", "context=.", "--local", "dockerfile=.", + "--local", "context=.", "--local", "dockerfile=.", "--opt", "filename=#{File.basename(dockerfile_path)}", "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true", "--import-cache", "type=registry,ref=polly-registry:23443/#{app}", - #"--import-cache", - #"type=local,src=/polly/safe/buildkit,mode=max", + "--import-cache", + "type=local,src=/polly/safe/buildkit,mode=max", #- --frontend #- dockerfile.v0 #- --local 
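Review bot: Enabling `"--ssh", "default"` together with `{"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}` forwards the developer's entire SSH agent to the remote `kube-pod://polly-buildkitd-0` daemon, so any `RUN --mount=type=ssh` step in any Dockerfile built through this path can sign with every key the agent holds, not only a deploy key. Prefer the narrower form the adjacent comment already hints at, `"--ssh", "default=#{Dir.home}/.ssh/<deploy-key>"`, or make agent forwarding opt-in behind a flag. `file = Tempfile.new('Dockerfile.tmp', Dir.pwd)` is created only to derive `dockerfile_path = file.path + "-tmp"`, which is then written with `File.write` as an ordinary, predictable file in the working directory while the `Tempfile` itself is never closed; the `puts :foo` and `puts File.write(...)` debugging lines should not ship either. This method continues into the next hunk.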
@@ -44,21 +47,40 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "type=inline", "--export-cache", "type=registry,ref=polly-registry:23443/#{app}" - #- --export-cache - #- type=registry,ref=polly-registry:23443/#{app} - #"--export-cache", - #"type=local,dest=/polly/safe/buildkit,mode=max" - #- --output - #- type=tar,dest=/polly-safe/buildkit/#{tag}.tar - #- --output - #- type=image,name=#{app}/#{tag},push=true + ##- --export-cache + ##- type=registry,ref=polly-registry:23443/#{app} + ##"--export-cache", + ##"type=local,dest=/polly/safe/buildkit,mode=max" ##- --output - ##- type=image,name=polly-registry:23443/#{tag},push=true + ##- type=tar,dest=/polly-safe/buildkit/#{tag}.tar + ##- --output + ##- type=image,name=#{app}/#{tag},push=true + ###- --output + ###- type=image,name=polly-registry:23443/#{tag},push=true ] - #puts buildctl_local_cmd.inspect - exe.systemx(*buildctl_local_cmd) || fail("unable to build") - puts "Built and tagged: #{tag} OK" + puts buildctl_local_cmd.inspect + #exe.systemx(*buildctl_local_cmd) || fail("unable to build") + #io_options = {:stdin_data => generated_dockerfile} + #o,e,s = exe.execute_simple(:output, buildctl_local_cmd, {}) + + process_stdin, process_stdout, process_stderr, process_waiter = exe.execute_simple(:async, buildctl_local_cmd, {}) + + $stdout.sync = true + begin + while process_waiter.run + #$stdout.write(".") + $stdout.write(process_stdout.read_nonblock(1024)) rescue IO::EAGAINWaitReadable + $stderr.write(process_stderr.read_nonblock(1024)) rescue IO::EAGAINWaitReadable + end + rescue ThreadError + end + + $stdout.write(process_stdout.read_nonblock(1024)) rescue IO::EAGAINWaitReadable + $stderr.write(process_stderr.read_nonblock(1024)) rescue IO::EAGAINWaitReadable + File.unlink(dockerfile_path) + + puts "Built and tagged: #{tag} OK #{process_waiter.inspect}" end def self.buildkit_external(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) 
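Review bot: The new streaming loop never checks the build's exit status: `exe.systemx(*buildctl_local_cmd) || fail("unable to build")` is commented out, and after the `while process_waiter.run` loop the line `"Built and tagged: #{tag} OK #{process_waiter.inspect}"` is printed unconditionally, so a failed `buildctl` run reports success to the caller. Replace the inspect with a real check, `fail("unable to build") unless process_waiter.value.success?`, assuming `execute_simple(:async, ...)` hands back the `Process::Waiter` from `Open3.popen3`. The single trailing `read_nonblock(1024)` per stream also drops any output beyond 1 KiB that arrives after the process exits, and `File.unlink(dockerfile_path)` belongs in an `ensure` so the temporary Dockerfile is removed when the build raises. This method starts in the previous hunk.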
From ea7efac5b0b303e3e740cf23528687d4f7ff11e2 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 6 Feb 2024 14:24:22 -0500 Subject: [PATCH 039/133] better def rxn --- bin/polly | 68 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 36 insertions(+), 32 deletions(-) diff --git a/bin/polly b/bin/polly index 9ef9814..afd4c84 100755 --- a/bin/polly +++ b/bin/polly @@ -417,21 +417,21 @@ class PollyTasks < Thor exe = ::Polly::Execute.new(options) version = exe.current_revision - branch = exe.current_branch + branch = exe.current_branch.gsub("/", "-") app = exe.current_app image_repo = Polly::Config.image_repo generated_dockerfile = nil - if container_definition == "-" && File.exists?(default_pollyfile) + if (container_definition == "-" || container_definition == default_pollyfile) && File.exists?(default_pollyfile) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) generated_dockerfile = Polly::Generate.read_output - elsif container_definition == "-" && File.exists?(default_dockerfile) + elsif (container_definition == "-" || container_definition == default_dockerfile) && File.exists?(default_dockerfile) #generated_dockerfile = File.read(default_dockerfile) raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, options["no-cache"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, branch, version, options["no-cache"]) exit else generated_dockerfile = File.read(container_definition) @@ -447,7 +447,7 @@ class PollyTasks < Thor } else raise if version.empty? - Polly::Build.buildkit_external(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + Polly::Build.buildkit_external(exe, app, branch, version, generated_dockerfile, options["no-cache"]) end end 
@@ -508,7 +508,7 @@ class PollyTasks < Thor # obv.flush($stdout, $stderr, true) # end - desc "certificates [PRIVATE_KEY] [PUBLIC_KEY]", "installs some common ca certificate secret material into cluster" + desc "certificates [CNAME]", "installs some common ca certificate secret material into cluster" option "namespace", :type => :string, :default => "default" option "mode", :type => :string, :default => "directory" # def certificates(inbound_ssh_key="", inbound_ssh_key_pub="", cname = "polly-registry", cname_two = "0.0.0.0") @@ -608,7 +608,7 @@ class PollyTasks < Thor case options["mode"] - when "k8s-secret" + when "k8s-secrets" polly_certificates = <<-HEREDOC --- apiVersion: v1 @@ -622,27 +622,27 @@ data: dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} ... ---- -apiVersion: v1 -kind: Secret -metadata: - name: "registry-certificates" -type: Opaque -data: - registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} - registry.polly.key: #{Base64.strict_encode64(key.to_pem)} -... ---- -apiVersion: v1 -kind: Secret -metadata: - name: "ca-certificates" -type: Opaque -data: - ca.workstation.crt: #{Base64.strict_encode64(a)} - ca.polly.crt: #{Base64.strict_encode64(b)} - ca-certificates.crt: #{Base64.strict_encode64(c)} -... +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: "registry-certificates" +#type: Opaque +#data: +# registry.polly.pem: #{Base64.strict_encode64(cert.to_pem)} +# registry.polly.key: #{Base64.strict_encode64(key.to_pem)} +#... +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: "ca-certificates" +#type: Opaque +#data: +# ca.workstation.crt: #{Base64.strict_encode64(a)} +# ca.polly.crt: #{Base64.strict_encode64(b)} +# ca-certificates.crt: #{Base64.strict_encode64(c)} +#... HEREDOC obv = ::Polly::Observe.new 
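Review bot: Renaming the mode from `when "k8s-secret"` to `when "k8s-secrets"` silently breaks any existing `--mode=k8s-secret` invocation, which now falls through the `case` with no match and no error. Accept both spellings, `when "k8s-secret", "k8s-secrets"`, or add an `else raise ArgumentError, "unknown mode #{options["mode"]}"` so a mistyped mode is reported instead of ignored. The `case` continues past this hunk.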
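Review bot: Prefixing the `registry-certificates` and `ca-certificates` documents with `#` inside the interpolating `<<-HEREDOC` does not stop `#{Base64.strict_encode64(key.to_pem)}` from being evaluated, so the registry private key is still base64-serialised into the manifest text and piped to `kubectl` on stdin, merely as YAML comments. If those Secrets are no longer wanted, delete the lines from the heredoc rather than commenting them. The `sshd` Secret that stays live still ships `dsa: #{Base64.strict_encode64(data_dsa)}`; OpenSSH has disabled DSA keys by default since 7.0 and is removing the algorithm, so generating and storing one is dead weight unless a consumer on the cluster side still needs it, which deserves a comment if so. The heredoc and method continue past this hunk.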
@@ -1204,11 +1204,15 @@ HEREDOC end desc "rxn", "run app pod" + option "stage", :type => :string, :default => nil def rxn(rxn_cmd = "bash") exe = ::Polly::Execute.new - vertical_lookup = YAML.load(File.read("vertical.yaml")) - environment_overrides = vertical_lookup["environment-overrides"] + environment_overrides = nil + if File.exists?("vertical.yaml") + vertical_lookup = YAML.load(File.read("vertical.yaml")) + environment_overrides = vertical_lookup["environment-overrides"] + end env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } @@ -1217,9 +1221,9 @@ HEREDOC app = exe.current_app image_repo = Polly::Config.image_repo - tag = Polly::Build.build_image_to_tag(app, "wkndr", version) + tag = Polly::Build.build_image_to_tag(app, options["stage"] || branch, version) - cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", rxn_cmd].compact #puts cmd.inspect exec(*cmd) From 28b4408f6b9a8d51e61b4cc344af27207b06c1f9 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 7 Feb 2024 14:51:44 +0000 Subject: [PATCH 040/133] more debug and setup --- .dockerignore | 1 - Pollyfile | 10 ++++++++++ lib/polly/build.rb | 4 +++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.dockerignore b/.dockerignore index e7d4494..b539298 100644 --- a/.dockerignore +++ b/.dockerignore @@ -5,7 +5,6 @@ vendor .circleci .github Dockerfile -Pollyfile Dockerfile.default .dockerignore Gemfile diff --git a/Pollyfile b/Pollyfile index 1a8e3e9..44f4456 100644 --- a/Pollyfile +++ b/Pollyfile 
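Review bot: `tag = Polly::Build.build_image_to_tag(app, options["stage"] || branch, version)` in `rxn` uses the `branch` set earlier in this method as plain `exe.current_branch`, without the `gsub("/", "-")` that `build` now applies in the previous file hunk of this patch, so for any branch containing a slash `rxn` requests a tag that `build` never pushed and that is not even a legal image tag. Derive the tag identically in both places, ideally through one helper such as `exe.current_branch_tag`, or at least apply `branch = exe.current_branch.gsub("/", "-")` here too. The `rxn` method continues past this hunk.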
@@ -96,7 +96,17 @@ run %q{gem install --no-document --minimal-deps /home/app/polly-latest.gem && grep -Rn '\.gem\.' /var/lib 2>/dev/null | cut -d: -f1 | sort | uniq | xargs -I{} rm {} && rm /home/app/polly-latest.gem} + run %q{ln -sf /usr/local/bin/polly /bin/dockerfile-frontend} + + command("COPY") { + "--chown=app Pollyfile /home/app/Pollyfile" + } + app + + command("ENTRYPOINT") { + '["/bin/dockerfile-frontend"]' + } } #description("For pollyci") diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 6c60b00..acb3c13 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -59,10 +59,12 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version ###- type=image,name=polly-registry:23443/#{tag},push=true ] - puts buildctl_local_cmd.inspect + puts buildctl_local_cmd.join(" ") + #.inspect #exe.systemx(*buildctl_local_cmd) || fail("unable to build") #io_options = {:stdin_data => generated_dockerfile} #o,e,s = exe.execute_simple(:output, buildctl_local_cmd, {}) + #exit process_stdin, process_stdout, process_stderr, process_waiter = exe.execute_simple(:async, buildctl_local_cmd, {}) From 7e85d5af9b5461edf6de7ace2cd70f863bb1f32f Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 7 Feb 2024 15:05:55 +0000 Subject: [PATCH 041/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00f6f77..279a89f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.27.0] - 2024-02-07 - Jon Bardin + +Merge build features + +####### + # [4.26.0] - 2023-05-19 - Jon add more build/run options diff --git a/VERSION b/VERSION index 4731277..238cd7a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.26.0 \ No newline at end of file +4.27.0 \ No newline at end of file From b0a4dc81db035f731b05df92d5a679cd35bdc192 Mon Sep 17 00:00:00 2001 
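Review bot: `puts buildctl_local_cmd.join(" ")` renders the leading environment hash through its `to_s`, so the line begins with `{"SSH_AUTH_SOCK"=>"/path/to/agent"}` and is neither a pasteable command nor free of local socket paths. If the intent is a reproducible command line, print `buildctl_local_cmd.drop(1).join(" ")` and gate it behind a verbose option rather than emitting it on every build. The method starts in the previous hunk.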
From: Jon Date: Wed, 7 Feb 2024 17:08:49 -0500 Subject: [PATCH 042/133] add --stage support --- bin/polly | 5 ++-- lib/polly/build.rb | 65 ++++++++++------------------------------------ 2 files changed, 17 insertions(+), 53 deletions(-) diff --git a/bin/polly b/bin/polly index b1f3256..a9d2d87 100755 --- a/bin/polly +++ b/bin/polly @@ -410,6 +410,7 @@ class PollyTasks < Thor option "cache", :type => :boolean, :default => true option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false + option "stage", :type => :string, :default => nil def build(container_definition=nil) default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" @@ -431,7 +432,7 @@ class PollyTasks < Thor elsif (container_definition == "-" || container_definition == default_dockerfile) && File.exists?(default_dockerfile) #generated_dockerfile = File.read(default_dockerfile) raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, branch, version, options["no-cache"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, options["stage"], options["no-cache"]) exit #elsif container_definition == nil && File.exists?(default_dockerfile) # generated_dockerfile = File.read(default_dockerfile) @@ -1500,7 +1501,7 @@ HEREDOC env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } version = exe.current_revision - branch = exe.current_branch + branch = exe.current_branch.gsub("/", "-") app = exe.current_app image_repo = Polly::Config.image_repo diff --git a/lib/polly/build.rb b/lib/polly/build.rb index acb3c13..5a724d3 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
@@ -13,15 +13,8 @@ def self.generated_string_fd(generated_dockerfile) fd end - def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache = false) - #TODO: figure out refactor for stdin/generated container image specification - file = Tempfile.new('Dockerfile.tmp', Dir.pwd) - dockerfile_path = file.path + "-tmp" - puts File.write(dockerfile_path, generated_dockerfile) - puts :foo - #puts generated_dockerfile.inspect - - tag = build_image_to_tag(app, build_image_stage, version) + def self.buildkit_workstation_to_controller(exe, app, version, branch, build_image_stage, force_no_cache = nil) + tag = build_image_to_tag(app, build_image_stage || branch, version) buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, "buildctl", 
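Review bot: The new signature `def self.buildkit_workstation_to_controller(exe, app, version, branch, build_image_stage, force_no_cache = nil)` reorders positional parameters relative to the old `(exe, app, build_image_stage, version, ...)`, and because `version`, `branch` and `build_image_stage` are all strings, a caller not updated in lockstep builds and tags a silently swapped image instead of failing. Keyword arguments, `def self.buildkit_workstation_to_controller(exe, app, version:, branch:, stage: nil, no_cache: nil)`, make the contract visible at every call site. Dropping `generated_dockerfile` also means a Pollyfile-generated definition can no longer reach this path; that matches `build` calling it only from the Dockerfile branch, but a one-line comment stating that this method builds `./Dockerfile` from the working directory would save the next reader the inference. The method continues into the next hunk.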
@@ -31,58 +24,28 @@ def self.buildkit_workstation_to_controller(exe, app, build_image_stage, version "--progress=plain", "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", - "--local", "context=.", "--local", "dockerfile=.", "--opt", "filename=#{File.basename(dockerfile_path)}", + "--local", "context=.", "--local", "dockerfile=.", + #"--opt", "filename=#{File.basename(dockerfile_path)}", "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true", "--import-cache", "type=registry,ref=polly-registry:23443/#{app}", "--import-cache", - "type=local,src=/polly/safe/buildkit,mode=max", - #- --frontend - #- dockerfile.v0 - #- --local - #- context=/home/app/#{app} - #- --local - #- dockerfile=/tmp/#{app} + "type=local,src=/var/tmp/polly-safe/buildkit,mode=max", "--export-cache", "type=inline", "--export-cache", - "type=registry,ref=polly-registry:23443/#{app}" - ##- --export-cache - ##- type=registry,ref=polly-registry:23443/#{app} - ##"--export-cache", - ##"type=local,dest=/polly/safe/buildkit,mode=max" - ##- --output - ##- type=tar,dest=/polly-safe/buildkit/#{tag}.tar - ##- --output - ##- type=image,name=#{app}/#{tag},push=true - ###- --output - ###- type=image,name=polly-registry:23443/#{tag},push=true - + "type=registry,ref=polly-registry:23443/#{app}", + "--export-cache", + "type=local,dest=/var/tmp/polly-safe/buildkit,mode=max" # this is client-side ] - puts buildctl_local_cmd.join(" ") - #.inspect - #exe.systemx(*buildctl_local_cmd) || fail("unable to build") - #io_options = {:stdin_data => generated_dockerfile} - #o,e,s = exe.execute_simple(:output, buildctl_local_cmd, {}) - #exit - - process_stdin, process_stdout, process_stderr, process_waiter = exe.execute_simple(:async, buildctl_local_cmd, {}) - - $stdout.sync = true - begin - while process_waiter.run - #$stdout.write(".") - $stdout.write(process_stdout.read_nonblock(1024)) rescue IO::EAGAINWaitReadable - 
$stderr.write(process_stderr.read_nonblock(1024)) rescue IO::EAGAINWaitReadable - end - rescue ThreadError - end - $stdout.write(process_stdout.read_nonblock(1024)) rescue IO::EAGAINWaitReadable - $stderr.write(process_stderr.read_nonblock(1024)) rescue IO::EAGAINWaitReadable - File.unlink(dockerfile_path) + if build_image_stage + buildctl_local_cmd += ["--opt", "target=#{build_image_stage}"] + end - puts "Built and tagged: #{tag} OK #{process_waiter.inspect}" + puts buildctl_local_cmd.inspect + exe.systemx(*buildctl_local_cmd) || fail("unable to build") + puts "Built and tagged: #{tag} OK" end def self.buildkit_external(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) From a0d1a00035f643c935411a6bf1decd22a9979c17 Mon Sep 17 00:00:00 2001 From: Jon Date: Wed, 28 Feb 2024 22:56:59 -0500 Subject: [PATCH 043/133] better args passing --- bin/polly | 8 +++++--- lib/polly/build.rb | 11 ++++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/bin/polly b/bin/polly index a9d2d87..70ba396 100755 --- a/bin/polly +++ b/bin/polly @@ -411,6 +411,7 @@ class PollyTasks < Thor option "explain", :type => :boolean, :default => false option "in-cluster", :type => :boolean, :default => false option "stage", :type => :string, :default => nil + option "push", :type => :string, :default => nil def build(container_definition=nil) default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" 
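Review bot: `force_no_cache` is accepted by the new signature but never referenced in the body, so `polly build --no-cache` has no effect on `buildctl`; append `buildctl_local_cmd += ["--no-cache"] if force_no_cache` beside the `target=` handling. The cache is also now imported from `type=local,src=/var/tmp/polly-safe/buildkit`, a path under the world-writable `/var/tmp`; any local user who creates `/var/tmp/polly-safe/buildkit` first can seed layers that subsequent builds import and push as trusted images, so use a per-user location such as `File.join(Dir.home, ".cache", "polly", "buildkit")` or create the directory with mode 0700 before the first export. The method starts in the previous hunk.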
@@ -424,15 +425,16 @@ class PollyTasks < Thor generated_dockerfile = nil + if (container_definition == nil || container_definition == "-" || container_definition == default_pollyfile) && File.exists?(default_pollyfile) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) generated_dockerfile = Polly::Generate.read_output - elsif (container_definition == "-" || container_definition == default_dockerfile) && File.exists?(default_dockerfile) + elsif (container_definition != nil || container_definition == "-" || container_definition == default_dockerfile) && File.exists?(container_definition) #generated_dockerfile = File.read(default_dockerfile) raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, options["stage"], options["no-cache"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"]) exit #elsif container_definition == nil && File.exists?(default_dockerfile) # generated_dockerfile = File.read(default_dockerfile) 
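Review bot: The new condition `(container_definition != nil || container_definition == "-" || container_definition == default_dockerfile) && File.exists?(container_definition)` reduces to `container_definition && File.exists?(container_definition)`, since both equality tests are subsumed by `!= nil`; the `"-"` case is consequently honoured only if a file literally named `-` exists and otherwise falls to the `else` branch, whose `File.read("-")` raises `ENOENT`. `File.exists?` was removed in Ruby 3.2, so on a current interpreter this branch fails with `NoMethodError` before any of that; use `File.exist?`. Spelling the condition as `elsif container_definition && File.exist?(container_definition)` says what is meant. The `build` method continues past this hunk.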
@@ -1509,7 +1511,7 @@ HEREDOC #tag = Polly::Build.build_image_to_tag(app, "wkndr", version) puts tag.inspect - cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--", rxn_cmd].compact + cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact # cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact puts cmd.inspect diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 5a724d3..eb615f2 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -13,7 +13,7 @@ def self.generated_string_fd(generated_dockerfile) fd end - def self.buildkit_workstation_to_controller(exe, app, version, branch, build_image_stage, force_no_cache = nil) + def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil) tag = build_image_to_tag(app, build_image_stage || branch, version) buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, @@ -25,8 +25,7 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, build_ima "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", - #"--opt", "filename=#{File.basename(dockerfile_path)}", - "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true", + "--opt", "filename=#{dockerfile_path}", "--import-cache", "type=registry,ref=polly-registry:23443/#{app}", "--import-cache", 
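Review bot: `"--opt", "filename=#{dockerfile_path}"` passes the user-supplied `container_definition` path verbatim while the preceding `"--local", "dockerfile=."` exports only the working directory, so `polly build ../other/Dockerfile` or an absolute path cannot be resolved by the frontend, and a relative `sub/Dockerfile` works only because it happens to sit under `.`. Export the directory that actually holds the file: `"--local", "dockerfile=#{File.dirname(dockerfile_path)}", "--opt", "filename=#{File.basename(dockerfile_path)}"`. The `--output` line removed here is re-added conditionally further down the method, outside this hunk.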
@@ -43,6 +42,12 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, build_ima buildctl_local_cmd += ["--opt", "target=#{build_image_stage}"] end + if push_stage + buildctl_local_cmd += ["--output", "type=image,name=#{push_stage}/#{tag.split(":").last},push=true"] + else + buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] + end + puts buildctl_local_cmd.inspect exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" From 81a7f4cae160a2a65a2d7e4dcb0b101dd060e5b0 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Sun, 31 Mar 2024 09:40:46 +0000 Subject: [PATCH 044/133] add polly deploy command --- bin/polly | 52 ++++++++++++++++++++++++++++ lib/polly.rb | 1 + lib/polly/config.rb | 2 +- lib/polly/document_stream_handler.rb | 18 ++++++++++ 4 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 lib/polly/document_stream_handler.rb diff --git a/bin/polly b/bin/polly index 70ba396..5360f38 100755 --- a/bin/polly +++ b/bin/polly 
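Review bot: When `--push` is given, the output name is assembled as `name=#{push_stage}/#{tag.split(":").last}`, which keeps only the part of `tag` after the colon and joins it with `/`; if `tag` has the `app:stage-version` shape that `deploy` later composes by hand, the image lands in repository `<push_stage>/<stage-version>` with an implicit `latest` tag and the app name is lost. Unless `--push` is meant to be the full repository and the separator is a typo, this should read `"--output", "type=image,name=#{push_stage}/#{tag},push=true"` (or `#{push_stage}:#{tag.split(":").last}` if `--push` names the repository). `push=true` to an arbitrary user-typed registry also merits a confirmation or an allow-list, since a mistyped `--push` value ships the image outside the cluster. The method starts in the previous hunk.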
@@ -482,6 +482,58 @@ class PollyTasks < Thor ##end end + desc "deploy", "deploys kubernetes resources" + def deploy(glob = "kubernetes/**/*yaml") + exe = ::Polly::Execute.new(options) + + version = exe.current_revision + branch = exe.current_branch.gsub("/", "-") + app = exe.current_app + image_repo = Polly::Config.image_repo + + resource_paths = Dir.glob(glob) + + all_resources_yaml = "" + + document_handler_switch = Proc.new do |document| + add_to_pending_documents = false + + description = document.to_ruby + + next unless description + + kind = description["kind"] + name = description["metadata"]["name"] + + case kind + when "Service" + + when "Deployment", "ReplicationController" + description["spec"]["template"]["spec"]["initContainers"].each { |c| + if c["image"] == app + ":latest" + c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) + end + } + description["spec"]["template"]["spec"]["containers"].each { |c| + if c["image"] == app + ":latest" + c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) + end + } + + else + end + + all_resources_yaml << description.to_yaml + "\n...\n" + end + + handler = Polly::DocumentStreamHandler.new(&document_handler_switch) + parser = Psych::Parser.new(handler) + resource_paths.each { |resource_path| + parser.parse(File.read(resource_path), resource_path) + } + puts all_resources_yaml + end + # desc "checkout [REPO] [VERSION] [DESTINATION]", "" # def checkout(repo, version, destination) # obv = ::Polly::Observe.new diff --git a/lib/polly.rb b/lib/polly.rb index 5e236b5..158a3c7 100644 --- a/lib/polly.rb +++ b/lib/polly.rb @@ -32,4 +32,5 @@ class Error < StandardError; end autoload 'Job', 'polly/job' autoload 'Observe', 'polly/observe' autoload 'Plan', 'polly/plan' + autoload 'DocumentStreamHandler', 'polly/document_stream_handler' end diff --git a/lib/polly/config.rb b/lib/polly/config.rb index 04e5de4..2889509 100644 --- a/lib/polly/config.rb 
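Review bot: `description["spec"]["template"]["spec"]["initContainers"].each` in the new `deploy` command raises `NoMethodError` on `nil` for any Deployment without `initContainers`, which is the common case; wrap both lookups as `Array(description["spec"]["template"]["spec"]["initContainers"]).each { |c| ... }` and do the same for `containers`. `document.to_ruby` on each parsed node is the full, non-safe Psych conversion, so a manifest under `kubernetes/**/*yaml` carrying a `!ruby/object` tag is instantiated on the workstation at deploy time; only plain hashes are expected, so convert via e.g. `Psych.safe_load(document.to_yaml)` or a `Psych::Visitors::ToRuby` built on `Psych::ClassLoader::Restricted`. `name = description["metadata"]["name"]` is unused and the `when "Service"` branch is empty, both of which read as unfinished. The `deploy` method is complete within this hunk.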
+++ b/lib/polly/config.rb @@ -15,7 +15,7 @@ def self.allowed_contexts end def self.image_repo - rc["image_repo"] || "polly-registry:443" + rc["image_repo"] || "polly-registry:23443" end end end diff --git a/lib/polly/document_stream_handler.rb b/lib/polly/document_stream_handler.rb new file mode 100644 index 0000000..1fd75ea --- /dev/null +++ b/lib/polly/document_stream_handler.rb @@ -0,0 +1,18 @@ +module Polly + class DocumentStreamHandler < Psych::TreeBuilder + def initialize &block + super + @block = block + end + + def end_document implicit_end = !streaming? + @last.implicit_end = implicit_end + @block.call pop + end + + def start_document version, tag_directives, implicit + n = Psych::Nodes::Document.new version, tag_directives, implicit + push n + end + end +end From 8d504c27d4340142867b576477f2ed130eb53d8e Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Sun, 31 Mar 2024 23:46:45 +0000 Subject: [PATCH 045/133] add polly gitch && polly build && polly deploy loop support --- bin/polly | 72 ++++++++++++++++++++++++++++++++------------ lib/polly/execute.rb | 4 +++ 2 files changed, 56 insertions(+), 20 deletions(-) diff --git a/bin/polly b/bin/polly index 5360f38..ef1c601 100755 --- a/bin/polly +++ b/bin/polly @@ -116,7 +116,7 @@ class PollyTasks < Thor if msg = options["m"] if exe.systemx("git", "add", ".") - if exe.systemx("git", "commit", "-m", (msg.length > 1) ? msg : "wip") + if exe.systemx(*["git", "commit", "-m", (msg.length > 1) ? msg : "wip", (msg.length > 1) ? nil : "--allow-empty"].compact) exit(0) end end @@ -509,6 +509,8 @@ class PollyTasks < Thor when "Service" when "Deployment", "ReplicationController" + description["metadata"]["labels"].merge!(exe.polly_labels) + description["spec"]["template"]["metadata"]["labels"].merge!(exe.polly_labels) description["spec"]["template"]["spec"]["initContainers"].each { |c| if c["image"] == app + ":latest" c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) 
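Review bot: `description["metadata"]["labels"].merge!(exe.polly_labels)` and the template-level `...["metadata"]["labels"].merge!` both assume a `labels` map is already present, but `labels` is optional in Kubernetes metadata, so a Deployment without one crashes `deploy` with `NoMethodError` on `nil`. Create the map on demand, `(description["metadata"]["labels"] ||= {}).merge!(exe.polly_labels)`, and likewise for the template metadata; that also guarantees the `polly-current-app` selector that `waitx` and `logs` query in this series is present on every pod. The `deploy` method starts before this hunk.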
@@ -531,7 +533,14 @@ class PollyTasks < Thor resource_paths.each { |resource_path| parser.parse(File.read(resource_path), resource_path) } - puts all_resources_yaml + #puts all_resources_yaml + + apply_yaml = ["kubectl", "apply", "-f", "-"] + create_options = {:stdin_data => all_resources_yaml} + o,e,s = exe.execute_simple(:output, apply_yaml, create_options) + puts o + puts e + fail unless s end # desc "checkout [REPO] [VERSION] [DESTINATION]", "" 
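Review bot: `fail unless s` after the `kubectl apply -f -` call raises a bare RuntimeError with no message, so a failed apply surfaces as an unhandled-exception backtrace rather than a clear exit, and `puts e` sends kubectl's stderr to stdout where it mixes with the applied-resource output. Report the failure explicitly: `$stderr.puts e` and `abort("kubectl apply failed for #{resource_paths.join(', ')}") unless s`. The command is a fixed argv and the YAML travels over stdin, so nothing here is shell-interpolated. `deploy` begins outside this hunk.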
@@ -1578,34 +1587,57 @@ HEREDOC end desc "waitx", "TBD: wait for pod availability, execute subsequent command" - def waitx(clean_name, *cmd) + def waitx(*cmd) exe = ::Polly::Execute.new - #$stderr.write("waiting for deploy\n") - exe.execute_simple(:silent, ["kubectl", "wait", "--for=condition=available", "deployment/#{clean_name}"], {}) + waited_for_deployments = false + while !waited_for_deployments + #$stderr.write("waiting for deploy\n") + o,e,waited_for_deployments = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=available", "deployment", "-l", URI.encode_www_form(exe.polly_labels.to_a).gsub("&",","), "--timeout=30s"], {}) + puts o + puts e + end - #$stderr.write("listing pods\n") - find_all_pods = "kubectl get pods -l name=#{clean_name} -o name | cut -d/ -f2" - a = IO.popen(find_all_pods).read.strip - exe.wait_child - all_pods = a.split("\n") + waited_for_pods = false + while !waited_for_pods + #$stderr.write("waiting for deploy\n") + o,e,waited_for_pods = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=ready", "pod", "-l", URI.encode_www_form(exe.polly_labels.to_a).gsub("&",","), "--timeout=30s"], {}) + puts o + puts e + end - pod_index = 0 - kube_exec_cmd = [ - "kubectl", "exec", - all_pods[pod_index], - "--" - ] + cmd + unless cmd.empty? 
+ $stderr.write("listing pods\n") + find_all_pods = "kubectl get pods -l #{URI.encode_www_form(exe.polly_labels.to_a).gsub("&",",")} -o name | cut -d/ -f2" + a = IO.popen(find_all_pods).read.strip + exe.wait_child + all_pods = a.split("\n") - o,e,s = exe.execute_simple(:output, kube_exec_cmd, {}) - #TODO - puts [e, e, s] unless s + pod_index = 0 + kube_exec_cmd = [ + "kubectl", "exec", + all_pods[pod_index], + "--" + ] + cmd + + #puts kube_exec_cmd.join(" ") + + o,e,s = exe.execute_simple(:output, kube_exec_cmd, {}) + + if s + puts o + else + puts e + fail + end + end end desc "logs", "fetch logs from polly controller pod" + option "polly", :type => :boolean, :default => false def logs exe = ::Polly::Execute.new - exec(*["kubectl", "logs", exe.polly_pod, "-f"].compact) + exec(*["kubectl", "logs", "-l", URI.encode_www_form(exe.polly_labels.to_a).gsub("&",","), "-f"].compact, "--max-log-requests=128") end desc "dev [PROCFILE]", "runs processes as outlined in Procfile" diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 0a7102a..13ebfdd 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -88,6 +88,10 @@ def current_app end end + def polly_labels + {"polly-current-app" => current_app} + end + def current_branch @current_branch ||= begin a = IO.popen("git rev-parse --abbrev-ref HEAD").read.strip From 504438651a7722a66729962a7c777907d0e5fa21 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:09:46 +0000 Subject: [PATCH 046/133] rebootstrap on debian bookworm --- .gitignore | 1 + Dockerfile.default | 11 +++++++---- Pollyfile | 13 +++++++++---- bin/polly | 23 ++++++++++++++++++++++- polly.gemspec | 2 +- 5 files changed, 40 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 96cfcb2..3c4bc78 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .bundle vendor Gemfile.lock +Dockerfile-pollygen* diff --git a/Dockerfile.default b/Dockerfile.default index 0595781..c99fb20 100644 --- a/Dockerfile.default 
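Review bot: Both `while !waited_for_deployments` and `while !waited_for_pods` retry `kubectl wait` forever when the rollout never becomes available or ready, because a false status only restarts the loop and nothing counts attempts, so a broken deploy hangs the CLI indefinitely. The selector expression `URI.encode_www_form(exe.polly_labels.to_a).gsub("&",",")` is repeated four times across `waitx` and `logs`; compute it once, or expose it from `Execute` next to `polly_labels`. The `polly` option added to `logs` is declared but never read in the body. Bounding the waits and de-duplicating the selector looks like this:
```ruby
selector = URI.encode_www_form(exe.polly_labels.to_a).gsub("&", ",")
max_attempts = 20 # constructed bound (20 x 30s); tune to the expected rollout time
[["deployment", "--for=condition=available"], ["pod", "--for=condition=ready"]].each do |resource, condition|
  max_attempts.times do |attempt|
    o, e, ok = exe.execute_simple(:output, ["kubectl", "wait", condition, resource, "-l", selector, "--timeout=30s"], {})
    puts o
    puts e
    break if ok
    raise "timed out waiting for #{resource} matching #{selector}" if attempt == max_attempts - 1
  end
end
# … unchanged: optional kubectl exec into the first matching pod …
```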
+++ b/Dockerfile.default @@ -1,5 +1,5 @@ # syntax=docker/dockerfile-upstream:master-experimental -FROM ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168 AS base +FROM public.ecr.aws/debian/debian:bookworm-20240311-slim AS base USER root ENV DEBIAN_FRONTEND=noninteractive LC_ALL=C.UTF-8 LANG=en_US LANGUAGE=en_US ACCEPT_EULA=y RUN set -ex; \ 
@@ -14,12 +14,12 @@ RUN set -ex; \ apt-get update; apt-get install -y locales locales-all; apt-get clean; \ test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); \ apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; \ - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add; \ - apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"; \ + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ + echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner; \ - mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.11.1/buildkit-v0.11.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit; \ + mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.13.1/buildkit-v0.13.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit; \ true; # syntax=docker/dockerfile-upstream:master-experimental FROM base AS gem 
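Review bot: The buildkit line still fetches `buildkit-v0.13.1.linux-amd64.tar.gz` with `curl -sL` — no `-f`, so an HTTP error body is saved as the tarball and the failure only shows up as a confusing `tar` error — and then extracts and installs `buildctl` without any integrity check, so what lands in `/usr/local/bin` of the base image is whatever the download returned. Use `curl -fsSL` as the key-fetch line above already does, and verify the archive against a pinned digest before extracting, e.g. `echo "<SHA256-OF-RELEASE-TARBALL>  buildkit.tar.gz" | sha256sum -c -` (the value comes from the upstream release's checksums file). The same line is duplicated in the Pollyfile hunk of this commit and in the workflow hunk of the next one; keeping version and digest in one place, as the Pollyfile's `buildkit_version` variable starts to do, would stop the three copies drifting. The `gpg --dearmor -o /etc/apt/keyrings/...` line presumes `/etc/apt/keyrings` already exists on the slim image; a preceding `install -d -m 0755 /etc/apt/keyrings` would make it robust.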
@@ -44,5 +44,8 @@ WORKDIR /home/app COPY --chown=app --from=gem /home/app/polly-latest.gem /home/app/polly-latest.gem RUN set -ex; \ gem install --no-document --minimal-deps /home/app/polly-latest.gem && grep -Rn '\.gem\.' /var/lib 2>/dev/null | cut -d: -f1 | sort | uniq | xargs -I{} rm {} && rm /home/app/polly-latest.gem; \ + ln -sf /usr/local/bin/polly /bin/dockerfile-frontend; \ true; +COPY --chown=app Pollyfile /home/app/Pollyfile USER app +ENTRYPOINT ["/bin/dockerfile-frontend"] diff --git a/Pollyfile b/Pollyfile index 44f4456..af07b4c 100644 --- a/Pollyfile +++ b/Pollyfile @@ -1,9 +1,10 @@ #!/usr/bin/env ruby @base = image { - stage "base", "ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168" + #stage "base", "ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168" #stage "base", "ghcr.io/unhookd/polly:3.0-rc1" #stage "base", "ubuntu:jammy-20220421" + stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" root 
@@ -29,14 +30,18 @@ apt %w{vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper} - run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} - run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} + #run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} + #run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} + run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} + run %q{echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list} + apt %w{kubectl} run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) app} run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner} - run %q{mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.11.1/buildkit-v0.11.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit} + buildkit_version = "v0.13.1" + run %Q{mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/#{buildkit_version}/buildkit-#{buildkit_version}.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit} } # image declares container artifacts diff --git a/bin/polly b/bin/polly index ef1c601..27217ef 100755 --- a/bin/polly +++ b/bin/polly 
@@ -425,17 +425,38 @@ class PollyTasks < Thor generated_dockerfile = nil - if (container_definition == nil || container_definition == "-" || container_definition == default_pollyfile) && File.exists?(default_pollyfile) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) generated_dockerfile = Polly::Generate.read_output + + file = Tempfile.new('Dockerfile-pollygen-', Dir.pwd) + file_path = file.path + file.unlink + + File.write(file_path, generated_dockerfile) + puts file_path + #tag = build_image_to_tag(app, build_image_stage, version) + #buildctl_local_cmd = [ + # {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, + # "buildctl", + # "--addr", "kube-pod://polly-buildkitd-0", + # "build", + # "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + # "--frontend", "dockerfile.v0", + # "--local", "context=.", "--local", "dockerfile=.", #"--opt", "filename=#{File.basename(file.path)}", + + raise if version.empty? + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"]) + exit + elsif (container_definition != nil || container_definition == "-" || container_definition == default_dockerfile) && File.exists?(container_definition) #generated_dockerfile = File.read(default_dockerfile) raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"]) exit + #elsif container_definition == nil && File.exists?(default_dockerfile) # generated_dockerfile = File.read(default_dockerfile) else diff --git a/polly.gemspec b/polly.gemspec index bbd00d1..50da351 100644 --- a/polly.gemspec +++ b/polly.gemspec 
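Review bot: `file = Tempfile.new(...)`, `file.unlink`, then `File.write(file_path, generated_dockerfile)` discards what the Tempfile gave you — a uniquely created 0600 file — and recreates an ordinary file at a now-unreserved name with default permissions, and nothing deletes it afterwards (hence the `Dockerfile-pollygen*` .gitignore entry in this commit). Write through the handle instead, `file.write(generated_dockerfile); file.flush`, pass `File.basename(file.path)` to the build, and remove it in an `ensure` (`file.close!`); the `exit` inside the branch still runs `ensure` blocks. `puts file_path` reads like a leftover debug print. The unchanged `File.exists?` calls in these conditions are removed in Ruby 3.2, so if the bookworm rebootstrap is headed there, `File.exist?` is the spelling to use.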
@@ -20,6 +20,6 @@ Gem::Specification.new do |spec| spec.add_dependency "thor", "= 1.2.2" spec.add_dependency "net-ssh", "~> 6.0" - spec.add_dependency "yajl-ruby", "= 1.4.1" + spec.add_dependency "yajl-ruby", "~> 1.4.3" spec.add_dependency "guard", "~> 2.18" end From 2eed3df64dc72cb10bfbc088bd06767237839f74 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:13:45 +0000 Subject: [PATCH 047/133] use specific version --- bin/polly | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 27217ef..ce559c5 100755 --- a/bin/polly +++ b/bin/polly @@ -1242,7 +1242,8 @@ spec: containers: #####<<<<<<< HEAD - name: buildkitd - image: moby/buildkit:master-rootless + image: moby/buildkit:v0.13.1-rootless + #image: moby/buildkit:master-rootless args: - --oci-worker-no-process-sandbox readinessProbe: From e347556eda74a4d8b1c1198f1fc3c5e28bff47da Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:21:52 +0000 Subject: [PATCH 048/133] rebootstrap gha action --- .github/workflows/primary.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 67de6fc..65b14a6 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml @@ -16,8 +16,8 @@ jobs: container: options: "--user 0" - #image: ubuntu:jammy-20220421 - image: ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168 + image: public.ecr.aws/debian/debian:bookworm-20240311-slim + #image: ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168 steps: - uses: actions/checkout@v3 
@@ -37,11 +37,12 @@ jobs: apt-get update; apt-get install -y locales locales-all; apt-get clean; test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add; - apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"; + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; + echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; apt-get update; apt-get install -y kubectl; apt-get clean; usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner; + mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.13.1/buildkit-v0.13.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit; mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly; chown -R app.alpha /home/app /polly /app /__w/polly/polly; From 50e611d3fbeb69a9d8f0a73dfa624bca192cc8c8 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:24:24 +0000 Subject: [PATCH 049/133] add missing envs --- .github/workflows/primary.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 65b14a6..71bbc2d 100644 --- a/.github/workflows/primary.yml 
+++ b/.github/workflows/primary.yml @@ -26,6 +26,12 @@ jobs: run: | set -ex + export DEBIAN_FRONTEND="noninteractive" + export LC_ALL="C.UTF-8" + export LANG="en_US" + export LANGUAGE="en_US" + export ACCEPT_EULA="y" + (getent group alpha || groupadd --gid 121 alpha); (getent group tau || groupadd --gid 123 tau); (getent group beta || groupadd --gid 134 beta); From dbae6726e3d89b4a39a9b1b65d970fd99ce5abb8 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:26:28 +0000 Subject: [PATCH 050/133] rebootstrap from this branch base image --- .github/workflows/primary.yml | 4 ++-- Dockerfile.default | 2 +- Pollyfile | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 71bbc2d..2907aaa 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml @@ -16,8 +16,8 @@ jobs: container: options: "--user 0" - image: public.ecr.aws/debian/debian:bookworm-20240311-slim - #image: ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168 + #image: public.ecr.aws/debian/debian:bookworm-20240311-slim + image: ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586 steps: - uses: actions/checkout@v3 diff --git a/Dockerfile.default b/Dockerfile.default index c99fb20..a093fce 100644 --- a/Dockerfile.default +++ b/Dockerfile.default @@ -1,5 +1,5 @@ # syntax=docker/dockerfile-upstream:master-experimental -FROM public.ecr.aws/debian/debian:bookworm-20240311-slim AS base +FROM ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586 AS base USER root ENV DEBIAN_FRONTEND=noninteractive LC_ALL=C.UTF-8 LANG=en_US LANGUAGE=en_US ACCEPT_EULA=y RUN set -ex; \ diff --git a/Pollyfile b/Pollyfile index af07b4c..0e40349 100644 --- a/Pollyfile +++ b/Pollyfile 
@@ -1,10 +1,10 @@ #!/usr/bin/env ruby @base = image { - #stage "base", "ghcr.io/unhookd/polly:3.0-rc1@sha256:7cc65086b101fe352a8ff83180888f0f7079b2f80139b0f39ba7b2a4cb34b168" + stage "base", "ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586" #stage "base", "ghcr.io/unhookd/polly:3.0-rc1" #stage "base", "ubuntu:jammy-20220421" - stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" + #stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" root From bbac7627c658686ba1b253e22f8d8135c3dd27cc Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:29:21 +0000 Subject: [PATCH 051/133] add --no-tty ? --- .github/workflows/primary.yml | 2 +- Dockerfile.default | 2 +- Pollyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 2907aaa..6309246 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml 
@@ -43,7 +43,7 @@ jobs: apt-get update; apt-get install -y locales locales-all; apt-get clean; test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; apt-get update; apt-get install -y kubectl; apt-get clean; usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; diff --git a/Dockerfile.default b/Dockerfile.default index a093fce..64e7d94 100644 --- a/Dockerfile.default +++ b/Dockerfile.default 
@@ -14,7 +14,7 @@ RUN set -ex; \ apt-get update; apt-get install -y locales locales-all; apt-get clean; \ test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); \ apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; \ - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; \ diff --git a/Pollyfile b/Pollyfile index 0e40349..180b500 100644 --- a/Pollyfile +++ b/Pollyfile @@ -32,7 +32,7 @@ #run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} #run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} - run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} + run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} run %q{echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list} apt %w{kubectl} From f951173895851e33347155908d9ac339c78092f5 Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Mon, 1 Apr 2024 00:32:03 +0000 Subject: [PATCH 052/133] try --batch ? --- .github/workflows/primary.yml | 2 +- Dockerfile.default | 2 +- Pollyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 6309246..c7db18e 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml @@ -43,7 +43,7 @@ jobs: apt-get update; apt-get install -y locales locales-all; apt-get clean; test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; apt-get update; apt-get install -y kubectl; apt-get clean; usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; diff --git a/Dockerfile.default b/Dockerfile.default index 64e7d94..025bfb0 100644 --- a/Dockerfile.default +++ b/Dockerfile.default 
@@ -14,7 +14,7 @@ RUN set -ex; \ apt-get update; apt-get install -y locales locales-all; apt-get clean; \ test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); \ apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; \ - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ + curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; \ diff --git a/Pollyfile b/Pollyfile index 180b500..eb394d3 100644 --- a/Pollyfile +++ b/Pollyfile @@ -32,7 +32,7 @@ #run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} #run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} - run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} + run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} run %q{echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list} apt %w{kubectl} 
From 127f2a0992b4ab4cd44bb5c620e846a39c3aaca5 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:34:05 +0000 Subject: [PATCH 053/133] ignore if keyring exists --- .github/workflows/primary.yml | 2 +- Dockerfile.default | 2 +- Pollyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index c7db18e..388ed90 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml @@ -43,7 +43,7 @@ jobs: apt-get update; apt-get install -y locales locales-all; apt-get clean; test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; + test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg); echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; apt-get update; apt-get install -y kubectl; apt-get clean; usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; diff --git a/Dockerfile.default b/Dockerfile.default index 025bfb0..28c71c7 100644 --- a/Dockerfile.default +++ b/Dockerfile.default 
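Review bot: `test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl ... | gpg ... -o ...)` skips the fetch whenever the path exists, but a previous run whose `curl` failed may have left an empty or partial keyring there (the pipeline's status is gpg's, not curl's), and that file then permanently satisfies the test on every rebuild. Checking for a non-empty file, `test -s /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (...)`, is a cheap improvement. The same line appears in the Dockerfile.default and Pollyfile hunks of this commit.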
@@ -14,7 +14,7 @@ RUN set -ex; \ apt-get update; apt-get install -y locales locales-all; apt-get clean; \ test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); \ apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; \ - curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg; \ + test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg); \ echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ usermod -a -G $(grep docker /etc/group | cut -d: -f3) app; \ diff --git a/Pollyfile b/Pollyfile index eb394d3..69e6ed2 100644 --- a/Pollyfile +++ b/Pollyfile 
@@ -32,7 +32,7 @@ #run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} #run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} - run %q{curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg} + run %q{test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg)} run %q{echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list} apt %w{kubectl} From 1c998f368af08ba63261af97500919e0b72e1851 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:36:12 +0000 Subject: [PATCH 054/133] remove old ref --- Pollyfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Pollyfile b/Pollyfile index 69e6ed2..506183c 100644 --- a/Pollyfile +++ b/Pollyfile @@ -2,9 +2,8 @@ @base = image { stage "base", "ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586" - #stage "base", "ghcr.io/unhookd/polly:3.0-rc1" - #stage "base", "ubuntu:jammy-20220421" #stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" + #stage "base", "ghcr.io/unhookd/polly:3.0-rc1" root From f4ea6e5dfef9b686ac48065bbd1c84a638691935 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:38:26 +0000 Subject: [PATCH 055/133] update depedency gems --- polly.gemspec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/polly.gemspec b/polly.gemspec index 50da351..1e94013 100644 --- a/polly.gemspec +++ b/polly.gemspec 
@@ -18,8 +18,8 @@ Gem::Specification.new do |spec| spec.executables = ["polly"] spec.require_paths = ["lib"] - spec.add_dependency "thor", "= 1.2.2" - spec.add_dependency "net-ssh", "~> 6.0" + spec.add_dependency "thor", "~> 1.3" + spec.add_dependency "net-ssh", "~> 7.0" spec.add_dependency "yajl-ruby", "~> 1.4.3" spec.add_dependency "guard", "~> 2.18" end From f73d4f20334efead1f05909fbed5fa5b72185e13 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:39:01 +0000 Subject: [PATCH 056/133] redo bootstrap --- Dockerfile.default | 2 +- Pollyfile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile.default b/Dockerfile.default index 28c71c7..e100640 100644 --- a/Dockerfile.default +++ b/Dockerfile.default @@ -1,5 +1,5 @@ # syntax=docker/dockerfile-upstream:master-experimental -FROM ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586 AS base +FROM public.ecr.aws/debian/debian:bookworm-20240311-slim AS base USER root ENV DEBIAN_FRONTEND=noninteractive LC_ALL=C.UTF-8 LANG=en_US LANGUAGE=en_US ACCEPT_EULA=y RUN set -ex; \ diff --git a/Pollyfile b/Pollyfile index 506183c..a9cdead 100644 --- a/Pollyfile +++ b/Pollyfile @@ -1,9 +1,9 @@ #!/usr/bin/env ruby @base = image { - stage "base", "ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586" - #stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" - #stage "base", "ghcr.io/unhookd/polly:3.0-rc1" + #stage "base", "ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586" + stage "base", "public.ecr.aws/debian/debian:bookworm-20240311-slim" + #stage "base", "ghcr.io/unhookd/polly:4.0-rc-3" root From 3b9941e61f245b5a18dee6f15e48dd20508e4330 Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Mon, 1 Apr 2024 00:39:23 +0000 Subject: [PATCH 057/133] redo bootstrap --- .github/workflows/primary.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 388ed90..2db27db 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml @@ -16,8 +16,8 @@ jobs: container: options: "--user 0" - #image: public.ecr.aws/debian/debian:bookworm-20240311-slim - image: ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586 + image: public.ecr.aws/debian/debian:bookworm-20240311-slim + #image: ghcr.io/unhookd/polly:4.0-rc-3@sha256:1169fa172ec82abfaa368396aaad8be59d1879e76fcd115495567598d7500586 steps: - uses: actions/checkout@v3 From c116e9fd53dfa7356f9a356d1f3ec230254a76cc Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 00:40:13 +0000 Subject: [PATCH 058/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 279a89f..f0e81a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.28.0] - 2024-04-01 - Jon Bardin + +Upgrade base images and to ruby3 + +####### + # [4.27.0] - 2024-02-07 - Jon Bardin Merge build features diff --git a/VERSION b/VERSION index 238cd7a..4e940ae 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.27.0 \ No newline at end of file +4.28.0 \ No newline at end of file From e5f6c12f52221fd033fe9f367f84e5ab690c72c6 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 01:36:20 +0000 Subject: [PATCH 059/133] repair git init polly test init --- Pollyfile | 6 ++++++ bin/polly | 12 ++++++++---- lib/polly/execute.rb | 20 ++++++++++++++++---- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/Pollyfile b/Pollyfile index a9cdead..efb88bd 100644 --- a/Pollyfile +++ b/Pollyfile 
@@ -106,6 +106,12 @@ "--chown=app Pollyfile /home/app/Pollyfile" } + command("COPY") { + "--chown=app config/git-repo/templates /home/app/config/git-repo/templates" + } + + run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R app.app /polly/safe} + app command("ENTRYPOINT") { diff --git a/bin/polly b/bin/polly index ce559c5..66b1275 100755 --- a/bin/polly +++ b/bin/polly @@ -336,7 +336,7 @@ class PollyTasks < Thor git_init_cmd = [ "git", "init", "--bare", "/polly/safe/git/#{exe.current_app}", - "--template=/polly/app/config/git-repo/templates" + "--template=/home/app/config/git-repo/templates" ] unless options["local"] @@ -348,6 +348,9 @@ class PollyTasks < Thor ] end + #puts git_init_cmd + #exit + o,e,s = exe.execute_simple(:output, git_init_cmd, {}) puts o unless s @@ -908,7 +911,7 @@ HEREDOC desc "init [CERTS]", "bootstraps project polly controller pod" option "re-init", :type => :boolean, :default => false option "with-registry", :type => :boolean, :default => false - option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:3.0-rc1" # "polly:3.0-rc1" + option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:4.0-rc-3" def init(cert_package_dir) exe = ::Polly::Execute.new @@ -928,7 +931,7 @@ HEREDOC #nginx-apt-proxy: /usr/sbin/nginx -g 'daemon off;' git_image = options["with-bootstrap"] # "alpine/git:latest" - git_command = ["sleep", "2147483647"].to_json + git_command = ["sleep", "infinity"].to_json #etc_slash_ssh_slash_ssh_host_rsa_key #etc_slash_ssh_slash_ssh_host_rsa_key.pub @@ -1420,6 +1423,7 @@ spec: - name: polly-controller securityContext: runAsUser: 1000 + runAsGroup: 1000 volumeMounts: - mountPath: /polly/safe name: polly-mount 
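Review bot: In the polly-controller manifest hunk (`@@ -1420`) the pod securityContext now has `runAsUser: 1000` and `runAsGroup: 1000` and nothing else, while the job pods built in lib/polly/execute.rb give their init containers `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the controller holds every repo under `/polly/safe` and is the more sensitive of the two. Add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` beside `runAsGroup: 1000` so the two manifests agree. The new `option "with-bootstrap"` default `ghcr.io/unhookd/polly:4.0-rc-3` is a floating tag; if a digest-pinned form of that image exists it should be the default, since this image is what `init` runs before anything else is trusted.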
@@ -1559,7 +1563,7 @@ HEREDOC end desc "xxh", "debug shell into polly controller" - def xxh(service = "git", sh_cmd = "sh") + def xxh(service = "controller", sh_cmd = "sh") exe = ::Polly::Execute.new exec(*["kubectl", "exec", exe.polly_pod(service), "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 13ebfdd..c2ebb38 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -198,11 +198,22 @@ def start_job!(job) Kernel.exit(1) end - docker_image_url = URI.parse("http://local/#{first_docker_executor_hint["image"]}") - repo = docker_image_url.host + #docker_image_url = URI.parse("http://local/#{first_docker_executor_hint["image"]}") + #repo = docker_image_url.host + ##TODO: ???? File.basename(docker_image_url.path) + #Pathname.new(docker_image_url.path).relative_path_from(Pathname.new("/")).to_s + #add_circleci_job + + #buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] + + version = current_revision + branch = current_branch.gsub("/", "-") + app = current_app + #image_repo = Polly::Config.image_repo + + raise "polly-registry:23443/polly-registry/#{app}:#{branch}-#{version}" + - #TODO: ???? File.basename(docker_image_url.path) - Pathname.new(docker_image_url.path).relative_path_from(Pathname.new("/")).to_s end end @@ -966,6 +977,7 @@ def execute_procfile(working_directory, procfile, obv = ::Polly::Observe.new) def polly_pod(service = "controller") label = "name=#{POLLY}-#{service}" + #puts label.inspect @polly_pods ||= {} @polly_pods[label] ||= begin cmd = "kubectl get pods --field-selector=status.phase=Running -l #{label} -o name | cut -d/ -f2" From 3e33fbce19b9e8e3f5df8436f23e6dcccdab2070 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 01:39:02 +0000 Subject: [PATCH 060/133] better image artifact-first bootstrap --- lib/polly/execute.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index c2ebb38..4bcb310 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -211,9 +211,7 @@ def start_job!(job) app = current_app #image_repo = Polly::Config.image_repo - raise "polly-registry:23443/polly-registry/#{app}:#{branch}-#{version}" - - + "polly-registry:23443/polly-registry/#{app}:#{branch}-#{version}" end end From 12d3d700cfec1d1ab093b25b705040b3b7134433 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 01:46:11 +0000 Subject: [PATCH 061/133] use full command override --- lib/polly/execute.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 4bcb310..c31a782 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -353,7 +353,7 @@ def start_job!(job) "image" => run_image, "imagePullPolicy" => "IfNotPresent", "workingDir" => job.parameters[:working_directory] || "/home/app/#{current_app}", #TODO: local executor support - "args" => sleep_cmd_args, + "command" => sleep_cmd_args, "volumeMounts" => [ { "mountPath" => "/certs/client", From 8238ab6d5a74df64caa824b8fda8f0af39b3eb48 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:11:15 +0000 Subject: [PATCH 062/133] better polly test --- Pollyfile | 1 + bin/polly | 25 ++++++++++++++++--------- lib/polly/execute.rb | 15 +++++++++------ 3 files changed, 26 insertions(+), 15 deletions(-) diff --git a/Pollyfile b/Pollyfile index efb88bd..a94d824 100644 --- a/Pollyfile +++ b/Pollyfile @@ -129,6 +129,7 @@ workflow_image = "polly:latest" job("primary", [{"image"=>workflow_image}], [ + {"run"=>{"name"=>"demo","command"=>"false"}}, {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, diff --git a/bin/polly b/bin/polly index 66b1275..8e88444 100755 --- a/bin/polly +++ b/bin/polly 
@@ -1612,14 +1612,18 @@ HEREDOC exec("ssh", "-AX", "app@#{exe.multipass_ip(profile)}") end - desc "waitx", "TBD: wait for pod availability, execute subsequent command" - def waitx(*cmd) + desc "waitx", "[CLEAN_NAME] wait for pod availability, execute subsequent command" + def waitx(clean_name = nil, *cmd) + puts "waiting for #{clean_name}" + exe = ::Polly::Execute.new + label_selector = clean_name || URI.encode_www_form(exe.polly_labels.to_a).gsub("&",",") + waited_for_deployments = false while !waited_for_deployments #$stderr.write("waiting for deploy\n") - o,e,waited_for_deployments = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=available", "deployment", "-l", URI.encode_www_form(exe.polly_labels.to_a).gsub("&",","), "--timeout=30s"], {}) + o,e,waited_for_deployments = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=available", "deployment", "-l", label_selector, "--timeout=30s"], {}) puts o puts e end 
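Review bot: `while !waited_for_deployments` retries `kubectl wait` with no upper bound, and `label_selector` is now whatever the caller passes as CLEAN_NAME, so a mistyped selector or a deployment that never becomes available spins `waitx` forever; the runner in execute.rb launches this with `execute_simple(:async, polly_waitx, ...)`, so presumably the whole job hangs with it. Bound the loop, e.g. `attempts = 0` before it and `abort("gave up waiting for #{label_selector}") if (attempts += 1) > 20` inside, so the failure surfaces with a message. `puts "waiting for #{clean_name}"` also prints `waiting for ` with nothing after it when CLEAN_NAME is omitted; print `label_selector` once it is computed instead.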
@@ -1627,26 +1631,29 @@ HEREDOC waited_for_pods = false while !waited_for_pods #$stderr.write("waiting for deploy\n") - o,e,waited_for_pods = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=ready", "pod", "-l", URI.encode_www_form(exe.polly_labels.to_a).gsub("&",","), "--timeout=30s"], {}) + o,e,waited_for_pods = exe.execute_simple(:output, ["kubectl", "wait", "--for=condition=ready", "pod", "-l", label_selector, "--timeout=30s"], {}) puts o puts e end unless cmd.empty? - $stderr.write("listing pods\n") - find_all_pods = "kubectl get pods -l #{URI.encode_www_form(exe.polly_labels.to_a).gsub("&",",")} -o name | cut -d/ -f2" + $stderr.write("listing pods to run #{cmd.inspect}\n") + find_all_pods = "kubectl get pods -l #{label_selector} -o name | cut -d/ -f2" a = IO.popen(find_all_pods).read.strip exe.wait_child all_pods = a.split("\n") + run_cmd_args = ["bash", "-e", "-o", "pipefail", "-c", cmd.join(" ")] + #"bash #{run_shell_path} > /proc/1/fd/1 2> /proc/1/fd/2"] + pod_index = 0 kube_exec_cmd = [ "kubectl", "exec", all_pods[pod_index], "--" - ] + cmd + ] + run_cmd_args - #puts kube_exec_cmd.join(" ") + #puts kube_exec_cmd.inspect #join(" ") o,e,s = exe.execute_simple(:output, kube_exec_cmd, {}) @@ -1654,7 +1661,7 @@ HEREDOC puts o else puts e - fail + #fail end end end diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index c31a782..2213443 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -231,7 +231,8 @@ def start_job!(job) #run_cmd_args = ["bash", "-e", "-x", "-o", "pipefail", run_shell_path] #if true #TODO: bits - run_cmd_args = ["bash", "-e", "-o", "pipefail", "-c", "bash #{run_shell_path} > /proc/1/fd/1 2> /proc/1/fd/2"] + #run_cmd_args = ["bash", "-e", "-o", "pipefail", "-c", "bash #{run_shell_path} > /proc/1/fd/1 2> /proc/1/fd/2"] + run_cmd_args = ["bash #{run_shell_path}"] # > /proc/1/fd/1 2> /proc/1/fd/2"] #end intend_to_run_cmd = nil 
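Review bot: Commenting out `fail` after `puts e` means a non-zero exit from the command run inside the pod no longer fails `waitx`, so a failing job step is reported as success to whatever awaits the `polly waitx` process; put `exit(1)` back in that branch or propagate the status explicitly. On the same hunk, `cmd.join(" ")` handed to `bash -c` discards argument boundaries, so any argument containing whitespace or shell metacharacters is re-parsed by the remote shell. `find_all_pods` interpolates the caller-supplied `label_selector` into a shell pipeline for `IO.popen`; that is harmless for the label strings the runner builds, but `IO.popen(["kubectl", "get", "pods", "-l", label_selector, "-o", "name"])` with the `cut` done in Ruby would remove the shell from the path entirely.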
@@ -255,7 +256,8 @@ def start_job!(job) "metadata" => { "name" => clean_name, "labels" => { - "app" => clean_name + "app" => clean_name, + "polly" => "polly-ci" } }, "spec" => { @@ -267,15 +269,16 @@ def start_job!(job) "selector" => { "matchLabels" => { #TODO: abstract this!!!! - "name" => clean_name + "app" => clean_name, + "polly" => "polly-ci" } }, "template" => { "metadata" => { "labels" => { #TODO: abstract this - "name" => clean_name, - "app" => "polly-ci" + "app" => clean_name, + "polly" => "polly-ci" }, "annotations" => {} } @@ -502,7 +505,7 @@ def start_job!(job) polly_waitx = [ "polly", "waitx", - clean_name, + "app=#{clean_name},polly=polly-ci", ] + intend_to_run_cmd @runners << [job.run_name, clean_name, execute_simple(:async, polly_waitx, {})] From 39ca0516c12ea3cc73ab6548190c4d1362ca03d4 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:22:18 +0000 Subject: [PATCH 063/133] try bootstrapping polly test with polly build --- Pollyfile | 5 +++-- lib/polly/execute.rb | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Pollyfile b/Pollyfile index a94d824..2e1027e 100644 --- a/Pollyfile +++ b/Pollyfile 
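Review bot: `spec.selector.matchLabels` changes from `"name" => clean_name` to `"app" => clean_name, "polly" => "polly-ci"`; a Deployment's selector is immutable after creation, so if the same `clean_name` is reused across runs the server will reject the update with a field-is-immutable error until the old object is deleted. The `#TODO: abstract this!!!!` comment is a good place for `# NOTE: selector is immutable on an existing Deployment; delete before re-applying with new labels`, or the runner should delete-then-create if that is already the flow. The label pair must also stay in sync with the `"app=#{clean_name},polly=polly-ci"` string handed to `waitx` in the `@@ -502` hunk, which is a second copy of the same fact.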
@@ -129,13 +129,14 @@ workflow_image = "polly:latest" job("primary", [{"image"=>workflow_image}], [ - {"run"=>{"name"=>"demo","command"=>"false"}}, {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, + {"run"=>{"name"=>"demo","command"=>"polly help"}}, + {"run"=>{"name"=>"demo","command"=>"polly build"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, - {"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} + #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) } diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 2213443..1d57455 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -232,7 +232,10 @@ def start_job!(job) #run_cmd_args = ["bash", "-e", "-x", "-o", "pipefail", run_shell_path] #if true #TODO: bits #run_cmd_args = ["bash", "-e", "-o", "pipefail", "-c", "bash #{run_shell_path} > /proc/1/fd/1 2> /proc/1/fd/2"] - run_cmd_args = ["bash #{run_shell_path}"] # > /proc/1/fd/1 2> /proc/1/fd/2"] + run_cmd_args = ["/bin/bash #{run_shell_path}"] # > /proc/1/fd/1 2> /proc/1/fd/2"] + #puts run_shell_path + + #run_cmd_args = ["sleep infinity"] # > /proc/1/fd/1 2> /proc/1/fd/2"] #end intend_to_run_cmd = nil From 27b30b5e60f0aee3d03d16980dba7db8ee62abac Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Mon, 1 Apr 2024 02:27:22 +0000 Subject: [PATCH 064/133] ensure git config is set --- bin/polly | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/bin/polly b/bin/polly index 8e88444..5c357e5 100755 --- a/bin/polly +++ b/bin/polly @@ -334,6 +334,30 @@ class PollyTasks < Thor def receive_pack(origin = nil) exe = ::Polly::Execute.new + git_config_cmd = [ + "git", "config", "--global", "--add", "safe.directory", "/home/app/polly" + ] + + unless options["local"] + git_config_cmd = [ + "kubectl", "exec", exe.polly_pod, + "-i", + "--", + *git_config_cmd + ] + end + + #puts git_init_cmd + #exit + + o,e,s = exe.execute_simple(:output, git_config_cmd, {}) + puts o + unless s + puts e + exit(1) + end + exe.wait_child + git_init_cmd = [ "git", "init", "--bare", "/polly/safe/git/#{exe.current_app}", "--template=/home/app/config/git-repo/templates" From 564a512676831c12f478af24ec2a4e0c98e0a391 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:31:34 +0000 Subject: [PATCH 065/133] repair stdout --- bin/polly | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index 5c357e5..357ac76 100755 --- a/bin/polly +++ b/bin/polly @@ -351,8 +351,8 @@ class PollyTasks < Thor #exit o,e,s = exe.execute_simple(:output, git_config_cmd, {}) - puts o unless s + puts o puts e exit(1) end @@ -376,8 +376,8 @@ class PollyTasks < Thor #exit o,e,s = exe.execute_simple(:output, git_init_cmd, {}) - puts o unless s + puts o puts e exit(1) end From 865d41c6c4aef9036726c225902dedcabdb77960 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:32:54 +0000 Subject: [PATCH 066/133] use correct branch name on polly push --- bin/polly | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 357ac76..8fa06b1 100755 --- a/bin/polly +++ b/bin/polly 
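Review bot: `git config --global --add safe.directory /home/app/polly` hard-codes the `polly` app, while the bare repo initialised a few lines later is `/polly/safe/git/#{exe.current_app}`; unless the intent is only the controller's own checkout, derive the path from `exe.current_app` as `git_init_cmd` does, e.g. `"safe.directory", "/home/app/#{exe.current_app}"`. Because it uses `--add` and runs on every `receive-pack`, the pod's global config also gains a duplicate entry per push; check with `git config --global --get-all safe.directory` first, or use `--replace-all` when one entry is enough. `receive_pack` continues past the hunk, so any later use of this config is not visible here.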
@@ -298,7 +298,8 @@ class PollyTasks < Thor # File.join($polly_dir, "config/git-repo/templates") #TODO: specify the remote follow branch with a toggle possibly??? - exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}-#{Time.now.to_i}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") + #exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}-#{Time.now.to_i}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") + exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") #TODO: #####cat /var/tmp/polly-safe/buildkit/example-510b1e33549a9f97b9fce43f1a30d13afe208390.tar | docker import - example:latest From af4edc85a49756ec9aaae7b71d3f4b8971be6767 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:41:53 +0000 Subject: [PATCH 067/133] better app tag support --- bin/polly | 6 +++--- lib/polly/build.rb | 12 ++++++++---- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/bin/polly b/bin/polly index 8fa06b1..a0d215a 100755 --- a/bin/polly +++ b/bin/polly @@ -500,9 +500,9 @@ class PollyTasks < Thor Polly::Build.buildkit_external(exe, app, branch, version, generated_dockerfile, options["no-cache"]) end + #TODO: ? raise if version.empty? - - Polly::Build.buildkit_workstation_to_controller(exe, app, "wkndr", version, generated_dockerfile, options["no-cache"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, "wkndr-todo", generated_dockerfile, options["no-cache"]) exit @@ -1619,7 +1619,7 @@ HEREDOC app = exe.current_app image_repo = Polly::Config.image_repo - tag = Polly::Build.build_image_to_tag(app, options["stage"] || branch, version) + tag = Polly::Build.build_image_to_tag(app, version, options["stage"]) #tag = Polly::Build.build_image_to_tag(app, "wkndr", version) puts tag.inspect diff --git a/lib/polly/build.rb b/lib/polly/build.rb index eb615f2..adedf5f 100644 --- a/lib/polly/build.rb 
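Review bot: The new call `Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, "wkndr-todo", generated_dockerfile, options["no-cache"])` does not line up with the signature shown as context in this same commit's lib/polly/build.rb hunk, `(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil)`: `"wkndr-todo"` lands in `dockerfile_path` (so `--opt filename=wkndr-todo`) and `generated_dockerfile` lands in `build_image_stage` (so the tag becomes `app:<whatever generated_dockerfile holds>-<version>`). Swap them, `(exe, app, version, branch, generated_dockerfile, "wkndr-todo", options["no-cache"])`, or better switch this method to keyword arguments so positional drift like this cannot pass silently. `#TODO: ? raise if version.empty?` is worth acting on too, since an empty version yields a tag ending in `-`.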
+++ b/lib/polly/build.rb @@ -2,8 +2,12 @@ module Polly class Build - def self.build_image_to_tag(app, build_image_stage, version) - app + ":" + build_image_stage + "-" + version + def self.build_image_to_tag(app, version, build_image_stage=nil) + if build_image_stage + app + ":" + build_image_stage + "-" + version + else + app + ":" + version + end end def self.generated_string_fd(generated_dockerfile) @@ -14,7 +18,7 @@ def self.generated_string_fd(generated_dockerfile) end def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil) - tag = build_image_to_tag(app, build_image_stage || branch, version) + tag = build_image_to_tag(app, version, build_image_stage) buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, "buildctl", @@ -77,7 +81,7 @@ def self.buildkit_external(exe, app, build_image_stage, version, generated_docke end def self.buildkit_internal(exe, app, build_image_stage, version, generated_dockerfile, force_no_cache) - tag = build_image_to_tag(app, build_image_stage.stage, version) + tag = build_image_to_tag(app, version, build_image_stage.stage) stage = app + "-" + build_image_stage.stage polly_dockerfile_config = [] From 74e99fed7ca76668acfbf5191bbbace5ffcf2717 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:42:17 +0000 Subject: [PATCH 068/133] restore branch mode --- bin/polly | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index a0d215a..f7fc501 100755 --- a/bin/polly +++ b/bin/polly 
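Review bot: `build_image_to_tag` branches on `if build_image_stage`, but an empty string is truthy in Ruby, so `build_image_to_tag("app", "abc", "")` returns `app:-abc`, which is not a valid image tag; the `options["stage"]` Thor string option in bin/polly can arrive as `""`. Use `if build_image_stage && !build_image_stage.empty?` and document the contract above the method: `# stage is optional; when present the tag is "<stage>-<version>", otherwise "<version>"`. None of the three inputs is checked against the tag grammar (`[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`), so a stage or version containing `/` or `:` produces a tag buildctl will reject later and less clearly than a `raise ArgumentError` here would.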
@@ -298,8 +298,8 @@ class PollyTasks < Thor # File.join($polly_dir, "config/git-repo/templates") #TODO: specify the remote follow branch with a toggle possibly??? - #exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}-#{Time.now.to_i}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") - exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") + exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}-#{Time.now.to_i}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") + #exe.systemx("git", "push", "-f", "polly", branch, "HEAD:#{branch}", "--exec=polly receive-pack#{options['local'] ? " --local" : ""}") #TODO: #####cat /var/tmp/polly-safe/buildkit/example-510b1e33549a9f97b9fce43f1a30d13afe208390.tar | docker import - example:latest From 2905862250cfa9d508af420621a4d444f1176a77 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 02:47:24 +0000 Subject: [PATCH 069/133] even better branch name repair --- lib/polly/execute.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 1d57455..e2c3c1f 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -211,7 +211,7 @@ def start_job!(job) app = current_app #image_repo = Polly::Config.image_repo - "polly-registry:23443/polly-registry/#{app}:#{branch}-#{version}" + "polly-registry:23443/polly-registry/#{app}:#{version}" end end From 826e76342244252583f65d0084274ea807a5b4e4 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:10:36 +0000 Subject: [PATCH 070/133] more repair for polly test --- Pollyfile | 3 ++- lib/polly/build.rb | 2 +- lib/polly/execute.rb | 46 +++++++++++++++++++++++++++++++++++++------- 3 files changed, 42 insertions(+), 9 deletions(-) diff --git a/Pollyfile b/Pollyfile index 2e1027e..8785db4 100644 --- a/Pollyfile +++ b/Pollyfile 
@@ -132,12 +132,13 @@ workflow_image = "polly:latest" {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, {"run"=>{"name"=>"demo","command"=>"polly help"}}, + {"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, {"run"=>{"name"=>"demo","command"=>"polly build"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} - ],{},"/home/app/polly" + ],{},"/home/app/polly/tmp" ) } diff --git a/lib/polly/build.rb b/lib/polly/build.rb index adedf5f..9682e8e 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -20,7 +20,7 @@ def self.generated_string_fd(generated_dockerfile) def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil) tag = build_image_to_tag(app, version, build_image_stage) buildctl_local_cmd = [ - {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, + {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}.compact, "buildctl", "--addr", "kube-pod://polly-buildkitd-0", "build", diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index e2c3c1f..a1aa156 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -179,7 +179,7 @@ def start_job!(job) extra_runtime_envs = begin if executor_hints[:setup_remote_docker] || clean_name.include?("bootstrap") - {"SSH_AUTH_SOCK" => "/home/app/.ssh-auth-sock"} + {} #{"SSH_AUTH_SOCK" => "/home/app/.ssh-auth-sock"} else {} end 
@@ -294,18 +294,20 @@ def start_job!(job) "initContainers" => [ { #"terminationGracePeriodSeconds" => 5, - "name" => "git-clone", + "name" => "git-config", "image" => "alpine/git:latest", #TODO: more bits rebootstrap "workingDir" => "/home/app/#{current_app}", #TODO: local executor support "imagePullPolicy" => "IfNotPresent", "args" => [ #origin = "/polly-safe/git/#{app}" #"http://polly-app:8080/#{current_app}" - "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "." + #"clone", "-b", current_branch, "/polly/safe/git/#{current_app}", ".", + "config", "--global", "--add", "safe.directory", "/home/app/polly", ], - "env" => { "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/polly/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { - "runAsUser" => username_to_uid("root"), #TODO: bootstrap module + "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module + "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "allowPrivilegeEscalation" => false, "readOnlyRootFilesystem" => true }, 
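Review bot: The git-config init container adds `safe.directory /home/app/polly` while its `workingDir` on the same hunk is `/home/app/#{current_app}`; for any app other than polly the entry protects the wrong path and git's dubious-ownership check still fires. Use `"config", "--global", "--add", "safe.directory", "/home/app/#{current_app}"`. `runAsUser`/`runAsGroup` are hard-coded to 1000 with a `#TODO` to look them up; if the `app` user in the run image has a different uid, the scratch-dir contents end up owned by a uid the main container cannot write as, so the lookup is worth doing. `alpine/git:latest` on the context line is a floating tag for a container that reads the repo; pinning it by digest would be consistent with the digest-pinned bases this series started from.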
@@ -320,6 +322,35 @@ def start_job!(job) }, ] + }, + { + #"terminationGracePeriodSeconds" => 5, + "name" => "git-clone", + "image" => "alpine/git:latest", #TODO: more bits rebootstrap + "workingDir" => "/home/app/#{current_app}", #TODO: local executor support + "imagePullPolicy" => "IfNotPresent", + "args" => [ + #origin = "/polly-safe/git/#{app}" + #"http://polly-app:8080/#{current_app}" + "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "tmp" + ], + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/polly/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "securityContext" => { + "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module + "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module + "allowPrivilegeEscalation" => false, + "readOnlyRootFilesystem" => true + }, + "volumeMounts" => [ + { + "mountPath" => "/home/app/#{current_app}", + "name" => "scratch-dir" + }, + { + "mountPath" => "/polly/safe/git/#{current_app}", + "name" => "git-repo" + }, + ] } ], @@ -358,7 +389,7 @@ def start_job!(job) "name" => clean_name, "image" => run_image, "imagePullPolicy" => "IfNotPresent", - "workingDir" => job.parameters[:working_directory] || "/home/app/#{current_app}", #TODO: local executor support + "workingDir" => job.parameters[:working_directory] || "/home/app/#{current_app}/tmp", #TODO: local executor support "command" => sleep_cmd_args, "volumeMounts" => [ { @@ -384,7 +415,7 @@ def start_job!(job) # "name" => "ssh-key" #}, ], - "env" => extra_runtime_envs.merge(job.parameters[:environment]).collect { |k,v| {"name" => k, "value" => v } } + "env" => extra_runtime_envs.merge(job.parameters[:environment]).merge({"GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true"}).collect { |k,v| {"name" => k, "value" => v } } } ], "volumes" => [ 
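Review bot: The git-clone init container only reads `/polly/safe/git/#{current_app}` (its args are `clone -b <branch> <repo> tmp`), yet the `git-repo` mount is read-write; add `"readOnly" => true` to that mount so a bug or a hook in the clone step cannot alter the bare repo that later jobs build from. The volume behind it is a hostPath (see the volumes hunk later in this series), which makes keeping the only writer on the controller side more important. In the `@@ -384` env hunk, merging `{"GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true"}` last silently overrides a job-supplied value of the same name; if the Pollyfile should be able to turn it off, merge the default first.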
@@ -429,6 +460,7 @@ def start_job!(job) ] } + #TODO: document ssh-key bootstrap if executor_hints[:setup_remote_docker] && (ENV["POLLY_SSH_AUTH_SOCK"] || ENV["SSH_AUTH_SOCK"]) container_spec["volumes"] << { "name" => "ssh-auth-sock", From 3efad50540d705b5e1acb07d96cc606b9cf960c6 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:14:39 +0000 Subject: [PATCH 071/133] dont use ssh unless it is present --- lib/polly/build.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 9682e8e..ca1e8c4 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -26,7 +26,7 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil "build", ####"debug", "dump-llb", "--progress=plain", - "--ssh", "default", #"default=#{Dir.home}/.ssh/id_rsa", + *(ENV["SSH_AUTH_SOCK"] ? ["--ssh", "default"] : []), #"default=#{Dir.home}/.ssh/id_rsa", "--frontend", "dockerfile.v0", "--local", "context=.", "--local", "dockerfile=.", "--opt", "filename=#{dockerfile_path}", From c900346749f4a4ed71a4fdcb2cd2b3effcaf0e6d Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:19:32 +0000 Subject: [PATCH 072/133] simple build --- Pollyfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Pollyfile b/Pollyfile index 8785db4..9121412 100644 --- a/Pollyfile +++ b/Pollyfile 
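Review bot: `*(ENV["SSH_AUTH_SOCK"] ? ["--ssh", "default"] : [])` forwards the workstation's ssh-agent to buildkitd whenever an agent happens to be running, which lets any `RUN --mount=type=ssh` in the Dockerfile being built sign with every key loaded in that agent, not only the one the build needs. A comment at that line would make the trade-off visible, e.g. `# forwards the whole local ssh-agent to the build; only Dockerfiles that mount type=ssh can use it, but they get every loaded key`, and `--ssh default=<path-to-one-key>`, as the commented-out form hints, limits it to a single key. Forwarding should arguably be opt-in (the `setup_remote_docker` hint already exists on the job side) rather than triggered by the agent's presence.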
@@ -132,8 +132,8 @@ workflow_image = "polly:latest" {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, {"run"=>{"name"=>"demo","command"=>"polly help"}}, - {"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, - {"run"=>{"name"=>"demo","command"=>"polly build"}}, + #{"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, + #{"run"=>{"name"=>"demo","command"=>"polly build"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, From 087f57ab4f7de400583914e3efc29ef91ff0ebb5 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:25:10 +0000 Subject: [PATCH 073/133] try to confirm polly build in polly push --- Pollyfile | 2 +- lib/polly/execute.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index 9121412..abd7d52 100644 --- a/Pollyfile +++ b/Pollyfile @@ -133,7 +133,7 @@ workflow_image = "polly:latest" {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, {"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, - #{"run"=>{"name"=>"demo","command"=>"polly build"}}, + {"run"=>{"name"=>"demo","command"=>"polly build"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index a1aa156..d7dca4a 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -290,6 +290,7 @@ def start_job!(job) } container_spec = { + "serviceAccount" => "polly", ##TODO: converge this with workstion git context "initContainers" => [ { From c0f73190a26d28771a9fdaa8c34f102672a226a7 Mon Sep 17 00:00:00 2001 
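Review bot: `"serviceAccount" => "polly"` gives every job pod, including the main container that executes Pollyfile-authored steps, the same Kubernetes identity as the controller, so whatever RBAC `polly` carries (presumably enough to create Deployments and `kubectl exec`, going by the rest of this file) is available to any build step through the mounted token. If the identity is needed only for the nested `polly build`, a separate, narrower service account for jobs, or `"automountServiceAccountToken" => false` on the pod with the token mounted only where it is needed, would keep arbitrary steps from inheriting it. Prefer the current field name as well: `"serviceAccountName" => "polly"`, since `serviceAccount` is the deprecated alias.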
From: Jon Bardin Date: Mon, 1 Apr 2024 03:34:41 +0000 Subject: [PATCH 074/133] ensure capture of stderr --- lib/polly/execute.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index d7dca4a..9283d08 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -51,7 +51,7 @@ def systemx(*cmd) cmd.unshift("echo") if @explain end - status = Kernel.system(*cmd) + status = Kernel.system(*cmd, {:err => $stderr}) unless status Kernel.exit(1) end From ead3b451d52df3f8973c0a2f5ad4e6d6980928bd Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:39:12 +0000 Subject: [PATCH 075/133] repair thor option --- bin/polly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index f7fc501..e1a15fe 100755 --- a/bin/polly +++ b/bin/polly @@ -1637,7 +1637,7 @@ HEREDOC exec("ssh", "-AX", "app@#{exe.multipass_ip(profile)}") end - desc "waitx", "[CLEAN_NAME] wait for pod availability, execute subsequent command" + desc "waitx [CLEAN_NAME]", "wait for pod availability, execute subsequent command" def waitx(clean_name = nil, *cmd) puts "waiting for #{clean_name}" From ec1baac7c58955114348fc8050f5d3c533d42c29 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:40:51 +0000 Subject: [PATCH 076/133] better checkout dir --- Pollyfile | 2 +- lib/polly/execute.rb | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Pollyfile b/Pollyfile index abd7d52..0d4cb04 100644 --- a/Pollyfile +++ b/Pollyfile 
@@ -138,7 +138,7 @@ workflow_image = "polly:latest" #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} - ],{},"/home/app/polly/tmp" + ],{},"/home/app/polly" ) } diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 9283d08..6de38cd 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -305,7 +305,7 @@ def start_job!(job) #"clone", "-b", current_branch, "/polly/safe/git/#{current_app}", ".", "config", "--global", "--add", "safe.directory", "/home/app/polly", ], - "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/polly/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module 
@@ -333,9 +333,9 @@ def start_job!(job) "args" => [ #origin = "/polly-safe/git/#{app}" #"http://polly-app:8080/#{current_app}" - "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "tmp" + "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "." ], - "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/polly/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module @@ -390,7 +390,7 @@ def start_job!(job) "name" => clean_name, "image" => run_image, "imagePullPolicy" => "IfNotPresent", - "workingDir" => job.parameters[:working_directory] || "/home/app/#{current_app}/tmp", #TODO: local executor support + "workingDir" => job.parameters[:working_directory] || "/home/app/#{current_app}", #TODO: local executor support "command" => sleep_cmd_args, "volumeMounts" => [ { From 254390bda16a1227648a23bf6ffb1aa95f372bd8 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:44:14 +0000 Subject: [PATCH 077/133] use a better tmpdir --- lib/polly/execute.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 6de38cd..5fd333a 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb 
@@ -305,7 +305,7 @@ def start_job!(job) #"clone", "-b", current_branch, "/polly/safe/git/#{current_app}", ".", "config", "--global", "--add", "safe.directory", "/home/app/polly", ], - "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/tmp/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module @@ -335,7 +335,7 @@ def start_job!(job) #"http://polly-app:8080/#{current_app}" "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "." ], - "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/tmp/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module From 582322dd47fb8cacea60609acea5cf5400d9d58b Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:48:58 +0000 Subject: [PATCH 078/133] better config dir --- lib/polly/execute.rb | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 5fd333a..476bac9 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb 
@@ -305,7 +305,7 @@ def start_job!(job) #"clone", "-b", current_branch, "/polly/safe/git/#{current_app}", ".", "config", "--global", "--add", "safe.directory", "/home/app/polly", ], - "env" => { "GIT_CONFIG_GLOBAL" => "/tmp/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.config/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module @@ -317,6 +317,10 @@ def start_job!(job) "mountPath" => "/home/app/#{current_app}", "name" => "scratch-dir" }, + { + "mountPath" => "/home/app/.config", + "name" => "config-dir" + }, { "mountPath" => "/polly/safe/git/#{current_app}", "name" => "git-repo" @@ -335,7 +339,7 @@ def start_job!(job) #"http://polly-app:8080/#{current_app}" "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "." ], - "env" => { "GIT_CONFIG_GLOBAL" => "/tmp/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/config/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module @@ -347,6 +351,14 @@ def start_job!(job) "mountPath" => "/home/app/#{current_app}", "name" => "scratch-dir" }, + { + "mountPath" => "/home/app/.config", + "name" => "config-dir" + }, + { + "mountPath" => "/home/app/.config", + "name" => "config-dir" + }, { "mountPath" => "/polly/safe/git/#{current_app}", "name" => "git-repo" 
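Review bot: The second env hunk (`@@ -335,7 +339,7`) sets `GIT_CONFIG_GLOBAL` to `/home/app/config/.gitconfig` while the new mount is at `/home/app/.config`, so that init container reads and writes a `.gitconfig` outside the shared `config-dir` volume; the later "use correct name" commit adds the missing dot, so squashing would avoid shipping a broken intermediate revision. The `@@ -347,6 +351,14` hunk also adds two identical `config-dir` entries at the same `mountPath`, which the API server rejects for a single container (removed again in "just one config dir"). Both defects are only visible by reading across the series, which argues for one coherent commit. `start_job!` begins and ends outside these hunks.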
@@ -406,6 +418,10 @@ def start_job!(job) "mountPath" => "/home/app/#{current_app}", "name" => "scratch-dir" }, + { + "mountPath" => "/home/app/.config", + "name" => "config-dir" + }, { "mountPath" => "/var/tmp/artifacts", "name" => "build-artifacts" @@ -439,6 +455,13 @@ def start_job!(job) "path" => "/var/tmp/polly-safe/git/#{current_app}" } }, + { + "name" => "config-dir", + "emptyDir" => {}, + #"hostPath" => { + # "path" => "/var/tmp/polly-safe/scratch/#{current_app}" + #} + }, { "name" => "scratch-dir", "emptyDir" => {}, From 2ab0f4cfdf04920548d7fd5cc5128c535241c73a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:51:49 +0000 Subject: [PATCH 079/133] just one config dir --- lib/polly/execute.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 476bac9..61f82a7 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -355,10 +355,6 @@ def start_job!(job) "mountPath" => "/home/app/.config", "name" => "config-dir" }, - { - "mountPath" => "/home/app/.config", - "name" => "config-dir" - }, { "mountPath" => "/polly/safe/git/#{current_app}", "name" => "git-repo" From c4502c63da69ede802190688e21325635c940cf7 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 03:55:51 +0000 Subject: [PATCH 080/133] use correct name --- lib/polly/execute.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 61f82a7..5e33f62 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb 
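Review bot: The commented-out `hostPath` block under the new `config-dir` volume is worth deleting rather than keeping as a suggestion: a git global config can contain `core.sshCommand`, `core.fsmonitor` or `credential.helper`, so backing it with a node-local directory under `/var/tmp/polly-safe` would let one job's config persist into every later pod for that app on the node, whereas an `emptyDir` is discarded with the pod. On the sharing side, the init containers write this volume as uid 1000 while the run container uses `username_to_uid(first_docker_executor_hint["user"])` (visible in the next patch's hunk); if those differ, `/home/app/.config/.gitconfig` may be unreadable there — presumably they match, but a comment stating that assumption on the volume entry would help. `start_job!` begins and ends outside these hunks.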
@@ -339,7 +339,7 @@ def start_job!(job) #"http://polly-app:8080/#{current_app}" "clone", "-b", current_branch, "/polly/safe/git/#{current_app}", "." ], - "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/config/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, + "env" => { "GIT_CONFIG_GLOBAL" => "/home/app/.config/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true" }.collect { |k,v| {"name" => k, "value" => v } }, "securityContext" => { "runAsUser" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module "runAsGroup" => 1000, #TODO: ??username_to_uid("app"), #TODO: bootstrap module @@ -428,7 +428,7 @@ def start_job!(job) # "name" => "ssh-key" #}, ], - "env" => extra_runtime_envs.merge(job.parameters[:environment]).merge({"GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true"}).collect { |k,v| {"name" => k, "value" => v } } + "env" => extra_runtime_envs.merge(job.parameters[:environment]).merge({"GIT_CONFIG_GLOBAL" => "/home/app/.config/.gitconfig", "GIT_DISCOVERY_ACROSS_FILESYSTEM" => "true"}).collect { |k,v| {"name" => k, "value" => v } } } ], "volumes" => [ From b4011c5cd3e4aa904cd5331be1dcacb5f9186daf Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 04:09:26 +0000 Subject: [PATCH 081/133] simpler shell command run.sh setup --- lib/polly/execute.rb | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 5e33f62..8ccbf71 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -217,7 +217,8 @@ def start_job!(job) build_run_dir = Dir.mktmpdir #"/polly/safe/run" build_manifest_dir = File.join(build_run_dir, clean_name, current_revision) - run_shell_path = File.join(build_manifest_dir, "run.sh") + + #run_shell_path = File.join(build_manifest_dir, "run.sh") sleep_cmd_args = ["sleep", "infinity"] 
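Review bot: In the `@@ -428,7 +428,7` hunk, `extra_runtime_envs.merge(job.parameters[:environment]).merge({"GIT_CONFIG_GLOBAL" => ...})` makes the hard-coded git variables win over anything a job declares in its own `environment`, while the job's environment in turn wins over `extra_runtime_envs`; if that precedence is intended, a one-line comment such as `# fixed git settings override job env; job env overrides runtime defaults` would save the next reader a trace. `Hash#merge(nil)` raises `TypeError`, so `job.parameters[:environment]` must always be a Hash here (`|| {}` would be cheap insurance) — hedged, since where it is populated is outside this view. `start_job!` begins and ends outside the hunk.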
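Review bot: With `run_shell_path` and the `FileUtils.mkdir_p`/`File.write` calls commented out, `build_run_dir = Dir.mktmpdir` in the `@@ -217,7 +217,8` hunk still creates a fresh temporary directory per job that nothing in the new code uses and nothing removes, so every run leaks a directory under the system tmp. If `build_run_dir`/`build_manifest_dir` are no longer referenced beyond this hunk, drop both assignments; otherwise switch to the block form `Dir.mktmpdir { |dir| ... }` so the directory is removed on exit. `start_job!` begins and ends outside the hunk.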
@@ -226,13 +227,13 @@ def start_job!(job) #####TODO: better input for cmd: [] support ######run_cmd_args = ["bash", "-e", run_shell_path] - FileUtils.mkdir_p(build_manifest_dir) - File.write(run_shell_path, job.parameters[:command]) + #FileUtils.mkdir_p(build_manifest_dir) + #File.write(run_shell_path, job.parameters[:command]) #run_cmd_args = ["bash", "-e", "-x", "-o", "pipefail", run_shell_path] #if true #TODO: bits #run_cmd_args = ["bash", "-e", "-o", "pipefail", "-c", "bash #{run_shell_path} > /proc/1/fd/1 2> /proc/1/fd/2"] - run_cmd_args = ["/bin/bash #{run_shell_path}"] # > /proc/1/fd/1 2> /proc/1/fd/2"] + run_cmd_args = ["/bin/bash /home/app/workflows/run.sh"] # > /proc/1/fd/1 2> /proc/1/fd/2"] #puts run_shell_path #run_cmd_args = ["sleep infinity"] # > /proc/1/fd/1 2> /proc/1/fd/2"] @@ -392,7 +393,7 @@ def start_job!(job) "privileged" => true, #TODO: figure out un-privd case, use kaniko??? #"runAsUser" => 0 "runAsUser" => username_to_uid(first_docker_executor_hint["user"]), - "runAsGroup" => 999 + "runAsGroup" => 999 #T!!!!! #"fsGroup" => 999 }, "name" => clean_name, @@ -407,7 +408,7 @@ def start_job!(job) "readOnly" => true }, { - "mountPath" => build_manifest_dir, + "mountPath" => "/home/app/workflows", "name" => "fd-config-volume" }, { @@ -441,7 +442,7 @@ def start_job!(job) { "name" => "fd-config-volume", "configMap" => { - "name" => "fd-#{clean_name}-#{current_revision}" + "name" => "fd-#{clean_name}-#{Digest::SHA2.new(256).hexdigest(job.parameters[:command])}" } }, { @@ -503,7 +504,7 @@ def start_job!(job) "apiVersion" => "v1", "kind" => "ConfigMap", "metadata" => { - "name" => "fd-#{clean_name}-#{current_revision}" + "name" => "fd-#{clean_name}-#{Digest::SHA2.new(256).hexdigest(job.parameters[:command])}" }, "data" => { "run.sh" => job.parameters[:command] From 1833b83eb42472320bfc155bba3973727045d6ed Mon Sep 17 00:00:00 2001 
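Review bot: `run_cmd_args = ["/bin/bash /home/app/workflows/run.sh"]` starts the generated step script without `-e` or `-o pipefail`, so a failing `bundle install` in the middle of `run.sh` does not fail the job and the next step runs against a broken tree; CircleCI runs each step under `bash -eo pipefail`, and the generated config later in this series concatenates several steps into one script, so compatibility needs `run_cmd_args = ["/bin/bash -e -o pipefail /home/app/workflows/run.sh"]` (assuming the single string is still handed to a shell as the replaced form was, and the script body does not already begin with `set -eo pipefail`, which is not visible here). The content-addressed ConfigMap name `fd-#{clean_name}-#{Digest::SHA2.new(256).hexdigest(job.parameters[:command])}` is a sound idea but means one ConfigMap per distinct command text accumulates in the namespace unless something deletes them, and `Digest::SHA2` needs `require "digest"` somewhere in the file. The `#T!!!!!` marker beside `"runAsGroup" => 999` should become a real note saying what group 999 is and why a `privileged` container still needs it. `start_job!` begins and ends outside these hunks.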
From: Jon Bardin Date: Mon, 1 Apr 2024 04:10:23 +0000 Subject: [PATCH 082/133] bits --- .dockerignore | 1 + .gitignore | 1 + 2 files changed, 2 insertions(+) diff --git a/.dockerignore b/.dockerignore index b539298..b3cf2fc 100644 --- a/.dockerignore +++ b/.dockerignore @@ -8,3 +8,4 @@ Dockerfile Dockerfile.default .dockerignore Gemfile +*.swp diff --git a/.gitignore b/.gitignore index 3c4bc78..7103391 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ vendor Gemfile.lock Dockerfile-pollygen* +*.swp From 33db805d2050b2f7e426db2a6e80e38aad9af4d0 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 1 Apr 2024 04:18:32 +0000 Subject: [PATCH 083/133] possibly dont export client-side cache --- lib/polly/build.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index ca1e8c4..87dd92f 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -38,8 +38,8 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil "type=inline", "--export-cache", "type=registry,ref=polly-registry:23443/#{app}", - "--export-cache", - "type=local,dest=/var/tmp/polly-safe/buildkit,mode=max" # this is client-side + #"--export-cache", + #"type=local,dest=/var/tmp/polly-safe/buildkit,mode=max" # this is client-side ] if build_image_stage From 0b7f2be970b70a68cc289e89d43fe73d7a559c38 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Tue, 2 Apr 2024 03:46:00 +0000 Subject: [PATCH 084/133] bits --- Pollyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index 0d4cb04..4531eaa 100644 --- a/Pollyfile +++ b/Pollyfile 
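Review bot: Commenting out the `type=local,dest=/var/tmp/polly-safe/buildkit,mode=max` export in `buildkit_workstation_to_controller` rather than deleting it leaves a dead `--export-cache` pair in the source, and the commit title ("possibly") suggests the decision is not final; a `local_cache_dir = nil` parameter that appends the pair only when set would keep both behaviours reachable without stale comments. The remaining registry export `type=registry,ref=polly-registry:23443/#{app}` is untouched. The method begins and ends outside this hunk.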
@@ -27,7 +27,7 @@ run %q{test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales))} - apt %w{vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper} + apt %w{vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper procps} #run %q{curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add} #run %q{apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"} From afa566f7b69a801af8519f1452751c30e9854449 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 02:08:35 +0000 Subject: [PATCH 085/133] repair test --- spec/lib/polly/execute_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/lib/polly/execute_spec.rb b/spec/lib/polly/execute_spec.rb index 44803dd..46adb94 100644 --- a/spec/lib/polly/execute_spec.rb +++ b/spec/lib/polly/execute_spec.rb @@ -8,10 +8,10 @@ context "performing locally" do it "has a simple method that exits on failure" do - expect(Kernel).to receive(:system).with('true').and_return(true) + expect(Kernel).to receive(:system).with('true', {:err => $stderr}).and_return(true) exe.systemx('true') - expect(Kernel).to receive(:system).with('false').and_return(false) + expect(Kernel).to receive(:system).with('false', {:err => $stderr}).and_return(false) expect(Kernel).to receive(:exit).with(1).and_return(true) exe.systemx('false') end From 99f458f5eb10280230c61024b10d5dae2bd4e3bf Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Wed, 10 Apr 2024 02:14:14 +0000 Subject: [PATCH 086/133] simplify --- Pollyfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Pollyfile b/Pollyfile index 4531eaa..ec9f688 100644 --- a/Pollyfile +++ b/Pollyfile @@ -130,10 +130,10 @@ workflow_image = "polly:latest" [{"image"=>workflow_image}], [ {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, - {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, - {"run"=>{"name"=>"demo","command"=>"polly help"}}, + #{"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, + #{"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, - {"run"=>{"name"=>"demo","command"=>"polly build"}}, + #{"run"=>{"name"=>"demo","command"=>"polly build"}}, #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, From 7b973e7668c875d6c256c5fdbda6c84800e8c10d Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 02:23:50 +0000 Subject: [PATCH 087/133] new bits --- Pollyfile | 4 +++- lib/polly/build.rb | 6 ++++-- lib/polly/execute.rb | 20 ++++++++++---------- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/Pollyfile b/Pollyfile index ec9f688..7a98f5e 100644 --- a/Pollyfile +++ b/Pollyfile @@ -123,12 +123,14 @@ #workflow_image = "ghcr.io/unhookd/polly:3.0-rc1" #TODO: !!!! make this make sense to configure -workflow_image = "polly:latest" +workflow_image = "polly-registry:23443/polly-registry/polly:latest" @plain_workflow = plan { job("primary", [{"image"=>workflow_image}], [ + {"run"=>{"name"=>"demo","command"=>"echo DEMO??"}}, + {"run"=>{"name"=>"demo","command"=>"sleep 10"}}, {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, #{"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"demo","command"=>"polly help"}}, 
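Review bot: `workflow_image = "polly-registry:23443/polly-registry/polly:latest"` pins the CI executor to a floating tag, and the build.rb hunk in this same patch pushes `#{app}:latest` on every build, so a test run on any branch executes inside whatever image the most recent build on any branch produced. For reproducible and attributable runs prefer the immutable `#{app}:#{version}` tag (or a digest) and keep `:latest` only as a convenience alias. The `sleep 10` demo step is presumably scaffolding and should not ship in the default workflow.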
diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 87dd92f..a291b6e 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -19,6 +19,7 @@ def self.generated_string_fd(generated_dockerfile) def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil) tag = build_image_to_tag(app, version, build_image_stage) + buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}.compact, "buildctl", @@ -47,9 +48,10 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil end if push_stage - buildctl_local_cmd += ["--output", "type=image,name=#{push_stage}/#{tag.split(":").last},push=true"] + buildctl_local_cmd += ["--output", "type=image,name=#{push_stage}/#{tag.split(':').last},push=true"] else - buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] + buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] + #buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] end puts buildctl_local_cmd.inspect diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 8ccbf71..94b912e 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb 
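Review bot: The new `--output` line pushes `name=polly-registry:23443/polly-registry/#{app}:latest` alongside the versioned tag, but `branch` is a parameter of `buildkit_workstation_to_controller` that this output never uses, so builds from every branch overwrite the same `:latest`; the `generate` command later in this series then derives the image as `#{app}:#{current_branch}`, which this command never publishes. Either publish a branch-qualified name here (`name=.../#{app}:#{branch}`) or drop the unused parameter so the mismatch is explicit. The commented duplicate `#buildctl_local_cmd += [...]` line can go. The method begins and ends outside this hunk.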
@@ -198,20 +198,20 @@ def start_job!(job) Kernel.exit(1) end + first_docker_executor_hint["image"] + #docker_image_url = URI.parse("http://local/#{first_docker_executor_hint["image"]}") #repo = docker_image_url.host - ##TODO: ???? File.basename(docker_image_url.path) + ###TODO: ???? File.basename(docker_image_url.path) #Pathname.new(docker_image_url.path).relative_path_from(Pathname.new("/")).to_s - #add_circleci_job - - #buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] - - version = current_revision - branch = current_branch.gsub("/", "-") - app = current_app - #image_repo = Polly::Config.image_repo - "polly-registry:23443/polly-registry/#{app}:#{version}" + ##add_circleci_job + ##buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] + #version = current_revision + #branch = current_branch.gsub("/", "-") + #app = current_app + ##image_repo = Polly::Config.image_repo + #"polly-registry:23443/polly-registry/#{app}:#{version}" end end From 2d75d5fb3bab3f606d6a7813198789567f09107a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 02:32:17 +0000 Subject: [PATCH 088/133] new bits --- bin/polly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index e1a15fe..7851c46 100755 --- a/bin/polly +++ b/bin/polly @@ -201,7 +201,7 @@ class PollyTasks < Thor plan.jobs_ready_to_start.each do |job_proc| job_to_start = job_proc.call - + obv.report_stdout("plan", "started #{job_to_start.run_name}") obv.flush($stdout, $stderr) exe.start_job!(job_to_start) From 779ca1130829ec486ddfb198fc84622caa84d7c3 Mon Sep 17 00:00:00 2001 
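Review bot: The added statement `first_docker_executor_hint["image"]` at the top of the hunk computes a value and discards it, so it is either a debugging leftover or an implicit nil check that only fires by raising `NoMethodError`; if the intent is to require an image, say so — `raise "executor hint has no image" unless first_docker_executor_hint["image"]` — otherwise delete it. The rest of the hunk only prefixes already-commented lines with a second `#`, and the former `version`/`branch`/`app` locals are now dead comments that git history preserves anyway. `start_job!` begins and ends outside this hunk.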
From: Jon Bardin Date: Wed, 10 Apr 2024 03:14:09 +0000 Subject: [PATCH 089/133] better circleci compat --- Pollyfile | 7 +++---- bin/polly | 33 ++++++++++++++++++--------------- lib/polly/generate.rb | 6 ++++-- lib/polly/plan.rb | 39 +++++++++++++++++++++++++-------------- 4 files changed, 50 insertions(+), 35 deletions(-) diff --git a/Pollyfile b/Pollyfile index 7a98f5e..b968269 100644 --- a/Pollyfile +++ b/Pollyfile @@ -123,14 +123,13 @@ #workflow_image = "ghcr.io/unhookd/polly:3.0-rc1" #TODO: !!!! make this make sense to configure -workflow_image = "polly-registry:23443/polly-registry/polly:latest" +#workflow_image = "polly-registry:23443/polly-registry/polly:latest" @plain_workflow = plan { job("primary", - [{"image"=>workflow_image}], [ - {"run"=>{"name"=>"demo","command"=>"echo DEMO??"}}, - {"run"=>{"name"=>"demo","command"=>"sleep 10"}}, + {"run"=>{"name"=>"demo","command"=>"echo DEMO?????"}}, + {"run"=>{"name"=>"demo","command"=>"sleep 15"}}, {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, #{"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"demo","command"=>"polly help"}}, diff --git a/bin/polly b/bin/polly index 7851c46..6424129 100755 --- a/bin/polly +++ b/bin/polly 
@@ -148,7 +148,7 @@ class PollyTasks < Thor desc "test [PIPELINE]", "Run the CI pipeline" option "concurrency", :type => :numeric, :default => Polly::Plan::DEFAULT_CONCURRENCY, :desc => "Number of divergent paths to process simultaneously" - option "config", :type => :string, :default => "Pollyfile", :desc => "Declaration of config" + #option "config", :type => :string, :default => "Pollyfile", :desc => "Declaration of config" option "with-bootstrap", :type => :string, :default => nil, :desc => "Docker image to use as the build context" option "dry-run", :type => :boolean, :default => false, :desc => "Emit the plan but do not run the pipeline" option "keep-completed", :type => :boolean, :default => false, :desc => "Retain completed pods in kubectl get pods list" @@ -159,7 +159,9 @@ class PollyTasks < Thor option "only", :type => :string, :default => nil, :desc => "Only run specified jobs (comma-separated list)" option "no-init", :type => :boolean, :default => false, :desc => "Do not run pod initialization (eg git-checkout container) before each job (this can speed up debug looping)" option "ident", :type => :string, :default => nil, :desc => "todo" - def test(run_pipeline_upto_these_jobs = nil) + def test(config = nil) + default_config = "Pollyfile" + run_pipeline_upto_these_jobs = nil start_time = Time.now exe = ::Polly::Execute.new(options) 
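Review bot: `def test(config = nil)` changes the meaning of the positional argument from a job selector to a config path, but the `desc "test [PIPELINE]"` line in the first hunk still advertises `[PIPELINE]`, so `polly help test` now documents the wrong thing; update it to `desc "test [CONFIG]", "Run the CI pipeline (CONFIG defaults to Pollyfile)"`. `run_pipeline_upto_these_jobs = nil` is kept only to satisfy later code and reads as a leftover; if the selector feature is gone, remove its uses rather than pinning it to nil. The commented-out `option "config"` line should be deleted rather than kept. `test` continues past the end of this hunk.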
@@ -171,23 +173,22 @@ class PollyTasks < Thor obv.register_channels(["debug", "plan", "exe"]) - config = options["config"] + #config = options["config"] - #TODO: switch plan based on detected hueristics here - if File.exists?(config) - #obv.report_stdout("debug", "using #{config} for config") - if config.include?("Pollyfile") - pollyfile_ruby = File.read(config) - Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, config) - generated_circleci_config_yml = YAML.dump(Polly::Generate.read_circleci_output(options["ident"])) + ##TODO: switch plan based on detected hueristics here + detected_config = config || default_config + if File.exists?(detected_config) + if detected_config == default_config + pollyfile_ruby = File.read(detected_config) + Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, detected_config) + exe_image = "polly-registry:23443/polly-registry/#{exe.current_app}:latest" + generated_circleci_config_yml = YAML.dump(Polly::Generate.read_circleci_output(exe_image, options["ident"])) plan.load_circleci(generated_circleci_config_yml) else - plan.load_circleci(File.read(config)) + plan.load_circleci(File.read(detected_config)) end - elsif File.exists?(".circleci/config.yml") - plan.load_circleci(File.read(".circleci/config.yml")) else - raise "must create #{config} first ..." + raise "must create #{detected_config} first ..." end obv.register_channels(plan.all_jobs.collect { |key, _| key }) @@ -1738,11 +1739,13 @@ HEREDOC Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, pollyfile) + exe_image = "polly-registry:23443/polly-registry/#{exe.current_app}:latest" + case options["mirror"] when "circleci" pollyfile_ruby = File.read("Pollyfile") Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, "Pollyfile") - generated_circleci_config_yml = YAML.dump(Polly::Generate.read_circleci_output) + generated_circleci_config_yml = YAML.dump(Polly::Generate.read_circleci_output(exe_image)) $stdout.write(generated_circleci_config_yml) when "github" 
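Review bot: `if File.exists?(detected_config)` uses `File.exists?`, which was deprecated for years and removed in Ruby 3.2, so on the `ruby3*` packages this series installs it can raise `NoMethodError`; use `File.exist?`. The new dispatch `if detected_config == default_config` only evals a file literally named `Pollyfile`, so `polly test ./Pollyfile` or a Pollyfile in a subdirectory is now parsed as CircleCI YAML, and the previous `.circleci/config.yml` fallback is gone without mention in the commit message; `File.basename(detected_config) == default_config` would keep the old behaviour for paths. The Pollyfile branch still runs `Kernel.eval` on repository content, which is the intended trust model but deserves a comment at the call site saying so. `test` begins before this hunk and ends after it.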
diff --git a/lib/polly/generate.rb b/lib/polly/generate.rb index 67f8cc4..cc5d005 100644 --- a/lib/polly/generate.rb +++ b/lib/polly/generate.rb @@ -22,7 +22,7 @@ def all_images @all_images end - def read_circleci_output(ident = nil) + def read_circleci_output(image, ident = nil) jobs_repacked = {} @pl_wk = ident.nil? ? @workflows_by_ident[@workflows_by_ident.keys.first] : @workflows_by_ident[ident] @@ -42,8 +42,10 @@ def read_circleci_output(ident = nil) } ].compact }.merge({ - "docker" => job_spec.parameters[:executor_hints][:docker] + "docker" => [{"image" => image}] }) + #job_spec.parameters[:executor_hints][:docker] + #[{"image"=>workflow_image}], jobs_repacked[job_name].delete("environment") unless jobs_repacked[job_name]["environment"] && !jobs_repacked[job_name]["environment"].empty? jobs_repacked[job_name].delete("working_directory") unless jobs_repacked[job_name]["working_directory"] } diff --git a/lib/polly/plan.rb b/lib/polly/plan.rb index 5900c04..5d4ff28 100644 --- a/lib/polly/plan.rb +++ b/lib/polly/plan.rb 
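Review bot: `"docker" => [{"image" => image}]` replaces each job's own `executor_hints[:docker]` with the single `image` argument, so a Pollyfile that assigns different images to different jobs is flattened to one image in the generated CircleCI config; if that loss is intended, document it on `read_circleci_output`, otherwise fall back per job with `job_spec.parameters[:executor_hints][:docker] || [{"image" => image}]`. The trailing `#job_spec.parameters[...]` and `#[{"image"=>workflow_image}],` comments look like leftovers. `read_circleci_output` continues past the end of this hunk.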
@@ -211,23 +211,29 @@ def load_circleci(raw_yaml = File.read(DEFAULT_CIRCLECI_CONFIG_YML_PATH)) return unless circle_yaml && circle_yaml["workflows"] && circle_yaml["jobs"] add_job_to_stack = lambda { |job_run_name| + circleci_like_parameters = circle_yaml["jobs"][job_run_name] image = nil - if exe_found = circleci_like_parameters["executor"] - exe_name = exe_found["name"] - if exe_name - image = circle_yaml["executors"][exe_name]["docker"] - else - image = circle_yaml["executors"][exe_found]["docker"] - end - else - image = circleci_like_parameters["docker"] - end + + #if exe_found = circleci_like_parameters["executor"] + #raise exe_found.inspect + # exe_name = exe_found["name"] + # if exe_name + # image = circle_yaml["executors"][exe_name]["docker"] + # else + # image = circle_yaml["executors"][exe_found]["docker"] + # end + #else + #image = circleci_like_parameters["docker"] + #end + + #raise image.inspect #TODO: Regen module #puts "add_circleci_job(#{job_run_name.inspect}, #{image.inspect}, #{circleci_like_parameters["steps"].inspect}, #{circleci_like_parameters["environment"].inspect}, #{circleci_like_parameters["working_directory"].inspect}" - add_circleci_job(job_run_name, image, circleci_like_parameters["steps"], circleci_like_parameters["environment"], circleci_like_parameters["working_directory"]) + ##### !!!! + add_circleci_job(job_run_name, circleci_like_parameters["steps"], circleci_like_parameters["environment"], circleci_like_parameters["working_directory"], circleci_like_parameters["docker"]) } circle_yaml["workflows"].each do |workflow_key, workflow| 
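Review bot: Commenting out the `executor` branch means a CircleCI config that uses named executors (`executor: { name: ... }` or `executor: my_exe`) now reaches `add_circleci_job` with `circleci_like_parameters["docker"]` nil, so the job silently gets no image instead of the one declared under `executors:`; for a commit titled "better circleci compat" that is a regression worth either restoring or failing loudly on, e.g. `raise "executor: is not supported for #{job_run_name}" if circleci_like_parameters["executor"]`. The `image = nil` local is now unused and the `##### !!!!` line is not a comment anyone can act on. `load_circleci` begins and ends outside this hunk.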
@@ -254,12 +260,15 @@ def load_circleci(raw_yaml = File.read(DEFAULT_CIRCLECI_CONFIG_YML_PATH)) end end - def add_circleci_job(job_run_name, docker_params, steps, job_env, working_directory) #, pre_calc_dep = nil) + def add_circleci_job(job_run_name, steps, job_env, working_directory, image = nil) executor_hints = { - :docker => docker_params #TODO: || "polly:latest" } - #steps = circleci_like_parameters["steps"] + if image + executor_hints.merge!({ + :docker => image + }) + end pro_fd = StringIO.new @@ -324,6 +333,8 @@ def add_circleci_job(job_run_name, docker_params, steps, job_env, working_direct :command => pro_fd.read, :working_directory => working_directory, :executor_hints => executor_hints + #.merge({ + # :docker => docker_params #TODO: || "polly:latest" } if count_of_steps > 0 From 2b54c4161cb15de982b6e7263f6178f9391fe8f8 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 03:21:19 +0000 Subject: [PATCH 090/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0e81a0..86ebaff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.29.0] - 2024-04-10 - Jon Bardin + +new version bits + +####### + # [4.28.0] - 2024-04-01 - Jon Bardin Upgrade base images and to ruby3 diff --git a/VERSION b/VERSION index 4e940ae..a7e74fd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.28.0 \ No newline at end of file +4.29.0 \ No newline at end of file From a3dd75d69e76fb1a4521ffee92d1bc1e519e10e1 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 03:25:31 +0000 Subject: [PATCH 091/133] bits --- Pollyfile | 14 +++++++------- bin/polly | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Pollyfile b/Pollyfile index b968269..e4f5157 100644 --- a/Pollyfile +++ b/Pollyfile 
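Review bot: Reordering the positional parameters of `add_circleci_job` (image moved from second to last) is a silent breaking change for any caller not updated in this patch — an old call site passing the image second now has it interpreted as `steps` with no error until iteration; a keyword `image: nil` would make such calls fail fast and reads better at the call site. `executor_hints.merge!({ :docker => image }) if image` can be the shorter `executor_hints[:docker] = image if image`. The commented `#.merge({` lines inside the parameters hash should be removed. `add_circleci_job` continues past the end of these hunks.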
@@ -128,16 +128,16 @@ @plain_workflow = plan { job("primary", [ - {"run"=>{"name"=>"demo","command"=>"echo DEMO?????"}}, - {"run"=>{"name"=>"demo","command"=>"sleep 15"}}, - {"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, - #{"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, + #{"run"=>{"name"=>"demo","command"=>"echo DEMO?????"}}, + #{"run"=>{"name"=>"demo","command"=>"sleep 15"}}, + #{"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, + {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, #{"run"=>{"name"=>"demo","command"=>"polly build"}}, - #{"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, - #{"run"=>{"name"=>"bundler","command"=>"bundle install"}}, - #{"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, + {"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, + {"run"=>{"name"=>"bundler","command"=>"bundle install"}}, + {"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) diff --git a/bin/polly b/bin/polly index 6424129..1c96677 100755 --- a/bin/polly +++ b/bin/polly @@ -1460,7 +1460,7 @@ spec: name: buildkit-client-certs readOnly: true image: #{git_image} - imagePullPolicy: IfNotPresent + imagePullPolicy: Always env: resources: requests: 
@@ -1589,7 +1589,7 @@ HEREDOC end desc "xxh", "debug shell into polly controller" - def xxh(service = "controller", sh_cmd = "sh") + def xxh(service = "controller", sh_cmd = "bash") exe = ::Polly::Execute.new exec(*["kubectl", "exec", exe.polly_pod(service), "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) From 6eb2273192e8d669f752084997ad4bb44e075cdc Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 03:33:23 +0000 Subject: [PATCH 092/133] rebootstrap --- Pollyfile | 4 ++-- lib/polly/plan.rb | 2 +- spec/lib/polly/plan_spec.rb | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Pollyfile b/Pollyfile index e4f5157..06cbe46 100644 --- a/Pollyfile +++ b/Pollyfile @@ -129,9 +129,9 @@ job("primary", [ #{"run"=>{"name"=>"demo","command"=>"echo DEMO?????"}}, - #{"run"=>{"name"=>"demo","command"=>"sleep 15"}}, + #{"run"=>{"name"=>"demo","command"=>"sleep 300"}}, #{"run"=>{"name"=>"demo","command"=>"echo DEMO!!!!"}}, - {"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, + #{"run"=>{"name"=>"demo","command"=>"polly generate > Dockerfile"}}, #{"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"demo","command"=>"sleep infinity"}}, #{"run"=>{"name"=>"demo","command"=>"polly build"}}, diff --git a/lib/polly/plan.rb b/lib/polly/plan.rb index 5d4ff28..d6b78a4 100644 --- a/lib/polly/plan.rb +++ b/lib/polly/plan.rb @@ -206,7 +206,7 @@ def load_circleci(raw_yaml = File.read(DEFAULT_CIRCLECI_CONFIG_YML_PATH)) raise "empty config" if raw_yaml.nil? || raw_yaml.empty? yaml_template_rendered = raw_yaml.gsub("$CIRCLE_SHA1", @revision) - circle_yaml = YAML.load(yaml_template_rendered) + circle_yaml = YAML.load(yaml_template_rendered, :aliases => true) return unless circle_yaml && circle_yaml["workflows"] && circle_yaml["jobs"] diff --git a/spec/lib/polly/plan_spec.rb b/spec/lib/polly/plan_spec.rb index fe8718d..7c207ea 100644 --- a/spec/lib/polly/plan_spec.rb +++ b/spec/lib/polly/plan_spec.rb 
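Review bot: `YAML.load(yaml_template_rendered, :aliases => true)` behaves very differently depending on the Psych version: under Psych 4 (Ruby 3.1+) `YAML.load` is the safe loader and `aliases: true` merely re-enables anchors, but under Psych 3 it is the full unsafe loader that will instantiate arbitrary Ruby objects named in a repository-supplied `.circleci/config.yml`. Since anchors are all that CircleCI configs need, call the safe form explicitly — `circle_yaml = YAML.safe_load(yaml_template_rendered, aliases: true)` — so the behaviour does not depend on the installed gem. The `xxh` default of `bash` is fine, as `sh_cmd` is passed as a single argv element to `kubectl exec`. `load_circleci` continues past the end of this hunk.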
@@ -281,8 +281,8 @@ def plain_workflow(plan) #TODO: more testing, wtf was this for ???? puts "debug stuff here 3" - plan.add_circleci_job("bootstrap", "ubuntu:latest", [{"run"=>{"name"=>"bootstrap", "command"=>"true\n"}}], {}, nil) - plan.add_circleci_job("primary", "polly:latest", [{"run"=>{"name"=>"rspec", "command"=>"bundle exec rspec\n"}}], {}, nil) + plan.add_circleci_job("bootstrap", [{"run"=>{"name"=>"bootstrap", "command"=>"true\n"}}], {}, nil, "ubuntu:latest") + plan.add_circleci_job("primary", [{"run"=>{"name"=>"rspec", "command"=>"bundle exec rspec\n"}}], {}, nil, "polly:latest") plan.depends("primary", "bootstrap") plain_workflow(plan) From c6a48553ed9b330dce21cc2d76794228cc3a76b2 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 04:00:21 +0000 Subject: [PATCH 093/133] better async intermediate output for polly test --- Pollyfile | 1 + bin/polly | 9 ++++++--- lib/polly/execute.rb | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/Pollyfile b/Pollyfile index 06cbe46..1524e0e 100644 --- a/Pollyfile +++ b/Pollyfile @@ -138,6 +138,7 @@ {"run"=>{"name"=>"config","command"=>"bundle config set --local path vendor/bundle"}}, {"run"=>{"name"=>"bundler","command"=>"bundle install"}}, {"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, + {"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} ],{},"/home/app/polly" ) diff --git a/bin/polly b/bin/polly index 1c96677..b2f60e1 100755 --- a/bin/polly +++ b/bin/polly 
@@ -1681,13 +1681,16 @@ HEREDOC #puts kube_exec_cmd.inspect #join(" ") - o,e,s = exe.execute_simple(:output, kube_exec_cmd, {}) + s = exe.execute_simple(:async_wait_status, kube_exec_cmd, {}) #{:out => $stdout, :err => $stderr}) if s - puts o + #puts o + puts "OKOK" else - puts e + #puts e #fail + puts "fail" + fail end end end diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 94b912e..7a2660e 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -836,6 +836,48 @@ def execute_simple(mode, cmd, options) o, e, s = Open3.capture3(*cmd, options) return exit_proc.call(o, e, s, false) + when :async_wait_status + #o, e, s = Open3.capture3(*cmd, options) + #puts options.inspect + $stdout.sync = true + $stderr.sync = true + + i, o, e, s = Open3.popen3(*cmd, options) + + read_io = Proc.new { + chunk = 65432 + begin + stdout = o.read_nonblock(chunk) + $stdout.write(stdout) + rescue IO::EAGAINWaitReadable, Errno::EIO, Errno::EAGAIN, Errno::EINTR => err + #_r, _w, _e = IO.select(process_fds, nil, process_fds, 0.5) + sleep 0.1 + rescue EOFError => err + end + + begin + stderr = e.read_nonblock(chunk) + $stderr.write(stderr) + rescue IO::EAGAINWaitReadable, Errno::EIO, Errno::EAGAIN, Errno::EINTR => err + #_r, _w, _e = IO.select(process_fds, nil, process_fds, 0.5) + sleep 0.1 + rescue EOFError => err + end + } + + while s.alive? + #$stdout.write(".") + + read_io.call + + s.join(0.1) + end + + read_io.call + + return s.value.success? + #return exit_proc.call(o, e, s, false) + when :async stdin, stdout, stderr, wait_thr = Open3.popen3(*cmd, options) return [stdin, stdout, stderr, wait_thr, exit_proc] From 79e55d1376fdceaf0fbbcf54ca857040ebba0f92 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 04:05:19 +0000 Subject: [PATCH 094/133] add updated circleci regen'd bootstrap test suite --- .circleci/config.yml | 5 +++-- bin/polly | 7 ++++++- 2 files changed, 9 insertions(+), 3 deletions(-) 
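Review bot: The failure branch prints `fail` and then raises a bare `fail`, which surfaces as `RuntimeError: unhandled exception` with no indication of which command failed; since the `:async_wait_status` mode has already streamed the child's stdout and stderr, a message is all that is missing, e.g. `fail "polly test: kube exec exited non-zero"`. The `puts "OKOK"` / `puts "fail"` lines read as leftover debugging and can go. The enclosing method starts outside the hunk.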
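Review bot: The new `:async_wait_status` branch leaks all three pipes and can drop output: `i` (the child's stdin) is never closed, so a child that reads stdin blocks forever; `o` and `e` are never closed; and once `s.alive?` turns false only one 65432-byte `read_nonblock` per pipe runs, so anything still buffered beyond that is lost. EOF is also never remembered, so the loop keeps calling `read_nonblock` on finished streams and sleeping. Closing stdin right after `popen3`, draining both pipes until EOF, and releasing them in an `ensure` fixes all of these; the loop then ends when every holder of the write ends has exited, which is also when the output is complete. execute_simple starts outside the hunk.
```ruby
      when :async_wait_status
        $stdout.sync = true
        $stderr.sync = true

        i, o, e, s = Open3.popen3(*cmd, options)
        i.close # the child must not block on a stdin nobody writes to

        # Copy whatever is readable right now; close the pipe at EOF so the
        # loop below knows when each stream is really finished.
        pump = lambda do |src, dst|
          loop { dst.write(src.read_nonblock(65432)) }
        rescue IO::WaitReadable, Errno::EIO, Errno::EINTR
          nil
        rescue EOFError
          src.close
        end

        begin
          until o.closed? && e.closed?
            pump.call(o, $stdout) unless o.closed?
            pump.call(e, $stderr) unless e.closed?
            open_pipes = [o, e].reject(&:closed?)
            IO.select(open_pipes, nil, nil, 0.1) unless open_pipes.empty?
          end
        ensure
          [o, e].each { |io| io.close unless io.closed? }
        end

        return s.value.success?
```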
diff --git a/.circleci/config.yml b/.circleci/config.yml index fb5af0b..cf5b12b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,3 +1,4 @@ +#generated via: polly generate --mirror=circleci --registry=ghcr.io/unhookd > .circleci/config.yml --- workflows: version: 2 @@ -14,9 +15,9 @@ jobs: - run: name: primary command: |- - echo DEMO!!!! bundle config set --local path vendor/bundle bundle install bundle exec rspec + polly help docker: - - image: ghcr.io/unhookd/polly:3.0-rc1 + - image: ghcr.io/unhookd/polly:4.0-rc-3 diff --git a/bin/polly b/bin/polly index b2f60e1..f00e9e2 100755 --- a/bin/polly +++ b/bin/polly @@ -1730,6 +1730,8 @@ HEREDOC desc "generate", "emits CI structure yaml" option "mirror", :type => :string, :default => "dockerfile" + option "registry", :type => :string, :default => "polly-registry:23443/polly-registry" + #ghcr.io/unhookd #TODO: cleanup these bits #option "pipeline-fu", :type => :string, :default => "circleci" #option "image-fu", :type => :string, :default => "buildkit" @@ -1742,7 +1744,9 @@ HEREDOC Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, pollyfile) - exe_image = "polly-registry:23443/polly-registry/#{exe.current_app}:latest" + #ghcr.io/unhookd/polly:3.0-rc1 + + exe_image = "#{options['registry']}/#{exe.current_app}:#{exe.current_branch}" case options["mirror"] when "circleci" @@ -1756,6 +1760,7 @@ HEREDOC when "dockerfile" $stdout.write(Polly::Generate.read_output) + else $stderr.puts "unknown option #{options.inspect}" end From 45a1d249d35f246234bc42133647fa170329663b Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 04:09:13 +0000 Subject: [PATCH 095/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86ebaff..250df1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
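Review bot: `exe_image = "#{options['registry']}/#{exe.current_app}:#{exe.current_branch}"` uses the raw branch name as the image tag, but OCI tags allow only `[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`; a branch such as `feature/x` yields a reference that registries reject or that parses as a different repository path. Unless current_branch is already normalised elsewhere (not visible here), derive the tag the same way `build` does, or at minimum `exe.current_branch.gsub(/[^A-Za-z0-9_.-]/, "-")`. The `generate` body continues outside the hunk.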
@@ -1,3 +1,9 @@ +# [4.30.0] - 2024-04-10 - Jon Bardin + +better async output + +####### + # [4.29.0] - 2024-04-10 - Jon Bardin new version bits diff --git a/VERSION b/VERSION index a7e74fd..37798a5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.29.0 \ No newline at end of file +4.30.0 \ No newline at end of file From 2fb4fa4b81f777dfcc5f39efba339c5a07edecb5 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 04:15:17 +0000 Subject: [PATCH 096/133] bits --- lib/polly/build.rb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index a291b6e..0f23800 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb 
@@ -47,15 +47,16 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil buildctl_local_cmd += ["--opt", "target=#{build_image_stage}"] end - if push_stage - buildctl_local_cmd += ["--output", "type=image,name=#{push_stage}/#{tag.split(':').last},push=true"] - else - buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] - #buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] - end + #if push_stage + # buildctl_local_cmd += ["--output", "type=image,name=#{push_stage}/#{tag.split(':').last},push=true"] + #else + # buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] + # #buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true"] + #end puts buildctl_local_cmd.inspect - exe.systemx(*buildctl_local_cmd) || fail("unable to build") + exe.systemx(*buildctl_local_cmd, "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true") || fail("unable to build") + exe.systemx(*buildctl_local_cmd, "--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true") || fail("unable to build") puts "Built and tagged: #{tag} OK" end From 3010856c11ae3e395d1de10a57c99d82000d2cba Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 10 Apr 2024 07:27:41 +0000 Subject: [PATCH 097/133] add container_image syntax support --- Pollyfile | 4 +-- bin/polly | 73 ++++++++++++++++++++++++++----------------- lib/polly/generate.rb | 12 +++++++ 3 files changed, 58 insertions(+), 31 deletions(-) diff --git a/Pollyfile b/Pollyfile index 1524e0e..e576609 100644 --- a/Pollyfile +++ b/Pollyfile 
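Review bot: The `push_stage` parameter is still accepted but no longer read, and `#{app}:latest` is now pushed on every build regardless of branch or stage, so whoever consumes the floating tag gets whichever branch built last. Two full `buildctl` runs are also not needed for two names: the image exporter takes a comma-separated list, `exe.systemx(*buildctl_local_cmd, "--output", "type=image,\"name=polly-registry:23443/polly-registry/#{tag},polly-registry:23443/polly-registry/#{app}:latest\",push=true") || fail("unable to build")`, and the `:latest` name can then be appended only when the branch policy allows it. buildkit_workstation_to_controller starts outside the hunk.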
@@ -145,7 +145,7 @@ } @gitch_pipeline = continuous { - #TODO: !!!! - #publish @bootstrap_artifact + publish @bootstrap_artifact test @plain_workflow + #TODO: !!! deploy @example_instance } diff --git a/bin/polly b/bin/polly index f00e9e2..3240f9c 100755 --- a/bin/polly +++ b/bin/polly @@ -141,7 +141,7 @@ class PollyTasks < Thor puts cmd_list if options["exec"] - exec(*cmd_list) + exec("bash", "-ex", "-c", cmd_list) end end end @@ -454,7 +454,7 @@ class PollyTasks < Thor generated_dockerfile = nil - if (container_definition == nil || container_definition == "-" || container_definition == default_pollyfile) && File.exists?(default_pollyfile) + if (container_definition == nil && File.exists?(default_pollyfile)) || (container_definition && container_definition.includes?(default_pollyfile) && File.exists?(container_defintion)) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) @@ -466,6 +466,7 @@ class PollyTasks < Thor File.write(file_path, generated_dockerfile) puts file_path + #tag = build_image_to_tag(app, build_image_stage, version) #buildctl_local_cmd = [ # {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}, 
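Review bot: `exec("bash", "-ex", "-c", cmd_list)` passes `cmd_list` as the single `-c` argument, and the `read_shell_commands` helper shown in the generate.rb hunk of this same patch returns an Array of command strings; `exec` raises TypeError for an Array in that position. If that is the value here, `exec("bash", "-ex", "-c", cmd_list.join("\n"))` runs the commands in order and `-e` stops at the first failure as intended. The enclosing method starts outside the hunk.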
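Review bot: The rewritten condition cannot run for an explicit argument: `String#includes?` does not exist (it is `include?`), so `polly build <path>` raises NoMethodError before the second typo, `container_defintion`, is even reached; `File.exists?` is also removed in Ruby 3.2. The second arm should read `(container_definition && container_definition.include?(default_pollyfile) && File.exist?(container_definition))`, with `File.exist?` in the first arm too. Comparing `File.basename(container_definition) == default_pollyfile` would avoid substring matches such as `Pollyfile.bak`. The enclosing `build` method starts outside the hunk.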
@@ -479,31 +480,38 @@ class PollyTasks < Thor raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"]) exit + end - elsif (container_definition != nil || container_definition == "-" || container_definition == default_dockerfile) && File.exists?(container_definition) - #generated_dockerfile = File.read(default_dockerfile) - raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"]) - exit + #elsif ((container_definition == nil && File.exists?(default_dockerfile)) + # raise if version.empty? + # Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, default_dockerfile, options["stage"], options["no-cache"], options["push"]) + # exit - #elsif container_definition == nil && File.exists?(default_dockerfile) - # generated_dockerfile = File.read(default_dockerfile) - else - generated_dockerfile = File.read(container_definition) - end + #elsif File.exists?(container_definition) + #container_definition == default_dockerfile) && + # #generated_dockerfile = File.read(default_dockerfile) + # raise if version.empty? + # Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"]) + # exit - if options["in-cluster"] - Polly::Generate.all_images.each { |build_image| - Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) - } - else - raise if version.empty? - Polly::Build.buildkit_external(exe, app, branch, version, generated_dockerfile, options["no-cache"]) - end + ##elsif container_definition == nil && File.exists?(default_dockerfile) + ## generated_dockerfile = File.read(default_dockerfile) + #else + # generated_dockerfile = File.read(container_definition) + #end - #TODO: ? 
- raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, "wkndr-todo", generated_dockerfile, options["no-cache"]) + #if options["in-cluster"] + # Polly::Generate.all_images.each { |build_image| + # Polly::Build.buildkit_internal(exe, app, build_image, version, generated_dockerfile, options["no-cache"]) + # } + #else + # raise if version.empty? + # Polly::Build.buildkit_external(exe, app, branch, version, generated_dockerfile, options["no-cache"]) + #end + + ##TODO: ? + #raise if version.empty? + #Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, "wkndr-todo", generated_dockerfile, options["no-cache"]) exit @@ -533,6 +541,7 @@ class PollyTasks < Thor end desc "deploy", "deploys kubernetes resources" + option "debug", :type => :boolean, :default => false def deploy(glob = "kubernetes/**/*yaml") exe = ::Polly::Execute.new(options) @@ -561,11 +570,13 @@ class PollyTasks < Thor when "Deployment", "ReplicationController" description["metadata"]["labels"].merge!(exe.polly_labels) description["spec"]["template"]["metadata"]["labels"].merge!(exe.polly_labels) - description["spec"]["template"]["spec"]["initContainers"].each { |c| - if c["image"] == app + ":latest" - c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) - end - } + if description["spec"]["template"]["spec"]["initContainers"] + description["spec"]["template"]["spec"]["initContainers"].each { |c| + if c["image"] == app + ":latest" + c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) + end + } + end description["spec"]["template"]["spec"]["containers"].each { |c| if c["image"] == app + ":latest" c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) 
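Review bot: After the `if` closes at the added `end`, the only live statement left is a bare `exit`, so a container_definition that is not the Pollyfile (the Dockerfile path is now entirely commented out) exits with status 0 without building anything and without a message, which a caller or CI step reads as success. Replace it with `abort "polly build: nothing to build for #{container_definition.inspect}"` until the Dockerfile path is restored. The enclosing `build` method starts outside the hunk.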
@@ -583,7 +594,11 @@ class PollyTasks < Thor resource_paths.each { |resource_path| parser.parse(File.read(resource_path), resource_path) } - #puts all_resources_yaml + + if options["debug"] + puts all_resources_yaml + exit + end apply_yaml = ["kubectl", "apply", "-f", "-"] create_options = {:stdin_data => all_resources_yaml} diff --git a/lib/polly/generate.rb b/lib/polly/generate.rb index cc5d005..a0eedaf 100644 --- a/lib/polly/generate.rb +++ b/lib/polly/generate.rb @@ -312,6 +312,10 @@ def job(*args) @this_plan.add_circleci_job(*args) end + def container_image(filename) + emit(File.read(filename)) + end + def plan @workflows_by_ident ||= {} @@ -334,6 +338,14 @@ def test(plan) @shell_commands << ["polly", "test", "--ident", plan.ident] end + def publish(container_image) + @shell_commands << ["polly", "build"] + end + + def deploy(instance) + @shell_commands << ["polly", "deploy"] + end + def read_shell_commands @shell_commands.collect! { |shell_cmd_array| shell_cmd_array.join(" ") From dde85a0329c35528c4939de245f08dc07468ab2e Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 11 Apr 2024 17:36:24 -0400 Subject: [PATCH 098/133] extra tag support --- bin/polly | 5 +++-- lib/polly/build.rb | 6 +++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/bin/polly b/bin/polly index e1a15fe..dfef8fa 100755 --- a/bin/polly +++ b/bin/polly @@ -440,6 +440,7 @@ class PollyTasks < Thor option "in-cluster", :type => :boolean, :default => false option "stage", :type => :string, :default => nil option "push", :type => :string, :default => nil + option "extra-tag", :type => :string, :default => nil def build(container_definition=nil) default_pollyfile = "Pollyfile" default_dockerfile = "Dockerfile" 
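Review bot: `publish(container_image)` and `deploy(instance)` in generate.rb discard their arguments, so `publish @bootstrap_artifact` in the Pollyfile always enqueues a plain `polly build` regardless of which artifact was named, and `deploy @example_instance` likewise. If that is intended for now, naming them `_container_image` and `_instance` makes the intent visible; otherwise the value should be threaded into the command. `container_image(filename)` reads `filename` relative to whatever directory `generate` runs in, which is worth a one-line comment since Pollyfile authors will assume the repository root.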
@@ -476,13 +477,13 @@ class PollyTasks < Thor # "--local", "context=.", "--local", "dockerfile=.", #"--opt", "filename=#{File.basename(file.path)}", raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit elsif (container_definition != nil || container_definition == "-" || container_definition == default_dockerfile) && File.exists?(container_definition) #generated_dockerfile = File.read(default_dockerfile) raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit #elsif container_definition == nil && File.exists?(default_dockerfile) diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 87dd92f..91f7e26 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -17,7 +17,7 @@ def self.generated_string_fd(generated_dockerfile) fd end - def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil) + def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfile_path, build_image_stage, force_no_cache = nil, push_stage = nil, extra_tag = nil) tag = build_image_to_tag(app, version, build_image_stage) buildctl_local_cmd = [ {"SSH_AUTH_SOCK" => ENV["SSH_AUTH_SOCK"]}.compact, 
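Review bot: buildkit_workstation_to_controller now takes nine positional parameters, the last four optional and passed as `options["stage"], options["no-cache"], options["push"], options["extra-tag"]` at both call sites, so a reader cannot tell which slot is which without opening build.rb. Keyword arguments for the optional tail (`force_no_cache: nil, push_stage: nil, extra_tag: nil`) would make both call sites self-describing. The method body continues outside the hunk.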
@@ -52,6 +52,10 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil buildctl_local_cmd += ["--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true"] end + if extra_tag + buildctl_local_cmd += ["--output", "type=image,name=#{extra_tag}"] + end + puts buildctl_local_cmd.inspect exe.systemx(*buildctl_local_cmd) || fail("unable to build") puts "Built and tagged: #{tag} OK" From 84fc4c3d8903c8ebe156fef3d41c8639d0351724 Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 11 Apr 2024 22:57:52 -0400 Subject: [PATCH 099/133] TODO: figure out why polly build + polly rxn is not working --- bin/polly | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/polly b/bin/polly index b1ca355..9eb0018 100755 --- a/bin/polly +++ b/bin/polly @@ -1624,6 +1624,7 @@ HEREDOC tag = Polly::Build.build_image_to_tag(app, version, options["stage"]) #tag = Polly::Build.build_image_to_tag(app, "wkndr", version) puts tag.inspect + tag = "#{app}:latest" cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact # cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact From 9bf8ca9b3d2f43c7d71ebbf6e5f5a028e2250e6a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 03:51:09 +0000 Subject: [PATCH 100/133] split init and certificates --- bin/polly | 552 ++---------------------------------------------------- 1 file changed, 17 insertions(+), 535 deletions(-) diff --git a/bin/polly b/bin/polly index 3240f9c..67ced09 100755 --- a/bin/polly +++ b/bin/polly 
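Review bot: The extra `--output` added under `if extra_tag` has no `push=true`, so with a remote buildkitd the extra name is exported only into the daemon's store and never reaches a registry, and as far as I recall buildctl/buildkitd releases before multi-exporter support reject a second `--output` outright. Appending the name to the existing exporter's list instead — `"type=image,\"name=polly-registry:23443/polly-registry/#{tag},#{extra_tag}\",push=true"` — avoids both. `extra_tag` is also spliced unvalidated into a comma-separated attribute string, so a value containing `,` becomes additional exporter attributes; it is a CLI option, but checking it against the image-reference grammar before use keeps the failure at the right place. The method starts outside the hunk.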
@@ -542,6 +542,9 @@ class PollyTasks < Thor desc "deploy", "deploys kubernetes resources" option "debug", :type => :boolean, :default => false + option "re-init", :type => :boolean, :default => false + option "with-registry", :type => :boolean, :default => false + option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:4.0-rc-3" def deploy(glob = "kubernetes/**/*yaml") exe = ::Polly::Execute.new(options) @@ -949,10 +952,7 @@ HEREDOC end end - desc "init [CERTS]", "bootstraps project polly controller pod" - option "re-init", :type => :boolean, :default => false - option "with-registry", :type => :boolean, :default => false - option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:4.0-rc-3" + desc "init [CERTS]", "bootstraps certificates into cluster" def init(cert_package_dir) exe = ::Polly::Execute.new @@ -966,14 +966,6 @@ HEREDOC polly_deployments = [] polly_pvcs = [] - #polly_image = "#{exe.current_app}:#{exe.current_revision}" - #polly_command = ["polly", "dev", "/var/lib/polly/Procfile.init", "--rename=polly-init"].to_json - #apache2: /usr/sbin/apache2 -D FOREGROUND - #nginx-apt-proxy: /usr/sbin/nginx -g 'daemon off;' - - git_image = options["with-bootstrap"] # "alpine/git:latest" - git_command = ["sleep", "infinity"].to_json - #etc_slash_ssh_slash_ssh_host_rsa_key #etc_slash_ssh_slash_ssh_host_rsa_key.pub #from-workstation-ca.crt @@ -987,7 +979,7 @@ HEREDOC #File.write("#{dir}/from-workstation-ca.crt", a) #File.write("#{dir}/polly-root-ca.crt", b) #File.write("#{dir}/multipass-mega.crt", c) - # + a = File.open(File.join(cert_package_dir, "from-workstation-ca.crt")).read b = File.open(File.join(cert_package_dir, "polly-root-ca.crt")).read c = File.open(File.join(cert_package_dir, "multipass-mega.crt")).read 
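Review bot: `deploy` gains `re-init`, `with-registry` and `with-bootstrap`, but nothing in the visible `deploy` hunks reads them, while the controller, buildkitd and registry manifests that used those options are deleted from `init` (hunk `@@ -1077,515 +1057,17 @@`) without being added anywhere in this patch's diffstat; unless they already live under `kubernetes/**/*yaml`, `polly init` no longer bootstraps a controller and the three options are dead. If the move is a planned follow-up, a `#TODO` next to the options saying so would stop readers from looking for the consumer. `with-bootstrap` also defaults to the mutable tag `ghcr.io/unhookd/polly:4.0-rc-3`; pinning a digest would make the bootstrap image reproducible.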
@@ -1000,18 +992,6 @@ HEREDOC key3 = File.open(File.join(cert_package_dir, "buildkit-client-cert.key")).read cert3 = File.open(File.join(cert_package_dir, "buildkit-client-cert.crt")).read -#--- -#apiVersion: v1 -#kind: Secret -#metadata: -# name: sshd -#type: Opaque -#data: -# rsa: #{Base64.strict_encode64(data)} -# dsa: #{Base64.strict_encode64(data_dsa)} -# dsa_pub: #{Base64.strict_encode64(key_dsa.public_key.to_s)} -# rsa_pub: #{Base64.strict_encode64(key.public_key.to_s)} -#... polly_certificates = <<-HEREDOC --- apiVersion: v1 
@@ -1077,515 +1057,17 @@ HEREDOC # obv.flush($stdout, $stderr, true) - polly_resources << polly_certificates << <<-HEREDOC ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: polly - namespace: default -... ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: polly - namespace: default -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -... ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: polly-bindings - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: polly -subjects: -- kind: ServiceAccount - name: polly - namespace: default -... -HEREDOC - - polly_pvcs << <<-HEREDOC ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - annotations: - labels: - stack: polly - name: polly-mount -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 5Gi - storageClassName: local-path -... ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: polly-mount - labels: - stack: polly -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteMany - storageClassName: local-path - hostPath: - path: /var/tmp/polly-safe -... -HEREDOC - - polly_services << <<-HEREDOC ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: buildkitd - name: polly-buildkitd -spec: - ports: - - port: 1234 - protocol: TCP - selector: - app: buildkitd -... -HEREDOC - -# polly_services << <<-HEREDOC -#--- -#apiVersion: v1 -#kind: Service -#metadata: -# name: "polly-headless" -#spec: -# clusterIP: "None" -# ports: -# - port: 8111 -# name: nginx-apt-proxy -# protocol: TCP -# - port: 8080 -# name: apache2 -# protocol: TCP -# - port: 5000 -# name: docker-registry -# protocol: TCP -# selector: -# name: "polly-app" -#... 
-#HEREDOC - -# polly_services << <<-HEREDOC -#--- -#apiVersion: v1 -#kind: Service -#metadata: -# name: "polly-app" -#spec: -# ports: -# - port: 8111 -# name: nginx-apt-proxy -# protocol: TCP -# - port: 8080 -# name: apache2 -# protocol: TCP -# selector: -# name: "polly-app" -#... -#HEREDOC - - if options["with-registry"] - polly_services << <<-HEREDOC ---- -apiVersion: v1 -kind: Service -metadata: - name: "polly-registry" -spec: - ports: - - port: 23443 - targetPort: 23443 - name: https - protocol: TCP - selector: - name: "polly-registry" -... -HEREDOC - end - -# polly_services << <<-HEREDOC -#--- -#apiVersion: v1 -#kind: Service -#metadata: -# name: "polly-app-node" -#spec: -# type: NodePort -# ports: -# - port: 5000 -# nodePort: 31500 -# name: docker-registry-node -# protocol: TCP -# selector: -# name: "polly-app" -#... -#HEREDOC - - polly_deployments << <<-HEREDOC ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: polly-buildkitd-configuration -data: - buildkitd.toml: |- - debug = true - [registry."polly-registry:23443"] - ca=["/certs/ca.polly.crt"] - insecure = true -... 
---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app: buildkitd - stack: polly - name: polly-buildkitd -spec: - serviceName: polly-buildkitd - replicas: 1 - podManagementPolicy: Parallel - selector: - matchLabels: - app: buildkitd - template: - metadata: - labels: - name: polly-buildkitd - app: buildkitd - stack: polly - annotations: - container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined - container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined - spec: - terminationGracePeriodSeconds: 180 - containers: -#####<<<<<<< HEAD - - name: buildkitd - image: moby/buildkit:v0.13.1-rootless - #image: moby/buildkit:master-rootless - args: - - --oci-worker-no-process-sandbox - readinessProbe: - exec: - command: - - buildctl - - debug - - workers - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - exec: - command: - - buildctl - - debug - - workers - initialDelaySeconds: 5 - periodSeconds: 30 - securityContext: - # Needs Kubernetes >= 1.19 - seccompProfile: - type: Unconfined - # To change UID/GID, you need to rebuild the image - runAsUser: 1000 - runAsGroup: 1000 - volumeMounts: - # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too, - # but the default VOLUME does not work with rootless on Google's Container-Optimized OS - # as it is mounted with `nosuid,nodev`. 
- # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 - - mountPath: /home/user/.local/share/buildkit - name: buildkitd - - name: configurations - subPath: buildkitd.toml - mountPath: /home/user/.config/buildkit/buildkitd.toml - - name: ca-certificates - mountPath: /certs - volumes: - - name: buildkitd - emptyDir: {} - - name: configurations - configMap: - name: polly-buildkitd-configuration - - name: ca-certificates - secret: - secretName: ca-certificates -####======= -# - name: buildkitd -# image: moby/buildkit:master-rootless -# resources: -# requests: -# memory: 10Mi -# cpu: 10m -# limits: -# memory: 12000Mi -# args: -# - --addr -# - tcp://0.0.0.0:1234 -# - --tlscacert -# - /certs/server/ca.pem -# - --tlscert -# - /certs/server/cert.pem -# - --tlskey -# - /certs/server/key.pem -# - --oci-worker=true -# - --oci-worker-rootless=true -# - --oci-worker-no-process-sandbox=true -# - --oci-worker-gc=true -# - --oci-worker-gc-keepstorage=20000 -# - --oci-worker-snapshotter=overlayfs -# readinessProbe: -# exec: -# command: -# - buildctl -# - --addr -# - tcp://127.0.0.1:1234 -# - --tlscacert -# - /certs/client/ca.pem -# - --tlscert -# - /certs/client/cert.pem -# - --tlskey -# - /certs/client/key.pem -# - debug -# - workers -# initialDelaySeconds: 30 -# periodSeconds: 60 -# successThreshold: 1 -# failureThreshold: 16 -# timeoutSeconds: 30 -# livenessProbe: -# exec: -# command: -# - buildctl -# - --addr -# - tcp://127.0.0.1:1234 -# - --tlscacert -# - /certs/client/ca.pem -# - --tlscert -# - /certs/client/cert.pem -# - --tlskey -# - /certs/client/key.pem -# - debug -# - workers -# initialDelaySeconds: 30 -# periodSeconds: 60 -# successThreshold: 1 -# failureThreshold: 16 -# timeoutSeconds: 30 -# securityContext: -# runAsUser: 1000 -# runAsGroup: 1000 -# ports: -# - containerPort: 1234 -# volumeMounts: -# - name: "share-dir" -# mountPath: /home/user/.local/share/buildkit -# - name: buildkit-daemon-certs -# readOnly: true -# mountPath: /certs/server -# - 
name: buildkit-client-certs -# readOnly: true -# mountPath: /certs/client -# securityContext: -# fsGroup: 1000 -# volumes: -# - name: buildkit-daemon-certs -# secret: -# secretName: buildkit-daemon-certs -# - name: buildkit-client-certs -# secret: -# secretName: buildkit-client-certs -# - name: share-dir -# emptyDir: {} -... ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: polly-controller - labels: - app: polly-controller - stack: polly -spec: - revisionHistoryLimit: 1 - strategy: - type: Recreate - replicas: 1 - selector: - matchLabels: - name: polly-controller - template: - metadata: - labels: - name: polly-controller - stack: polly - spec: - serviceAccountName: polly - volumes: - - name: buildkit-client-certs - secret: - secretName: buildkit-client-certs - - name: polly-mount - persistentVolumeClaim: - claimName: polly-mount - - name: registry-certificates - secret: - secretName: registry-certificates - securityContext: - runAsUser: 1000 - fsGroup: 1000 - #supplementalGroups: [121, 123, 134, 999, 1000, 1001] - initContainers: - containers: - - name: polly-controller - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - volumeMounts: - - mountPath: /polly/safe - name: polly-mount - - mountPath: /etc/ssl/private - name: registry-certificates - readOnly: true - - mountPath: /certs/client - name: buildkit-client-certs - readOnly: true - image: #{git_image} - imagePullPolicy: Always - env: - resources: - requests: - memory: 500Mi - cpu: 10m - limits: - memory: 8000Mi - cpu: 5000m - command: #{git_command} -... -HEREDOC - - if options["with-registry"] - polly_deployments << <<-HEREDOC ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: registry-config -data: - registry.conf: | - version: 0.1 - storage: - filesystem: - rootdirectory: /polly/safe/registry -... 
---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: polly-registry - labels: - app: polly-registry - stack: polly -spec: - revisionHistoryLimit: 1 - strategy: - type: Recreate - replicas: 1 - selector: - matchLabels: - name: polly-registry - template: - metadata: - labels: - name: polly-registry - stack: polly - spec: - hostNetwork: true - volumes: - - name: registry-config - configMap: - name: registry-config - - name: polly-mount - persistentVolumeClaim: - claimName: polly-mount - - name: registry-certificates - secret: - secretName: registry-certificates - initContainers: - containers: - - name: polly-registry - volumeMounts: - - mountPath: /polly/safe - name: polly-mount - - mountPath: /etc/ssl/private - name: registry-certificates - readOnly: true - - mountPath: /registry.conf - subPath: registry.conf - name: registry-config - image: registry:2 - imagePullPolicy: IfNotPresent - resources: - requests: - memory: 500Mi - cpu: 500m - limits: - memory: 1000Mi - cpu: 2000m - ports: - - containerPort: 23443 - name: https - command: - - /bin/registry - args: - - serve - - /registry.conf - env: - - name: REGISTRY_HTTP_TLS_CERTIFICATE - value: /etc/ssl/private/registry.polly.pem - - name: REGISTRY_HTTP_TLS_KEY - value: /etc/ssl/private/registry.polly.key - - name: REGISTRY_HTTP_ADDR - value: 0.0.0.0:23443 -... 
-HEREDOC - end - - polly_run = polly_resources.join + polly_pvcs.join + polly_services.join + polly_deployments.join + polly_run = polly_certificates if options["re-init"] - deploy_polly_app = ["kubectl", "delete", "-f", "-"] + delete_polly_init = ["kubectl", "delete", "-f", "-"] options = {:stdin_data => polly_run} - o,e,s = exe.execute_simple(:output, deploy_polly_app, options) + o,e,s = exe.execute_simple(:output, deploy_polly_init, options) puts [o, e, s] - wait_polly_app_deleted = ["kubectl", "wait", "--for=delete", "pod", "-l", "stack=polly"] - o,e,s = exe.execute_simple(:output, wait_polly_app_deleted, {}) - puts [o, e, s] + #wait_polly_app_deleted = ["kubectl", "wait", "--for=delete", "pod", "-l", "stack=polly"] + #o,e,s = exe.execute_simple(:output, wait_polly_app_deleted, {}) + #puts [o, e, s] end deploy_polly_app = ["kubectl", "apply", "--server-side=true", "-f", "-"] @@ -1594,13 +1076,13 @@ HEREDOC o,e,s = exe.execute_simple(:output, deploy_polly_app, options) puts [o, e, s] - wait_polly_app = ["kubectl", "wait", "--for=condition=available", "deployment/polly-controller"] - o,e,s = exe.execute_simple(:output, wait_polly_app, {}) - puts [o, e, s] + #wait_polly_app = ["kubectl", "wait", "--for=condition=available", "deployment/polly-controller"] + #o,e,s = exe.execute_simple(:output, wait_polly_app, {}) + #puts [o, e, s] - wait_polly_app = ["kubectl", "rollout", "status", "deployment/polly-controller"] - o,e,s = exe.execute_simple(:output, wait_polly_app, {}) - puts [o, e, s] + #wait_polly_app = ["kubectl", "rollout", "status", "deployment/polly-controller"] + #o,e,s = exe.execute_simple(:output, wait_polly_app, {}) + #puts [o, e, s] end desc "xxh", "debug shell into polly controller" From 870bc6c653dc8388800d10f17302f503f236f1bf Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:15:32 +0000 Subject: [PATCH 101/133] better polly deploy debug construction --- bin/polly | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/bin/polly b/bin/polly index 851cec5..b665a36 100755 --- a/bin/polly +++ b/bin/polly @@ -565,7 +565,7 @@ class PollyTasks < Thor resource_paths = Dir.glob(glob) - all_resources_yaml = "" + all_resources = [] document_handler_switch = Proc.new do |document| add_to_pending_documents = false @@ -599,7 +599,7 @@ class PollyTasks < Thor else end - all_resources_yaml << description.to_yaml + "\n...\n" + all_resources << description.to_yaml end handler = Polly::DocumentStreamHandler.new(&document_handler_switch) @@ -608,6 +608,8 @@ class PollyTasks < Thor parser.parse(File.read(resource_path), resource_path) } + all_resources_yaml = all_resources.join("...\n") + if options["debug"] puts all_resources_yaml exit From 244cd64825b80d6ca66430fe3c9f9141987e31c2 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:30:32 +0000 Subject: [PATCH 102/133] better tag support --- bin/polly | 21 +++++++++++++++++++-- lib/polly.rb | 1 + lib/polly/build.rb | 4 ++-- lib/polly/execute.rb | 12 ++++++++++++ 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/bin/polly b/bin/polly index b665a36..6927c1a 100755 --- a/bin/polly +++ b/bin/polly @@ -1132,7 +1132,7 @@ HEREDOC tag = Polly::Build.build_image_to_tag(app, version, options["stage"]) #tag = Polly::Build.build_image_to_tag(app, "wkndr", version) puts tag.inspect - tag = "#{app}:latest" + #tag = "#{app}:latest" cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact # cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact 
@@ -1708,9 +1708,26 @@ HEREDOC end end + desc "tags", "todo" + def tags + exe = ::Polly::Execute.new + polly_registry_ip = exe.polly_service("registry") + uri = URI("https://polly.local:23443/v2/polly-registry/polly/tags/list") + Net::HTTP.start(uri.host, uri.port, use_ssl: true, ipaddr: polly_registry_ip) do |http| + request = Net::HTTP::Get.new(uri) + response = http.request(request) + if response.code == "200" + parsed_response = JSON.parse(response.body) + puts parsed_response["tags"].sort + else + puts response.body + end + end + end + private - def fetch_from_registry(path) + def fetch_from_registry(path) #TODO: delete this? exe = ::Polly::Execute.new #registry_label = "name=polly-registry" diff --git a/lib/polly.rb b/lib/polly.rb index 158a3c7..a42cb37 100644 --- a/lib/polly.rb +++ b/lib/polly.rb @@ -19,6 +19,7 @@ require 'pathname' require 'fileutils' require 'net/ssh' +require 'net/http' module Polly POLLY = "polly" diff --git a/lib/polly/build.rb b/lib/polly/build.rb index 6955c74..3f18fdf 100644 --- a/lib/polly/build.rb +++ b/lib/polly/build.rb @@ -59,8 +59,8 @@ def self.buildkit_workstation_to_controller(exe, app, version, branch, dockerfil end puts buildctl_local_cmd.inspect - exe.systemx(*buildctl_local_cmd, "--output", "type=image,name=polly-registry:23443/polly-registry/#{tag},push=true") || fail("unable to build") - exe.systemx(*buildctl_local_cmd, "--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true") || fail("unable to build") + exe.systemx(*buildctl_local_cmd, "--output", "type=image,\"name=polly-registry:23443/polly-registry/#{tag},polly-registry:23443/polly-registry/#{app}:latest\",push=true") || fail("unable to build") + #exe.systemx(*buildctl_local_cmd, "--output", "type=image,name=polly-registry:23443/polly-registry/#{app}:latest,push=true") || fail("unable to build") puts "Built and tagged: #{tag} OK" end diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 7a2660e..3aa5308 100644 
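Review bot: `tags` raises `NoMethodError` for a repository that has no tags, because the Distribution API returns `"tags": null` in that case and `.sort` is called on `parsed_response["tags"]` unconditionally; `puts Array(parsed_response["tags"]).sort` handles it. The non-200 branch prints the body but still exits 0, so a scripted caller cannot distinguish a registry error from an empty list — `exit 1` (or a `raise`) after `puts response.body` would surface it. `use_ssl: true` with `ipaddr:` keeps certificate verification against the `polly.local` name, which is the right shape and should stay that way.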
--- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -1086,6 +1086,18 @@ def polly_pod(service = "controller") end end + def polly_service(service) + label = "name=#{POLLY}-#{service}" + @polly_services ||= {} + @polly_services[label] ||= begin + cmd = "kubectl get services -l #{label} -o json" + a = IO.popen(cmd) + wait_child + parsed_services = JSON.parse(a.read) + parsed_services["items"][0]["spec"]["clusterIP"] + end + end + def in_polly? current_app == POLLY end From 139d2bb2fee9b04aa9f325a34f60d326eaed8bc7 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:35:58 +0000 Subject: [PATCH 103/133] match polly deploy tag to polly rxn tag --- bin/polly | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index 6927c1a..ef91161 100755 --- a/bin/polly +++ b/bin/polly @@ -555,6 +555,7 @@ class PollyTasks < Thor option "re-init", :type => :boolean, :default => false option "with-registry", :type => :boolean, :default => false option "with-bootstrap", :type => :string, :default => "ghcr.io/unhookd/polly:4.0-rc-3" + option "stage", :type => :string, :default => nil def deploy(glob = "kubernetes/**/*yaml") exe = ::Polly::Execute.new(options) @@ -563,6 +564,8 @@ class PollyTasks < Thor app = exe.current_app image_repo = Polly::Config.image_repo + tag = Polly::Build.build_image_to_tag(app, version, options["stage"]) + resource_paths = Dir.glob(glob) all_resources = [] 
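Review bot: `polly_service` interpolates `service` into a shell command string and hands it to `IO.popen(cmd)`; a String command is passed to `/bin/sh` whenever it contains shell metacharacters, so a value coming from the CLI or a caller is interpreted unescaped. The argv form `IO.popen(["kubectl", "get", "services", "-l", label, "-o", "json"])` avoids the shell entirely. The pipe is read but never closed, and `parsed_services["items"][0]["spec"]` raises `NoMethodError` on `nil` when no Service matches the label, which the memoised `begin` block then has no way to retry; `items = IO.popen([...]) { |io| JSON.parse(io.read) }.fetch("items")` followed by `raise "no service matching #{label}" if items.empty?` covers both. `wait_child` is defined outside this hunk, so I cannot tell whether it already reaps the child.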
@@ -586,13 +589,13 @@ class PollyTasks < Thor if description["spec"]["template"]["spec"]["initContainers"] description["spec"]["template"]["spec"]["initContainers"].each { |c| if c["image"] == app + ":latest" - c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) + c["image"] = (image_repo + "/polly-registry/" + tag) #(app + ":" + branch + "-" + version)) end } end description["spec"]["template"]["spec"]["containers"].each { |c| if c["image"] == app + ":latest" - c["image"] = (image_repo + "/polly-registry/" + (app + ":" + branch + "-" + version)) + c["image"] = (image_repo + "/polly-registry/" + tag) #(app + ":" + branch + "-" + version)) end } From 1361e490675672deb6e5b6ddeea2ec530ef80863 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:37:09 +0000 Subject: [PATCH 104/133] refactor polly-controller/registry/buildkit resources to match polly deploy kubernetes dir pattern --- kubernetes/resources.yaml | 376 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 376 insertions(+) create mode 100644 kubernetes/resources.yaml diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml new file mode 100644 index 0000000..e22376d --- /dev/null +++ b/kubernetes/resources.yaml 
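Review bot: Both rewritten `c["image"]` lines in this hunk keep the old expression as a trailing comment, `#(app + ":" + branch + "-" + version))`, which will drift from whatever `build_image_to_tag` produces and should be dropped rather than kept as documentation. If `branch` was computed only for these two lines, its assignment (outside this hunk) is now dead as well. The enclosing `deploy` command starts outside the hunk.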
@@ -0,0 +1,376 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: polly + namespace: default +... +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: polly + namespace: default +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +... +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: polly-bindings + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: polly +subjects: +- kind: ServiceAccount + name: polly + namespace: default +... +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + labels: + stack: polly + name: polly-mount +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Gi + storageClassName: local-path +... +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: polly-mount + labels: + stack: polly +spec: + capacity: + storage: 50Gi + accessModes: + - ReadWriteMany + storageClassName: local-path + hostPath: + path: /var/tmp/polly-safe +... +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: buildkitd + name: polly-buildkitd +spec: + ports: + - port: 1234 + protocol: TCP + selector: + app: buildkitd +... +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: polly-buildkitd-configuration +data: + buildkitd.toml: |- + debug = true + [registry."polly-registry:23443"] + ca=["/certs/ca.polly.crt"] + insecure = true +... 
+--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: buildkitd + stack: polly + name: polly-buildkitd +spec: + serviceName: polly-buildkitd + replicas: 1 + podManagementPolicy: Parallel + selector: + matchLabels: + app: buildkitd + template: + metadata: + labels: + name: polly-buildkitd + app: buildkitd + stack: polly + annotations: + container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined + container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined + spec: + terminationGracePeriodSeconds: 180 + containers: + - name: buildkitd + image: moby/buildkit:v0.13.1-rootless + args: + - --oci-worker-no-process-sandbox + readinessProbe: + exec: + command: + - buildctl + - debug + - workers + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + exec: + command: + - buildctl + - debug + - workers + initialDelaySeconds: 5 + periodSeconds: 30 + securityContext: + # Needs Kubernetes >= 1.19 + seccompProfile: + type: Unconfined + # To change UID/GID, you need to rebuild the image + runAsUser: 1000 + runAsGroup: 1000 + volumeMounts: + # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too, + # but the default VOLUME does not work with rootless on Google's Container-Optimized OS + # as it is mounted with `nosuid,nodev`. + # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038 + - mountPath: /home/user/.local/share/buildkit + name: buildkitd + - name: configurations + subPath: buildkitd.toml + mountPath: /home/user/.config/buildkit/buildkitd.toml + - name: ca-certificates + mountPath: /certs + volumes: + - name: buildkitd + emptyDir: {} + - name: configurations + configMap: + name: polly-buildkitd-configuration + - name: ca-certificates + secret: + secretName: ca-certificates +... 
+--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: polly-controller + labels: + app: polly-controller + stack: polly +spec: + revisionHistoryLimit: 1 + strategy: + type: Recreate + replicas: 1 + selector: + matchLabels: + name: polly-controller + template: + metadata: + labels: + name: polly-controller + stack: polly + spec: + serviceAccountName: polly + volumes: + - name: buildkit-client-certs + secret: + secretName: buildkit-client-certs + - name: polly-mount + persistentVolumeClaim: + claimName: polly-mount + - name: registry-certificates + secret: + secretName: registry-certificates + securityContext: + runAsUser: 1000 + fsGroup: 1000 + #supplementalGroups: [121, 123, 134, 999, 1000, 1001] + initContainers: + containers: + - name: polly-controller + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + volumeMounts: + - mountPath: /polly/safe + name: polly-mount + - mountPath: /etc/ssl/private + name: registry-certificates + readOnly: true + - mountPath: /certs/client + name: buildkit-client-certs + readOnly: true + image: polly:latest + imagePullPolicy: Always + env: + resources: + requests: + memory: 500Mi + cpu: 10m + limits: + memory: 8000Mi + cpu: 5000m + command: ["sleep", "infinity"] +... +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: registry-config +data: + registry.conf: | + version: 0.1 + storage: + filesystem: + rootdirectory: /polly/safe/registry +... 
+--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: polly-registry + labels: + app: polly-registry + stack: polly +spec: + revisionHistoryLimit: 1 + strategy: + type: Recreate + replicas: 1 + selector: + matchLabels: + name: polly-registry + template: + metadata: + labels: + name: polly-registry + stack: polly + spec: + hostNetwork: true + volumes: + - name: registry-config + configMap: + name: registry-config + - name: polly-mount + persistentVolumeClaim: + claimName: polly-mount + - name: registry-certificates + secret: + secretName: registry-certificates + initContainers: + containers: + - name: polly-registry + volumeMounts: + - mountPath: /polly/safe + name: polly-mount + - mountPath: /etc/ssl/private + name: registry-certificates + readOnly: true + - mountPath: /registry.conf + subPath: registry.conf + name: registry-config + image: registry:2 + imagePullPolicy: IfNotPresent + resources: + requests: + memory: 500Mi + cpu: 500m + limits: + memory: 1000Mi + cpu: 2000m + ports: + - containerPort: 23443 + name: https + command: + - /bin/registry + args: + - serve + - /registry.conf + env: + - name: REGISTRY_HTTP_TLS_CERTIFICATE + value: /etc/ssl/private/registry.polly.pem + - name: REGISTRY_HTTP_TLS_KEY + value: /etc/ssl/private/registry.polly.key + - name: REGISTRY_HTTP_ADDR + value: 0.0.0.0:23443 +... +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: polly-registry-vhost + annotations: + #traefik.ingress.kubernetes.io/service.serversscheme: https + #traefik.ingress.kubernetes.io/router.tls: "true" + #traefik.ingress.kubernetes.io/router.insecureSkipVerify: "true" + #ingress.kubernetes.io/protocol: https + #traefik.ingress.kubernetes.io/router.tls: "false" + #traefik.ingress.kubernetes.io/router.entrypoints: websecure +spec: + rules: + - host: polly-registry + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: polly-registry + port: + name: https + #number: 23443 +... 
+--- +apiVersion: traefik.containo.us/v1alpha1 +kind: ServersTransport +metadata: + name: polly-registry-transport +spec: + insecureSkipVerify: true # Skip SSL verification +... +--- +apiVersion: v1 +kind: Service +metadata: + name: "polly-registry" + labels: + name: "polly-registry" + annotations: + #traefik.ingress.kubernetes.io/service.serversscheme: "https" + #traefik.ingress.kubernetes.io/service.passhostheader: "true" + #traefik.ingress.kubernetes.io/service.serverstransport: nginx-skipverify@kubernetescrd + #traefik.ingress.kubernetes.io/service.serversscheme: https + #traefik.ingress.kubernetes.io/router.tls: "false" + #traefik.ingress.kubernetes.io/service.serverstransport: polly-registry-transport@default + #traefik.ingress.kubernetes.io/service.nativelb: "true" + #traefik.ingress.kubernetes.io/service.nativelb: "true" + #traefik.ingress.kubernetes.io/service.serverstransport: polly-registry-transport@kubernetescrd + #traefik.ingress.kubernetes.io/service.serversscheme: "https" + #traefik.ingress.kubernetes.io/service.serverstransport: "polly-registry-transport" + traefik.ingress.kubernetes.io/service.serverstransport: default-polly-registry-transport@kubernetescrd +spec: + ports: + - port: 23443 + targetPort: 23443 + name: https + protocol: TCP + selector: + name: "polly-registry" +... From e9c1019fc3a62ef9df7c4361714144e866430ce3 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:39:21 +0000 Subject: [PATCH 105/133] comment out polly-registry ingress --- kubernetes/resources.yaml | 74 +++++++++++++++------------------------ 1 file changed, 28 insertions(+), 46 deletions(-) diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml index e22376d..0a5b383 100644 --- a/kubernetes/resources.yaml +++ b/kubernetes/resources.yaml 
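Review bot: The `polly` Role grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, which is namespace-admin for the ServiceAccount the controller runs as, including read and write on the `buildkit-client-certs` and `registry-certificates` Secrets mounted further down; scoping the rules to the resource kinds the controller actually manages is the least-privilege fix the later "minimize reqd RBAC" TODO on this page asks for. In `polly-buildkitd-configuration`, `insecure = true` next to `ca=["/certs/ca.polly.crt"]` tells buildkitd to accept the registry without verifying its certificate, so the CA pin is not enforced — if the mounted CA is correct, `insecure` should go. The `polly-registry` Deployment runs with `hostNetwork: true`, so port 23443 is bound on the node's interfaces rather than only behind the ClusterIP Service, and `registry.conf` has no `auth` section, so anything that can reach the node can push and pull. The buildkitd container is started without `--addr tcp://0.0.0.0:1234` or any `--tls*` flags, so I cannot see what serves the `polly-buildkitd` Service's port 1234; presumably the image default or a later change covers it, worth confirming.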
@@ -312,40 +312,6 @@ spec: value: 0.0.0.0:23443 ... --- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: polly-registry-vhost - annotations: - #traefik.ingress.kubernetes.io/service.serversscheme: https - #traefik.ingress.kubernetes.io/router.tls: "true" - #traefik.ingress.kubernetes.io/router.insecureSkipVerify: "true" - #ingress.kubernetes.io/protocol: https - #traefik.ingress.kubernetes.io/router.tls: "false" - #traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - rules: - - host: polly-registry - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: polly-registry - port: - name: https - #number: 23443 -... ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: ServersTransport -metadata: - name: polly-registry-transport -spec: - insecureSkipVerify: true # Skip SSL verification -... ---- apiVersion: v1 kind: Service metadata: @@ -353,18 +319,7 @@ metadata: labels: name: "polly-registry" annotations: - #traefik.ingress.kubernetes.io/service.serversscheme: "https" - #traefik.ingress.kubernetes.io/service.passhostheader: "true" - #traefik.ingress.kubernetes.io/service.serverstransport: nginx-skipverify@kubernetescrd - #traefik.ingress.kubernetes.io/service.serversscheme: https - #traefik.ingress.kubernetes.io/router.tls: "false" - #traefik.ingress.kubernetes.io/service.serverstransport: polly-registry-transport@default - #traefik.ingress.kubernetes.io/service.nativelb: "true" - #traefik.ingress.kubernetes.io/service.nativelb: "true" - #traefik.ingress.kubernetes.io/service.serverstransport: polly-registry-transport@kubernetescrd - #traefik.ingress.kubernetes.io/service.serversscheme: "https" - #traefik.ingress.kubernetes.io/service.serverstransport: "polly-registry-transport" - traefik.ingress.kubernetes.io/service.serverstransport: default-polly-registry-transport@kubernetescrd + #traefik.ingress.kubernetes.io/service.serverstransport: default-polly-registry-transport@kubernetescrd spec: ports: - port: 23443 
@@ -374,3 +329,30 @@ spec: selector: name: "polly-registry" ... +#TODO: should polly-registry be an Ingress???? security issues exposing polly-registry to wide internet? +#--- +#apiVersion: networking.k8s.io/v1 +#kind: Ingress +#metadata: +# name: polly-registry-vhost +#spec: +# rules: +# - host: polly-registry +# http: +# paths: +# - pathType: Prefix +# path: / +# backend: +# service: +# name: polly-registry +# port: +# name: https +#... +#--- +#apiVersion: traefik.containo.us/v1alpha1 +#kind: ServersTransport +#metadata: +# name: polly-registry-transport +#spec: +# insecureSkipVerify: true # Skip SSL verification +#... From b72d93c4527af590b8202d8b9029928f256058e3 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:48:06 +0000 Subject: [PATCH 106/133] use polly continuous --exec as polly push driver --- config/git-repo/templates/hooks/post-update | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/config/git-repo/templates/hooks/post-update b/config/git-repo/templates/hooks/post-update index 023a3e4..0de7f44 100755 --- a/config/git-repo/templates/hooks/post-update +++ b/config/git-repo/templates/hooks/post-update @@ -22,10 +22,12 @@ then cd ${TMPCHECKOUT} unset GIT_DIR - GENERATED_CI=$(polly continuous) - if [ $? -eq 0 ]; then - ${GENERATED_CI} - fi + polly continuous --exec + + #GENERATED_CI=$(polly continuous) + #if [ $? -eq 0 ]; then + # ${GENERATED_CI} + #fi # bash -x -e -c "${GENERATED_CI}" & # wait From ef56e5c82f734d505a1cc00322bbd04269ce80a7 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:56:23 +0000 Subject: [PATCH 107/133] deploy polly-controller from polly push in polly repo --- Pollyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index e576609..9923f37 100644 --- a/Pollyfile +++ b/Pollyfile 
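Review bot: On the `#TODO: should polly-registry be an Ingress????` question in this hunk: the registry config earlier on this page (`registry.conf`) has no `auth` section, so an Ingress would publish unauthenticated push and pull of every build image, and the Deployment already uses `hostNetwork: true`, so the port is reachable on the node even without one. Keeping the ClusterIP-only Service is the safer default; if external access is ever needed, add registry token or htpasswd auth and a NetworkPolicy first, and note that the commented `ServersTransport` still carries `insecureSkipVerify: true`, which should not be revived as-is. A one-line answer in the comment, e.g. `#NOTE: registry has no auth configured - keep it ClusterIP-only until auth is added`, would capture that.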
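Review bot: `polly continuous --exec` replaces code that checked `$?` before running the generated CI, so a failing pipeline no longer produces any distinct signal in the hook. git ignores a post-update hook's exit status, but its stderr is relayed to the pusher, so `polly continuous --exec || echo "polly continuous failed" >&2` at least tells the person pushing what happened. Whether the script runs under `set -e` is outside this hunk.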
@@ -147,5 +147,5 @@ @gitch_pipeline = continuous { publish @bootstrap_artifact test @plain_workflow - #TODO: !!! deploy @example_instance + deploy @example_instance } From 3172b0860789003f67ac446625625691b1a58bd9 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:58:15 +0000 Subject: [PATCH 108/133] just build on polly push --- Pollyfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Pollyfile b/Pollyfile index 9923f37..f7be244 100644 --- a/Pollyfile +++ b/Pollyfile @@ -146,6 +146,6 @@ @gitch_pipeline = continuous { publish @bootstrap_artifact - test @plain_workflow - deploy @example_instance + #test @plain_workflow + #deploy @example_instance } From d9457c6174791116fbd204fbbaa445abf0226361 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 07:59:10 +0000 Subject: [PATCH 109/133] build and test --- Pollyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index f7be244..a0c46b0 100644 --- a/Pollyfile +++ b/Pollyfile @@ -147,5 +147,5 @@ @gitch_pipeline = continuous { publish @bootstrap_artifact #test @plain_workflow - #deploy @example_instance + deploy @example_instance } From b5779fdcc414023b3ef4eb5fed206d51b2fb288e Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:01:43 +0000 Subject: [PATCH 110/133] update rbac --- kubernetes/resources.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml index 0a5b383..0fae17b 100644 --- a/kubernetes/resources.yaml +++ b/kubernetes/resources.yaml @@ -15,6 +15,16 @@ rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete ... --- apiVersion: rbac.authorization.k8s.io/v1 From f1efc6bb97986bc66c88bb55c2e9f7bcce4f8ac6 Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Fri, 12 Apr 2024 08:05:30 +0000 Subject: [PATCH 111/133] add cluster-wide rbac bits TODO: sort and minimize reqd RBAC for polly-controller --- kubernetes/resources.yaml | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml index 0fae17b..fcbec0a 100644 --- a/kubernetes/resources.yaml +++ b/kubernetes/resources.yaml @@ -15,9 +15,32 @@ rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] +... +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: polly-bindings + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: polly +subjects: +- kind: ServiceAccount + name: polly + namespace: default +... +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: polly +rules: - apiGroups: - "" resources: + - nodes - persistentvolumes verbs: - get @@ -28,13 +51,12 @@ rules: ... --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: name: polly-bindings - namespace: default roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: ClusterRole name: polly subjects: - kind: ServiceAccount From 0cad6b5a76acfb611736f5cc212c5e5bec68031a Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:07:03 +0000 Subject: [PATCH 112/133] add even more mega sudo root level RBAC ... TODO: reduce reqd privs --- kubernetes/resources.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml index fcbec0a..745a708 100644 --- a/kubernetes/resources.yaml +++ b/kubernetes/resources.yaml @@ -42,6 +42,8 @@ rules: resources: - nodes - persistentvolumes + - clusterroles + - clusterrolebindings verbs: - get - list From 7188fc4bbe558cb9c3e8436bf71b704dbc1b6bad Mon Sep 17 00:00:00 2001 
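Review bot: The new `polly` ClusterRole grants `create` and `delete` on `nodes` as well as on `persistentvolumes`; deleting Node objects is rarely something a CI controller needs, and `get`/`list`/`watch` on nodes is normally enough for choosing a node for a hostPath PersistentVolume. If PV provisioning is the reason for the ClusterRole, splitting the rule so that `create`/`delete` apply only to `persistentvolumes` keeps the blast radius of a compromised controller pod to storage objects, in line with the commit message's own TODO.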
From: Jon Bardin Date: Fri, 12 Apr 2024 08:09:03 +0000 Subject: [PATCH 113/133] use correct apiGroups rbac policy spec --- kubernetes/resources.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml index 745a708..08ab030 100644 --- a/kubernetes/resources.yaml +++ b/kubernetes/resources.yaml @@ -50,6 +50,17 @@ rules: - watch - create - delete +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - delete ... --- apiVersion: rbac.authorization.k8s.io/v1 From 78a3380138f68a53c8f708844d5959dbb352a7eb Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:12:14 +0000 Subject: [PATCH 114/133] rename command --- Pollyfile | 4 ++-- lib/polly/generate.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Pollyfile b/Pollyfile index a0c46b0..2d5a189 100644 --- a/Pollyfile +++ b/Pollyfile @@ -145,7 +145,7 @@ } @gitch_pipeline = continuous { - publish @bootstrap_artifact + #build @bootstrap_artifact #test @plain_workflow - deploy @example_instance + #deploy @example_instance } diff --git a/lib/polly/generate.rb b/lib/polly/generate.rb index a0eedaf..35276ec 100644 --- a/lib/polly/generate.rb +++ b/lib/polly/generate.rb @@ -338,7 +338,7 @@ def test(plan) @shell_commands << ["polly", "test", "--ident", plan.ident] end - def publish(container_image) + def build(container_image) @shell_commands << ["polly", "build"] end From b8203da35d4315831d176a3e7b7c7bb263cba811 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:14:32 +0000 Subject: [PATCH 115/133] build, test and deploy --- Pollyfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Pollyfile b/Pollyfile index 2d5a189..32767f9 100644 --- a/Pollyfile +++ b/Pollyfile 
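Review bot: The rule added here under `rbac.authorization.k8s.io` is the one that works, but the `clusterroles`/`clusterrolebindings` entries left under `apiGroups: [""]` by the previous patch (same ClusterRole, earlier on this page) are inert and should be removed so the manifest does not suggest they grant anything. `create` on `clusterroles` and `clusterrolebindings` is escalation-sensitive: the API server's escalation check only lets the ServiceAccount create roles and bindings limited to permissions it already holds, but combined with the wildcard namespace Role that is already a wide set. If the controller merely inspects RBAC, `get`/`list`/`watch` alone would do.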
@@ -145,7 +145,7 @@ } @gitch_pipeline = continuous { - #build @bootstrap_artifact - #test @plain_workflow - #deploy @example_instance + build @bootstrap_artifact + test @plain_workflow + deploy @example_instance } From d2eab14a73ba395363fbf498bb9a16251ef8418b Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:23:03 +0000 Subject: [PATCH 116/133] updates in CHANGELOG.md --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 250df1b..0bda8a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [4.31.0] - 2024-04-12 - Jon Bardin + +Add `polly tags` and initial prototype of build,test,deploy gitch ci + +####### + # [4.30.0] - 2024-04-10 - Jon Bardin better async output diff --git a/VERSION b/VERSION index 37798a5..e8d959f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.30.0 \ No newline at end of file +4.31.0 \ No newline at end of file From 3f2afe354658412de9e7d574a6493c6bf20c5384 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:29:36 +0000 Subject: [PATCH 117/133] repair chown warning --- Dockerfile.default | 8 ++++++-- Pollyfile | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Dockerfile.default b/Dockerfile.default index e100640..7d6e901 100644 --- a/Dockerfile.default +++ b/Dockerfile.default 
@@ -13,7 +13,7 @@ RUN set -ex; \ (getent passwd runner || useradd --uid 1001 --home-dir /home/runner --create-home --shell /bin/bash runner --groups alpha,beta,docker,theta,zeta,tau); \ apt-get update; apt-get install -y locales locales-all; apt-get clean; \ test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); \ - apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; \ + apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper procps; apt-get clean; \ test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg); \ echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; \ apt-get update; apt-get install -y kubectl; apt-get clean; \ @@ -33,7 +33,7 @@ COPY --chown=app bin /__w/polly/polly/bin COPY --chown=app doc /__w/polly/polly/doc RUN set -ex; \ mkdir -p /polly/app /app /__w/polly/polly; \ - chown -R app.alpha /home/app /polly /app /__w/polly/polly; \ + chown -R app:alpha /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app; \ su app -s /bin/bash -c 'cd /__w/polly/polly && gem build polly.gemspec -o /home/app/polly-latest.gem'; \ 
@@ -47,5 +47,9 @@ RUN set -ex; \ ln -sf /usr/local/bin/polly /bin/dockerfile-frontend; \ true; COPY --chown=app Pollyfile /home/app/Pollyfile +COPY --chown=app config/git-repo/templates /home/app/config/git-repo/templates +RUN set -ex; \ + mkdir -p /polly/safe/git/polly/hooks && chown -R app:app /polly/safe; \ + true; USER app ENTRYPOINT ["/bin/dockerfile-frontend"] diff --git a/Pollyfile b/Pollyfile index 32767f9..adbd5ee 100644 --- a/Pollyfile +++ b/Pollyfile @@ -80,7 +80,7 @@ } run %q{mkdir -p /polly/app /app /__w/polly/polly} - run %q{chown -R app.alpha /home/app /polly /app /__w/polly/polly} + run %q{chown -R app:alpha /home/app /polly /app /__w/polly/polly} run %q{chown -R app /home/app /polly /app /__w/polly/polly} run %q{chown -R app /home/app} run %q{su app -s /bin/bash -c 'cd /__w/polly/polly && gem build polly.gemspec -o /home/app/polly-latest.gem'} @@ -110,7 +110,7 @@ "--chown=app config/git-repo/templates /home/app/config/git-repo/templates" } - run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R app.app /polly/safe} + run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R app:app /polly/safe} app From 8cc9f3c43df46c3f4fc8c57d67b3302e358d8c5f Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Fri, 12 Apr 2024 08:35:22 +0000 Subject: [PATCH 118/133] resync build outputs generated auto gha --- .github/workflows/primary.yml | 4 ++-- Dockerfile.default | 2 +- Pollyfile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/primary.yml b/.github/workflows/primary.yml index 2db27db..b55022e 100644 --- a/.github/workflows/primary.yml +++ b/.github/workflows/primary.yml 
@@ -42,7 +42,7 @@ jobs: (getent passwd runner || useradd --uid 1001 --home-dir /home/runner --create-home --shell /bin/bash runner --groups alpha,beta,docker,theta,zeta,tau); apt-get update; apt-get install -y locales locales-all; apt-get clean; test -e /usr/lib/locale/locale-archive || ((locale-gen --purge en_US); (echo -e "LANG=$LANG\nLANGUAGE=$LANGUAGE\n" | tee /etc/default/locale); (locale-gen $LANGUAGE); (dpkg-reconfigure locales)); - apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper; apt-get clean; + apt-get update; apt-get install -y vim git curl apt-transport-https aptitude ca-certificates apt-utils software-properties-common docker.io build-essential libyaml-dev ruby3* libruby3* ruby-bundler rubygems-integration rake amazon-ecr-credential-helper procps; apt-get clean; test -e /etc/apt/keyrings/kubernetes-apt-keyring.gpg || (curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --batch --no-tty --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg); echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list; apt-get update; apt-get install -y kubectl; apt-get clean; 
@@ -51,7 +51,7 @@ jobs: mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/v0.13.1/buildkit-v0.13.1.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit; mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly; - chown -R app.alpha /home/app /polly /app /__w/polly/polly; + chown -R app:alpha /home/app /polly /app /__w/polly/polly; chown -R app /home/app /polly /app /__w/polly/polly; chown -R app /home/app; su app -s /bin/bash -c 'cd /__w/polly/polly && gem build polly.gemspec -o /home/app/polly-latest.gem'; diff --git a/Dockerfile.default b/Dockerfile.default index 7d6e901..11b612c 100644 --- a/Dockerfile.default +++ b/Dockerfile.default @@ -32,7 +32,7 @@ COPY --chown=app lib /__w/polly/polly/lib COPY --chown=app bin /__w/polly/polly/bin COPY --chown=app doc /__w/polly/polly/doc RUN set -ex; \ - mkdir -p /polly/app /app /__w/polly/polly; \ + mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly; \ chown -R app:alpha /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app /polly /app /__w/polly/polly; \ chown -R app /home/app; \ diff --git a/Pollyfile b/Pollyfile index adbd5ee..8db6959 100644 --- a/Pollyfile +++ b/Pollyfile @@ -79,7 +79,7 @@ "--chown=app doc /__w/polly/polly/doc" } - run %q{mkdir -p /polly/app /app /__w/polly/polly} + run %q{mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly} run %q{chown -R app:alpha /home/app /polly /app /__w/polly/polly} run %q{chown -R app /home/app /polly /app /__w/polly/polly} run %q{chown -R app /home/app} From 9031d34148193538c48073c439983ec8a35e2af3 Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 27 Jun 2024 18:08:45 -0400 Subject: [PATCH 119/133] add def exe --- bin/polly | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) 
diff --git a/bin/polly b/bin/polly
index 9eb0018..a504bf6 100755
--- a/bin/polly
+++ b/bin/polly
@@ -1603,9 +1603,9 @@ HEREDOC
 exec(*["kubectl", "run", "shr", "-it", "--pod-running-timeout=3m0s", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact)
 end
- desc "rxn", "run app pod"
+ desc "rxn [CMD]", "rxn app pod"
 option "stage", :type => :string, :default => nil
- def rxn(rxn_cmd = "bash")
+ def rxn(rxn_cmd = "/bin/bash")
 exe = ::Polly::Execute.new
 environment_overrides = nil
@@ -1633,6 +1633,36 @@ HEREDOC
 exec(*cmd)
 end
+ desc "exe", "exe app pod"
+ option "stage", :type => :string, :default => nil
+ def exe
+ exe = ::Polly::Execute.new
+
+ environment_overrides = nil
+ if File.exist?("vertical.yaml")
+ vertical_lookup = YAML.load(File.read("vertical.yaml"))
+ environment_overrides = vertical_lookup["environment-overrides"]
+ end
+
+ env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" }
+
+ version = exe.current_revision
+ branch = exe.current_branch.gsub("/", "-")
+ app = exe.current_app
+ image_repo = Polly::Config.image_repo
+
+ tag = Polly::Build.build_image_to_tag(app, version, options["stage"])
+ #tag = Polly::Build.build_image_to_tag(app, "wkndr", version)
+ puts tag.inspect
+ tag = "#{app}:latest"
+
+ cmd = ["kubectl", "run", "exe-#{app}", "--attach=true", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true"].compact
+ # cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact
+ puts cmd.inspect
+
+ exec(*cmd)
+ end
+
 desc "wxh", "workstation instance"
 def wxh(profile)
 exe = ::Polly::Execute.new
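Review bot: In the new `exe` command the tag resolved by `Polly::Build.build_image_to_tag(app, version, options["stage"])` is printed and then immediately overwritten by `tag = "#{app}:latest"`, so the pod always runs whatever `latest` currently points to and the `--stage` option has no effect on the image that is started. If `latest` is a deliberate shortcut, say so in a comment and drop the unused `branch` and `image_repo` assignments; otherwise delete the overriding line. `YAML.load` on `vertical.yaml` is the unrestricted loader on Psych versions before 4, so `YAML.safe_load(File.read("vertical.yaml"))` is the safer call for a file that only needs plain hashes and strings — worth confirming which Psych the gem runs with.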
From 0349fb5ebbc921be95a1abd9d3a764db77bbfd47 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Thu, 27 Jun 2024 22:59:32 +0000 Subject: [PATCH 120/133] fix bits --- bin/polly | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/polly b/bin/polly index ef91161..f869ab7 100755 --- a/bin/polly +++ b/bin/polly @@ -455,7 +455,7 @@ class PollyTasks < Thor generated_dockerfile = nil - if (container_definition == nil && File.exists?(default_pollyfile)) || (container_definition && container_definition.includes?(default_pollyfile) && File.exists?(container_defintion)) + if (container_definition == nil && File.exists?(default_pollyfile)) || (container_definition && container_definition.include?(default_pollyfile) && File.exists?(container_defintion)) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) @@ -481,7 +481,7 @@ class PollyTasks < Thor raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit - elsif (container_definition == nil && File.exists(default_dockerfile)) || (container_definition && container_definition.includes?(default_dockerfile) && File.exists?(container_definition)) + elsif (container_definition == nil && File.exist?(default_dockerfile)) || (container_definition && container_definition.include?(default_dockerfile) && File.exist?(container_definition)) raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit From 7ded9baf622034aa40aaef4e57938bcae37d543c Mon Sep 17 00:00:00 2001 
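Review bot: The rewritten condition in the `@@ -455` hunk still calls `File.exists?`, which Ruby 3.2 removed, and its second disjunct reads `container_defintion` (misspelt), so that branch raises NameError as soon as `container_definition` is set and includes the Pollyfile name; the `@@ -481` hunk below already switches to `File.exist?`, so the same treatment belongs here: `if (container_definition == nil && File.exist?(default_pollyfile)) || (container_definition && container_definition.include?(default_pollyfile) && File.exist?(container_definition))`. The misspelling survives into the `@@ -455` hunk of patch 122 as well. The enclosing method starts and ends outside both hunks.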
From: Jon Bardin Date: Mon, 1 Jul 2024 14:56:05 -0400 Subject: [PATCH 121/133] add simple httpd static file server --- bin/polly | 12 ++++++++++++ lib/polly.rb | 2 ++ polly.gemspec | 2 ++ 3 files changed, 16 insertions(+) diff --git a/bin/polly b/bin/polly index b1f3256..dee1aa0 100755 --- a/bin/polly +++ b/bin/polly @@ -9,6 +9,18 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) require 'polly' class PollyTasks < Thor + desc "static [PUBDIR]", "serves static files over http" + def static(pubdir = "public") + app = Rack::Builder.new do + map "/" do + use Rack::Static, :urls => [""], :root => 'public', :index => 'index.html', :header_rules => [[:all, {'cache-control' => 'private,max-age=0,must-revalidate,no-store'}]] + run proc { |env| } + end + end + + Rackup::Server.start(app: app) + end + desc "changelog [CHANGELOG]", "appends changelog item to CHANGELOG.md" def changelog(changelog = "CHANGELOG.md") exe = Polly::Execute.new diff --git a/lib/polly.rb b/lib/polly.rb index 5e236b5..90805b7 100644 --- a/lib/polly.rb +++ b/lib/polly.rb @@ -19,6 +19,8 @@ require 'pathname' require 'fileutils' require 'net/ssh' +require 'rack' +require 'rackup' module Polly POLLY = "polly" diff --git a/polly.gemspec b/polly.gemspec index bbd00d1..6660e1d 100644 --- a/polly.gemspec +++ b/polly.gemspec @@ -22,4 +22,6 @@ Gem::Specification.new do |spec| spec.add_dependency "net-ssh", "~> 6.0" spec.add_dependency "yajl-ruby", "= 1.4.1" spec.add_dependency "guard", "~> 2.18" + spec.add_dependency "rack", "~> 3.0" + spec.add_dependency "rackup", "~> 2.1" end From 89da494b9c719bd35119091693280eaa78bc6844 Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 5 Dec 2024 13:34:33 -0500 Subject: [PATCH 122/133] update rxn utilz --- bin/polly | 76 +++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 60 insertions(+), 16 deletions(-) diff --git a/bin/polly b/bin/polly index 286e058..672fb80 100755 --- a/bin/polly +++ b/bin/polly 
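Review bot: `static(pubdir = "public")` never uses `pubdir` — `Rack::Static` is built with `:root => 'public'`, so `polly static other_dir` silently serves `public/`; it should be `:root => pubdir`. The fall-through app `run proc { |env| }` returns nil, which is not a valid Rack response, so any request the static handler does not serve (a missing file, for instance) raises inside rackup instead of answering 404; `run proc { |_env| [404, { "content-type" => "text/plain" }, ["not found"]] }` makes that explicit. As written `:urls => [""]` routes every path through the static handler, which is presumably intended and deserves a one-line comment. As I recall, `Rackup::Server.start` with no options binds to localhost only when the environment is development and to all interfaces otherwise; passing `Host:` explicitly (or documenting the default) would make the exposure deliberate.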
@@ -455,7 +455,7 @@ class PollyTasks < Thor generated_dockerfile = nil - if (container_definition == nil && File.exists?(default_pollyfile)) || (container_definition && container_definition.includes?(default_pollyfile) && File.exists?(container_defintion)) + if (container_definition == nil && File.exist?(default_pollyfile)) || (container_definition && container_definition.include?(default_pollyfile) && File.exist?(container_defintion)) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) @@ -481,7 +481,7 @@ class PollyTasks < Thor raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, File.basename(file_path), options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit - elsif (container_definition == nil && File.exists(default_dockerfile)) || (container_definition && container_definition.includes?(default_dockerfile) && File.exists?(container_definition)) + elsif (container_definition == nil && File.exist?(default_dockerfile)) || (container_definition && container_definition.include?(default_dockerfile) && File.exist?(container_definition)) raise if version.empty? Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit 
@@ -1114,37 +1114,81 @@ HEREDOC exec(*["kubectl", "run", "shr", "-it", "--pod-running-timeout=3m0s", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) end - desc "rxn [CMD]", "rxn app pod" + desc "rxn [CMD]", "rxn app pod" # uses --command override of ENTRYPOINT/CMD option "stage", :type => :string, :default => nil def rxn(rxn_cmd = "/bin/bash") exe = ::Polly::Execute.new - environment_overrides = nil - if File.exist?("vertical.yaml") - vertical_lookup = YAML.load(File.read("vertical.yaml")) - environment_overrides = vertical_lookup["environment-overrides"] - end - - env_flags = (environment_overrides || []).collect { |env| "--env=#{env["name"]}=#{env["value"]}" } - version = exe.current_revision branch = exe.current_branch.gsub("/", "-") app = exe.current_app image_repo = Polly::Config.image_repo tag = Polly::Build.build_image_to_tag(app, version, options["stage"]) - #tag = Polly::Build.build_image_to_tag(app, "wkndr", version) puts tag.inspect - #tag = "#{app}:latest" - cmd = ["kubectl", "run", "rxn-#{app}", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact - # cmd = ["kubectl", "run", "rxn", "--attach=true", "-it", "--pod-running-timeout=3m0s", *env_flags, "--image=polly-registry:23443/polly-registry/#{tag}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--command", "--", rxn_cmd].compact + pod_name = "rxn-#{app}" + pod_image = "polly-registry:23443/polly-registry/#{tag}" + + spec_overrides = { + "spec" => { + "containers" => [{ + "name" => pod_name, + "image" => pod_image, + "imagePullPolicy" => "Always", + "command" => [ + rxn_cmd + ], + "stdin" => true, + "stdinOnce" => true, + "tty" => true + }] + } + } + + environment_overrides = nil + if File.exist?("vertical.yaml") + vertical_lookup = 
YAML.load(File.read("vertical.yaml")) + environment_overrides = vertical_lookup["environment-overrides"] + + volume_mounts = vertical_lookup["volume-mounts"] + volumes = vertical_lookup["volumes"] + + envs = (environment_overrides || []) + + spec_overrides["spec"]["containers"][0]["env"] = envs + spec_overrides["spec"]["containers"][0]["volumeMounts"] = volume_mounts + spec_overrides["spec"]["volumes"] = volumes + end + + #"containers": [ + # { + # "name": "polly-bootstrap", + # "image": "alpine/git:latest", + # "command": ["/bin/sh"], + # "stdin": true, + # "stdinOnce": true, + # "tty": false, + # "volumeMounts": [{ + # "mountPath": "/polly-safe", + # "name": "polly-mount" + # }] + # } + #], + #"volumes": [{ + # "name":"polly-mount", + # "persistentVolumeClaim": { + # "claimName": "polly-mount" + # } + #}] + + cmd = ["kubectl", "run", pod_name, "--attach=true", "-it", "--pod-running-timeout=3m0s", "--image=#{pod_image}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--overrides", JSON.dump(spec_overrides), "--command", "--", rxn_cmd].compact puts cmd.inspect exec(*cmd) end - desc "exe", "exe app pod" + desc "exe", "exe app pod" # matches docker run use case, invokes ENTRYPOINT/CMD option "stage", :type => :string, :default => nil def exe exe = ::Polly::Execute.new From fad178d48445b4d4c84409b437b6ccd9b0d93edd Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 13 Jan 2025 14:33:18 -0500 Subject: [PATCH 123/133] ruby3 compat names --- lib/polly.rb | 2 +- lib/polly/execute.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/polly.rb b/lib/polly.rb index b28348b..1ef0417 100644 --- a/lib/polly.rb +++ b/lib/polly.rb @@ -1,4 +1,4 @@ -if Dir.exists?(File.expand_path("../.bundle", __dir__)) +if Dir.exist?(File.expand_path("../.bundle", __dir__)) ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__) require "bundler/setup" # Set up gems listed in the Gemfile. 
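Review bot: Inside the `vertical.yaml` branch of `rxn`, `volume_mounts` and `volumes` are written into `spec_overrides` even when the file has no `volume-mounts`/`volumes` keys, which emits `"volumeMounts": null` and `"volumes": null` into the `--overrides` JSON; even if kubectl's merge tolerates the nulls, guarding each assignment (`... = volume_mounts if volume_mounts`) keeps a minimal vertical.yaml from depending on that. The twenty commented-out `containers`/`volumes` lines between that branch and the `cmd` line document nothing the code uses; a one-line comment such as `# vertical.yaml keys read here: environment-overrides, volume-mounts, volumes` would carry the same information. `YAML.load` is the unrestricted loader on Psych before 4 — `YAML.safe_load` suffices for the plain hashes read here. The whole `rxn` method lies inside this hunk.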
diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 3aa5308..599fb33 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb @@ -59,7 +59,7 @@ def systemx(*cmd) end def check_current_kube_context_is_safe! - if File.exists?(File.join(Etc.getpwuid.dir, ".kube/config")) || ENV['KUBE_CONFIG'] + if File.exist?(File.join(Etc.getpwuid.dir, ".kube/config")) || ENV['KUBE_CONFIG'] begin current_kube_context = IO.popen("kubectl config current-context").read.strip return true if current_kube_context.empty? @@ -383,7 +383,7 @@ def start_job!(job) "runAsUser" => username_to_uid(first_docker_executor_hint["user"]), #"runAsGroup" => 134 "fsGroup" => 999, - "supplementalGroups" => [999, 1000, File.exists?("/var/run/docker.sock") ? File.stat("/var/run/docker.sock").gid : 1001] #TODO: fix this hack + "supplementalGroups" => [999, 1000, File.exist?("/var/run/docker.sock") ? File.stat("/var/run/docker.sock").gid : 1001] #TODO: fix this hack }, "containers" => [ { From 9b7324222888c3b9ee70495a77fb8192773bda5e Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 24 Mar 2025 23:47:48 +0000 Subject: [PATCH 124/133] add polly xxx --- bin/polly | 7 +++++++ lib/polly/execute.rb | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/bin/polly b/bin/polly index f496c26..2bc52e6 100755 --- a/bin/polly +++ b/bin/polly @@ -1119,6 +1119,13 @@ HEREDOC exec(*["kubectl", "exec", exe.polly_pod(service), "-i", $stdin.tty? ? "-t" : nil, "--", sh_cmd].compact) end + desc "xxx", "debug shell into app" + def xxx(*sh_cmd) + exe = ::Polly::Execute.new + + exec(*["kubectl", "exec", exe.app_pod, "-i", $stdin.tty? ? "-t" : nil, "--", *sh_cmd].compact) + end + desc "shr", "run a polly shell" def shr(shr_cmd = "bash") exe = ::Polly::Execute.new diff --git a/lib/polly/execute.rb b/lib/polly/execute.rb index 3aa5308..3e050de 100644 --- a/lib/polly/execute.rb +++ b/lib/polly/execute.rb 
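Review bot: The new `xxx` command passes `exe.app_pod` straight into `kubectl exec`; when no running app pod matches, `app_pod` (defined in the execute.rb hunk of this patch) returns nil, `.compact` drops it, and the command degrades to `kubectl exec -i -- <cmd>`, whose error will not say that no pod was found. A guard before the `exec`, `pod = exe.app_pod or abort("no running app pod found")`, gives the user the real reason. The `$stdin.tty? ? "-t" : nil` handling matches the existing exec command above it.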
@@ -1086,6 +1086,13 @@ def polly_pod(service = "controller") end end + def app_pod + cmd = "kubectl get pods --field-selector=status.phase=Running -l #{polly_labels.flatten.each_slice(2).collect { |x| x.join("=") }.join(",")} -o name | cut -d/ -f2" + a = IO.popen(cmd).read.strip.split("\n")[0] + #wait_child + a + end + def polly_service(service) label = "name=#{POLLY}-#{service}" @polly_services ||= {} From 7e8bae84ad3514e8515aceda2fa9e523f0548226 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 24 Mar 2025 23:48:54 +0000 Subject: [PATCH 125/133] repair spelling --- bin/polly | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/polly b/bin/polly index 2bc52e6..7a8c01a 100755 --- a/bin/polly +++ b/bin/polly @@ -467,7 +467,7 @@ class PollyTasks < Thor generated_dockerfile = nil - if (container_definition == nil && File.exist?(default_pollyfile)) || (container_definition && container_definition.include?(default_pollyfile) && File.exist?(container_defintion)) + if (container_definition == nil && File.exist?(default_pollyfile)) || (container_definition && container_definition.include?(default_pollyfile) && File.exist?(container_definition)) pollyfile_ruby = File.read(default_pollyfile) #TODO: ??? Polly::Generate.options = options Kernel.eval(pollyfile_ruby, Polly::Generate.get_binding, default_pollyfile) From 0e4b08a8007c38e053fa422f58c4662a2e64fede Mon Sep 17 00:00:00 2001 From: Jon Date: Wed, 26 Mar 2025 15:17:59 -0400 Subject: [PATCH 126/133] add --port to polly rxn --- bin/polly | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/bin/polly b/bin/polly index f496c26..1952858 100755 --- a/bin/polly +++ b/bin/polly 
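Review bot: `IO.popen(cmd).read` in `app_pod` never closes the pipe or reaps the child — the `#wait_child` comment hints at this — so each call leaves the descriptor open until GC and the finished `kubectl` as a zombie; the block form `IO.popen(cmd) { |io| io.read }` fixes both. The string form also runs through `/bin/sh`; the label values come from `polly_labels`, so nothing untrusted reaches the shell here, but the array form `IO.popen(["kubectl", "get", "pods", "--field-selector=status.phase=Running", "-l", selector, "-o", "name"])` with the `pod/` prefix stripped in Ruby (`.sub(%r{\Apod/}, "")`) removes both the shell and the `cut` pipeline. Returning nil when no pod is running is fine as long as callers check it; `bin/polly xxx` in this same patch does not.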
@@ -495,7 +495,7 @@ class PollyTasks < Thor exit elsif (container_definition == nil && File.exist?(default_dockerfile)) || (container_definition && container_definition.include?(default_dockerfile) && File.exist?(container_definition)) raise if version.empty? - Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition, options["stage"], options["no-cache"], options["push"], options["extra-tag"]) + Polly::Build.buildkit_workstation_to_controller(exe, app, version, branch, container_definition || default_dockerfile, options["stage"], options["no-cache"], options["push"], options["extra-tag"]) exit ##elsif container_definition == nil && File.exists?(default_dockerfile) @@ -1126,9 +1126,10 @@ HEREDOC exec(*["kubectl", "run", "shr", "-it", "--pod-running-timeout=3m0s", "--image=ghcr.io/unhookd/polly:master", "--image-pull-policy=IfNotPresent", "--rm=true", "--quiet=true", "--", shr_cmd].compact) end - desc "rxn [CMD]", "rxn app pod" # uses --command override of ENTRYPOINT/CMD + desc "rxn CMD", "rxn app pod" # uses --command override of ENTRYPOINT/CMD option "stage", :type => :string, :default => nil - def rxn(rxn_cmd = "/bin/bash") + option "port", :type => :numeric, :default => nil + def rxn(*cmd) exe = ::Polly::Execute.new version = exe.current_revision @@ -1142,6 +1143,8 @@ HEREDOC pod_name = "rxn-#{app}" pod_image = "polly-registry:23443/polly-registry/#{tag}" + cmd << "/bin/bash" if cmd.empty? + spec_overrides = { "spec" => { "containers" => [{ @@ -1149,7 +1152,7 @@ HEREDOC "image" => pod_image, "imagePullPolicy" => "Always", "command" => [ - rxn_cmd + *cmd ], "stdin" => true, "stdinOnce" => true, 
@@ -1194,7 +1197,13 @@ HEREDOC # } #}] - cmd = ["kubectl", "run", pod_name, "--attach=true", "-it", "--pod-running-timeout=3m0s", "--image=#{pod_image}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", "--overrides", JSON.dump(spec_overrides), "--command", "--", rxn_cmd].compact + expose_port_args = [] + if options["port"] + expose_port_args << "--expose=true" + expose_port_args << "--port=#{options['port']}" + end + + cmd = ["kubectl", "run", pod_name, "--attach=true", "-it", "--pod-running-timeout=3m0s", "--image=#{pod_image}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", *expose_port_args, "--overrides", JSON.dump(spec_overrides), "--command", "--", *cmd].compact puts cmd.inspect exec(*cmd) From fc97847ab9e041aeca251a98c04b14ab78e9fd78 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 2 Jun 2025 20:09:50 -0400 Subject: [PATCH 127/133] Update Pollyfile --- Pollyfile | 48 ++++++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/Pollyfile b/Pollyfile index 8db6959..8210628 100644 --- a/Pollyfile +++ b/Pollyfile @@ -20,7 +20,7 @@ group(1000, "theta") group(1001, "zeta") - useradd(1000, "app", "alpha,beta,docker,theta,zeta,tau") + useradd(1000, "polly", "alpha,beta,docker,theta,zeta,tau") useradd(1001, "runner", "alpha,beta,docker,theta,zeta,tau") apt %w{locales locales-all} @@ -36,10 +36,10 @@ apt %w{kubectl} - run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) app} + run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) polly} run %q{usermod -a -G $(grep docker /etc/group | cut -d: -f3) runner} - buildkit_version = "v0.13.1" + buildkit_version = "v0.22.0" run %Q{mkdir /tmp/buildkit && cd /tmp/buildkit && curl -sL -o buildkit.tar.gz "https://github.com/moby/buildkit/releases/download/#{buildkit_version}/buildkit-#{buildkit_version}.linux-amd64.tar.gz" && tar zxf buildkit.tar.gz && mv bin/buildctl /usr/local/bin && cd && rm -Rf /tmp/buildkit} } 
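Review bot: `cmd = ["kubectl", "run", pod_name, ..., "--", *cmd].compact` rebinds the splat parameter `cmd` — the user's command — to the kubectl argv, so `exec(*cmd)` two lines later reads a different value under the same name; it works only because `*cmd` on the right is expanded before the assignment. `kubectl_cmd = [...]` and `exec(*kubectl_cmd)` keep the two meanings apart. Thor's `:numeric` type also accepts floats, so `"--port=#{Integer(options['port'])}"` would reject `--port=80.5` before kubectl does, and a `:desc` on the `option "port"` line in the `@@ -1126` hunk saying that the port is both set on the container and, via `--expose=true`, published as a Service would document the side effect. The `rxn` method starts outside this hunk.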
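Review bot: `buildkit_version = "v0.22.0"` bumps the buildctl binary that the unchanged `curl -sL ... tar zxf ... mv bin/buildctl /usr/local/bin` line below installs without any integrity check; pinning the release tarball's digest next to the version (`buildkit_sha256 = "<sha256 from the buildkit release page>"` and `echo "#{buildkit_sha256} buildkit.tar.gz" | sha256sum -c` before `tar`) is the check this hunk is the natural place to add, since the generated workflow in patch 118 fetches the same tarball. Note also that `kubernetes/resources.yaml` in patch 131 moves buildkitd to `v0.23.2-rootless`, so client and daemon end up one minor version apart; buildkit's API is generally backward compatible, but the two pins are worth keeping in step or documenting.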
@@ -56,34 +56,34 @@ #TODO: more prototype-z detection command("COPY") { - "--chown=app polly.gemspec VERSION CHANGELOG.md /__w/polly/polly/" + "--chown=polly polly.gemspec VERSION CHANGELOG.md /__w/polly/polly/" } command("COPY") { - "--chown=app Thorfile /__w/polly/polly/" + "--chown=polly Thorfile /__w/polly/polly/" } command("COPY") { - "--chown=app config /__w/polly/polly/config/" + "--chown=polly config /__w/polly/polly/config/" } command("COPY") { - "--chown=app lib /__w/polly/polly/lib" + "--chown=polly lib /__w/polly/polly/lib" } command("COPY") { - "--chown=app bin /__w/polly/polly/bin" + "--chown=polly bin /__w/polly/polly/bin" } command("COPY") { - "--chown=app doc /__w/polly/polly/doc" + "--chown=polly doc /__w/polly/polly/doc" } - run %q{mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/app /app /__w/polly/polly} - run %q{chown -R app:alpha /home/app /polly /app /__w/polly/polly} - run %q{chown -R app /home/app /polly /app /__w/polly/polly} - run %q{chown -R app /home/app} - run %q{su app -s /bin/bash -c 'cd /__w/polly/polly && gem build polly.gemspec -o /home/app/polly-latest.gem'} + run %q{mkdir -p /polly/safe/git /polly/safe/run /polly/safe/tmp /polly/polly /polly /__w/polly/polly} + run %q{chown -R polly:alpha /home/polly /polly /polly /__w/polly/polly} + run %q{chown -R polly /home/polly /polly /polly /__w/polly/polly} + run %q{chown -R polly /home/polly} + run %q{su polly -s /bin/bash -c 'cd /__w/polly/polly && gem build polly.gemspec -o /home/polly/polly-latest.gem'} } # final bits are just the .gem install as if on end-user box 
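Review bot: After the rename, the `mkdir -p` line and both `chown -R` lines list `/polly` twice (`/polly/polly /polly` and `/home/polly /polly /polly`), which reads like a mechanical `/app` → `/polly` substitution rather than an intended second directory. Dropping the duplicate, e.g. `run %q{chown -R polly:alpha /home/polly /polly /__w/polly/polly}`, keeps the three lines readable and makes it obvious that the recursive chown of `/polly` already covers `/polly/polly` and `/polly/safe`.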
@@ -91,28 +91,32 @@ stage "deploy", @base.stage command("WORKDIR") { - "/home/app" + "/home/polly" } command("COPY") { - "--chown=app --from=gem /home/app/polly-latest.gem /home/app/polly-latest.gem" + "--chown=polly --from=gem /home/polly/polly-latest.gem /home/polly/polly-latest.gem" } - run %q{gem install --no-document --minimal-deps /home/app/polly-latest.gem && grep -Rn '\.gem\.' /var/lib 2>/dev/null | cut -d: -f1 | sort | uniq | xargs -I{} rm {} && rm /home/app/polly-latest.gem} + run %q{gem install --no-document --minimal-deps /home/polly/polly-latest.gem && grep -Rn '\.gem\.' /var/lib 2>/dev/null | cut -d: -f1 | sort | uniq | xargs -I{} rm {} && rm /home/polly/polly-latest.gem} run %q{ln -sf /usr/local/bin/polly /bin/dockerfile-frontend} command("COPY") { - "--chown=app Pollyfile /home/app/Pollyfile" + "--chown=polly Pollyfile /home/polly/Pollyfile" } command("COPY") { - "--chown=app config/git-repo/templates /home/app/config/git-repo/templates" + "--chown=polly config/git-repo/templates /home/polly/config/git-repo/templates" } - run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R app:app /polly/safe} + command("COPY") { + "--chown=polly kubernetes /home/polly/kubernetes" + } + + run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R polly:polly /polly/safe} - app + polly command("ENTRYPOINT") { '["/bin/dockerfile-frontend"]' @@ -140,7 +144,7 @@ {"run"=>{"name"=>"rspec","command"=>"bundle exec rspec"}}, {"run"=>{"name"=>"demo","command"=>"polly help"}}, #{"run"=>{"name"=>"build","command"=>"pwd && ls -l && buildctl --timeout 120 --addr tcp://polly-buildkitd:1234 --tlsservername polly-buildkitd --tlscacert /certs/client/ca.pem --tlscert /certs/client/cert.pem --tlskey /certs/client/key.pem build --frontend dockerfile.v0 --local context=. --local dockerfile=."}} - ],{},"/home/app/polly" + ],{},"/home/polly/polly" ) } From ce847736ee48517ffc07062b257e7b83b44409ed Mon Sep 17 00:00:00 2001 
From: Jon Bardin Date: Mon, 2 Jun 2025 20:13:42 -0400 Subject: [PATCH 128/133] Update Pollyfile --- Pollyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Pollyfile b/Pollyfile index 8210628..6b7a268 100644 --- a/Pollyfile +++ b/Pollyfile @@ -116,7 +116,7 @@ run %q{mkdir -p /polly/safe/git/polly/hooks && chown -R polly:polly /polly/safe} - polly + app command("ENTRYPOINT") { '["/bin/dockerfile-frontend"]' From 41a924c761fd4ae2bdf69af082c94ed1848b6a8c Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Mon, 2 Jun 2025 20:14:47 -0400 Subject: [PATCH 129/133] Update generate.rb --- lib/polly/generate.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/polly/generate.rb b/lib/polly/generate.rb index 35276ec..95b5de3 100644 --- a/lib/polly/generate.rb +++ b/lib/polly/generate.rb @@ -173,7 +173,7 @@ def root end def app - user("app") + user("polly") end def prototype1 From 36dcc7b890871a91b686d9ab10f91003b13c8259 Mon Sep 17 00:00:00 2001 From: Jon Bardin Date: Wed, 4 Jun 2025 15:17:34 -0400 Subject: [PATCH 130/133] allow serviceAccountName override --- bin/polly | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bin/polly b/bin/polly index 5b55181..df0574d 100755 --- a/bin/polly +++ b/bin/polly @@ -1173,6 +1173,8 @@ HEREDOC vertical_lookup = YAML.load(File.read("vertical.yaml")) environment_overrides = vertical_lookup["environment-overrides"] + service_account_name = vertical_lookup["service-account-name"] + volume_mounts = vertical_lookup["volume-mounts"] volumes = vertical_lookup["volumes"] @@ -1181,6 +1183,7 @@ HEREDOC spec_overrides["spec"]["containers"][0]["env"] = envs spec_overrides["spec"]["containers"][0]["volumeMounts"] = volume_mounts spec_overrides["spec"]["volumes"] = volumes + spec_overrides["spec"]["serviceAccountName"] = service_account_name end #"containers": [ From 07991f71fd54761e51a43fa5cd4fc1fcd15b6410 Mon Sep 17 00:00:00 2001 
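Review bot: `spec_overrides["spec"]["serviceAccountName"] = service_account_name` in the `@@ -1181` hunk runs whenever `vertical.yaml` exists, so a file without a `service-account-name` key emits `"serviceAccountName": null` into the override JSON; guard it with `spec_overrides["spec"]["serviceAccountName"] = service_account_name if service_account_name`. Since this lets a checked-in file choose the pod's identity, a short comment naming the key and noting that the cluster's RBAC and admission policy are what bound which accounts may be used would help the next reader. The `rxn` method starts and ends outside these hunks.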
From: Jon
Date: Fri, 14 Nov 2025 18:02:31 -0500
Subject: [PATCH 131/133] add --privileged annotations for kubectl rxn
---
 bin/polly | 61 +++++++++++++++++++++++++++++++--------
 kubernetes/resources.yaml | 2 +-
 2 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/bin/polly b/bin/polly
index df0574d..08086ea 100755
--- a/bin/polly
+++ b/bin/polly
@@ -1136,6 +1136,7 @@ HEREDOC
 desc "rxn CMD", "rxn app pod" # uses --command override of ENTRYPOINT/CMD
 option "stage", :type => :string, :default => nil
 option "port", :type => :numeric, :default => nil
+ option "privileged", :type => :boolean, :default => false
 def rxn(*cmd)
 exe = ::Polly::Execute.new
@@ -1153,18 +1154,47 @@ HEREDOC
 cmd << "/bin/bash" if cmd.empty?
 spec_overrides = {
+ #"annotations" => {
+ # "container.apparmor.security.beta.kubernetes.io/#{pod_name}" => "unconfined",
+ # "container.seccomp.security.alpha.kubernetes.io/#{pod_name}" => "unconfined"
+ #},
 "spec" => {
- "containers" => [{
- "name" => pod_name,
- "image" => pod_image,
- "imagePullPolicy" => "Always",
- "command" => [
- *cmd
- ],
- "stdin" => true,
- "stdinOnce" => true,
- "tty" => true
- }]
+ "securityContext" => {
+ "appArmorProfile" => {
+ #"type" => "Unconfined"
+ "type" => "unconfined"
+ #"type" => "RuntimeDefault"
+ #"type" => "Localhost",
+ #"localhostProfile" => "Unconfined"
+ #"localhostProfile" => "Unconfined"
+ #"localhostProfile" => "k8s-apparmor-example-deny-write"
+ },
+ #"fsGroup" => 1001
+ },
+ "containers" => [
+ {
+ "name" => pod_name,
+ "image" => pod_image,
+ "imagePullPolicy" => "Always",
+ "command" => [
+ *cmd
+ ],
+ "stdin" => true,
+ "stdinOnce" => true,
+ "tty" => true,
+ "privileged" => true,
+ "securityContext" => {
+ "seccompProfile" => {
+ "type" => "Unconfined"
+ #"type" => "unconfined"
+ },
+ "appArmorProfile" => {
+ #"type" => "Unconfined"
+ "type" => "unconfined"
+ }
+ }
+ }
+ ]
 }
 }
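Review bot: The rebuilt `spec_overrides` applies `"privileged" => true` and the unconfined AppArmor/seccomp profiles to every `rxn` pod unconditionally — the `--privileged` option added in the `@@ -1136` hunk is only consulted in the `@@ -1213` hunk on the next line, where it adds an annotation — so the default, non-privileged invocation already drops the runtime sandbox. `privileged` is also placed directly on the container rather than under `securityContext`, where the pod API defines it, and `appArmorProfile.type` must be `Unconfined` (the accepted values are `RuntimeDefault`, `Localhost` and `Unconfined`; the lowercase spelling is rejected or ignored depending on kubectl's field validation). Building the plain spec first and adding the security settings only when `options["privileged"]` is set keeps this block and the annotation in the next hunk in step; the commented-out alternatives inside the hash can then go. The rest of `rxn` lies outside this hunk.
```ruby
spec_overrides = {
  "spec" => {
    "containers" => [
      {
        "name" => pod_name,
        "image" => pod_image,
        "imagePullPolicy" => "Always",
        "command" => [*cmd],
        "stdin" => true,
        "stdinOnce" => true,
        "tty" => true
      }
    ]
  }
}

# Only relax the sandbox when --privileged was given; a plain rxn pod keeps
# the cluster's default seccomp/AppArmor profiles.
if options["privileged"]
  spec_overrides["spec"]["securityContext"] = {
    "appArmorProfile" => { "type" => "Unconfined" }
  }
  spec_overrides["spec"]["containers"][0]["securityContext"] = {
    "privileged" => true,
    "seccompProfile" => { "type" => "Unconfined" },
    "appArmorProfile" => { "type" => "Unconfined" }
  }
end
# … unchanged: vertical.yaml merge, port/annotation args, kubectl run …
```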
@@ -1213,7 +1243,14 @@ HEREDOC
 expose_port_args << "--port=#{options['port']}"
 end
- cmd = ["kubectl", "run", pod_name, "--attach=true", "-it", "--pod-running-timeout=3m0s", "--image=#{pod_image}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", *expose_port_args, "--overrides", JSON.dump(spec_overrides), "--command", "--", *cmd].compact
+ privileged_args = []
+ if options["privileged"]
+ #privileged_args << "--privileged"
+ privileged_args << "--annotations=container.apparmor.security.beta.kubernetes.io/#{pod_name}=unconfined"
+ #privileged_args << "--annotations=container.seccomp.security.alpha.kubernetes.io/#{pod_name}=unconfined"
+ end
+
+ cmd = ["kubectl", "run", pod_name, *privileged_args, "--attach=true", "-it", "--pod-running-timeout=3m0s", "--image=#{pod_image}", "--image-pull-policy=Always", "--rm=true", "--quiet=true", *expose_port_args, "--overrides", JSON.dump(spec_overrides), "--command", "--", *cmd].compact
 puts cmd.inspect
 exec(*cmd)
diff --git a/kubernetes/resources.yaml b/kubernetes/resources.yaml
index 08ab030..6c0ba8d 100644
--- a/kubernetes/resources.yaml
+++ b/kubernetes/resources.yaml
@@ -162,7 +162,7 @@ spec:
 terminationGracePeriodSeconds: 180
 containers:
 - name: buildkitd
- image: moby/buildkit:v0.13.1-rootless
+ image: moby/buildkit:v0.23.2-rootless
 args:
 - --oci-worker-no-process-sandbox
 readinessProbe:
From 04e6dc2e1d9dceb399045e31f87f57c110e4a674 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 14 Nov 2025 18:05:10 -0500
Subject: [PATCH 132/133] disable workdir chdir
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index cf5b12b..c2766d5 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -9,7 +9,7 @@ workflows:
 version: 2
 jobs:
 primary:
- working_directory: "/home/app/polly"
+ #working_directory: "/home/app/polly"
 steps:
 - checkout
 - run:
From 3611edd6c79051b71805981a0c79b27c565226c3 Mon Sep 17 00:00:00 2001
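Review bot: The `--privileged` branch only adds the beta `container.apparmor.security.beta.kubernetes.io/#{pod_name}` annotation, while the `spec_overrides` built in the previous hunk already carries an `appArmorProfile` field for the same container regardless of the option; on API servers that validate the annotation against the field a mismatch rejects the pod, and on older ones the annotation alone is what takes effect, so the two paths can disagree silently. Keeping a single source — the field, gated on `options["privileged"]` — and dropping the annotation (or the reverse if old clusters must be supported) removes the divergence, and the commented-out seccomp annotation line can go since the seccomp profile is already expressed through the field. A comment on the `if options["privileged"]` line stating which cluster versions the annotation is kept for would explain the choice. The `rxn` method starts outside this hunk.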
From: Jon Bardin Date: Fri, 14 Nov 2025 18:20:16 -0500 Subject: [PATCH 133/133] remove un-used dep --- Gemfile | 1 - polly.gemspec | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 927cd61..174deac 100644 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,6 @@ gemspec ## https://github.com/rubygems/rubygems/issues/1104 group "development" do - gem "guard-rspec" gem "rake" gem "rspec" end diff --git a/polly.gemspec b/polly.gemspec index 15cbf55..3b05774 100644 --- a/polly.gemspec +++ b/polly.gemspec @@ -19,9 +19,8 @@ Gem::Specification.new do |spec| spec.require_paths = ["lib"] spec.add_dependency "thor", "~> 1.3" - spec.add_dependency "net-ssh", "~> 7.0" + spec.add_dependency "net-ssh", "~> 7.2" spec.add_dependency "yajl-ruby", "~> 1.4.3" - spec.add_dependency "guard", "~> 2.18" - spec.add_dependency "rack", "~> 3.0" + spec.add_dependency "rack", "~> 3.1" spec.add_dependency "rackup", "~> 2.1" end