feat(controller): use Docker for last-mile layer

Author: mboersma

controller/Makefile

@@ -78,7 +78,7 @@ test-style: setup-venv
 	shellcheck $(SHELL_SCRIPTS)
 
 test-unit: setup-venv test-style
-	venv/bin/coverage run manage.py test --noinput web api
+	venv/bin/coverage run manage.py test --noinput web registry api
 	venv/bin/coverage report -m
 
 test-functional:

controller/api/models.py

@@ -880,29 +880,13 @@ def new(self, user, config, build, summary=None, source_version='latest'):
     def publish(self, source_version='latest'):
         if self.build is None:
             raise EnvironmentError('No build associated with this release to publish')
-        source_tag = 'git-{}'.format(self.build.sha) if self.build.sha else source_version
-        source_image = '{}:{}'.format(self.build.image, source_tag)
-        # IOW, this image did not come from the builder
-        if not self.build.sha:
-            # we assume that the image is not present on our registry,
-            # so shell out a task to pull in the repository
-            data = {
-                'src': self.build.image
-            }
-            requests.post(
-                '{}/v1/repositories/{}/tags'.format(settings.REGISTRY_URL,
-                                                    self.app.id),
-                data=data,
-            )
-            # update the source image to the repository we just imported
-            source_image = self.app.id
-            # if the image imported had a tag specified, use that tag as the source
-            if ':' in self.build.image:
-                if '/' not in self.build.image[self.build.image.rfind(':') + 1:]:
-                    source_image += self.build.image[self.build.image.rfind(':'):]
-        publish_release(source_image,
-                        self.config.values,
-                        self.image)
+        source_image = self.build.image
+        if ':' not in source_image:
+            source_tag = 'git-{}'.format(self.build.sha) if self.build.sha else source_version
+            source_image = "{}:{}".format(source_image, source_tag)
+        # If the build has a SHA, assume it's from deis-builder and in the deis-registry already
+        deis_registry = bool(self.build.sha)
+        publish_release(source_image, self.config.values, self.image, deis_registry)
 
     def previous(self):
         """

controller/deis/settings.py

@@ -152,6 +152,7 @@
     'corsheaders',
     # Deis apps
     'api',
+    'registry',
     'web',
 )
 
@@ -272,6 +273,11 @@
             'level': 'INFO',
             'propagate': True,
         },
+        'registry': {
+            'handlers': ['console', 'mail_admins', 'rsyslog'],
+            'level': 'INFO',
+            'propagate': True,
+        },
     }
 }
 TEST_RUNNER = 'api.tests.SilentDjangoTestSuiteRunner'

controller/registry/__init__.py

@@ -1 +1 @@
-from private import publish_release  # noqa
+from dockerclient import publish_release  # noqa

controller/registry/dockerclient.py

@@ -0,0 +1,120 @@
+# -*- coding: utf-8 -*-
+"""Support the Deis workflow by manipulating and publishing Docker images."""
+
+from __future__ import unicode_literals
+import io
+import logging
+
+from django.conf import settings
+from rest_framework.exceptions import PermissionDenied
+from simpleflock import SimpleFlock
+import docker
+
+logger = logging.getLogger(__name__)
+
+
+class DockerClient(object):
+    """Use the Docker API to pull, tag, build, and push images to deis-registry."""
+
+    FLOCKFILE = '/tmp/controller-pull'
+
+    def __init__(self):
+        self.client = docker.Client(version='auto')
+        self.registry = settings.REGISTRY_HOST + ':' + str(settings.REGISTRY_PORT)
+
+    def publish_release(self, source, config, target, deis_registry):
+        """Update a source Docker image with environment config and publish it to deis-registry."""
+        # get the source repository name and tag
+        src_name, src_tag = docker.utils.parse_repository_tag(source)
+        # get the target repository name and tag
+        name, tag = docker.utils.parse_repository_tag(target)
+        # strip any "http://host.domain:port" prefix from the target repository name,
+        # since we always publish to the Deis registry
+        name = strip_prefix(name)
+
+        # pull the source image from the registry
+        # NOTE: this relies on an implementation detail of deis-builder, that
+        # the image has been uploaded already to deis-registry
+        if deis_registry:
+            repo = "{}/{}".format(self.registry, src_name)
+        else:
+            repo = src_name
+        self.pull(repo, src_tag)
+
+        # tag the image locally without the repository URL
+        image = "{}:{}".format(repo, src_tag)
+        self.tag(image, src_name, tag=src_tag)
+
+        # build a Docker image that adds a "last-mile" layer of environment
+        config.update({'DEIS_APP': name, 'DEIS_RELEASE': tag})
+        self.build(source, config, name, tag)
+
+        # push the image to deis-registry
+        self.push("{}/{}".format(self.registry, name), tag)
+
+    def build(self, source, config, repo, tag):
+        """Add a "last-mile" layer of environment config to a Docker image for deis-registry."""
+        check_blacklist(repo)
+        env = ' '.join("{}='{}'".format(
+            k, v.encode('unicode-escape').replace("'", "\\'")) for k, v in config.viewitems())
+        dockerfile = "FROM {}\nENV {}".format(source, env)
+        f = io.BytesIO(dockerfile.encode('utf-8'))
+        target_repo = "{}/{}:{}".format(self.registry, repo, tag)
+        logger.info("Building Docker image {}".format(target_repo))
+        with SimpleFlock(self.FLOCKFILE, timeout=1200):
+            stream = self.client.build(fileobj=f, tag=target_repo, stream=True, rm=True)
+            log_output(stream)
+
+    def pull(self, repo, tag):
+        """Pull a Docker image into the local storage graph."""
+        check_blacklist(repo)
+        logger.info("Pulling Docker image {}:{}".format(repo, tag))
+        with SimpleFlock(self.FLOCKFILE, timeout=1200):
+            stream = self.client.pull(repo, tag=tag, stream=True, insecure_registry=True)
+            log_output(stream)
+
+    def push(self, repo, tag):
+        """Push a local Docker image to a registry."""
+        logger.info("Pushing Docker image {}:{}".format(repo, tag))
+        stream = self.client.push(repo, tag=tag, stream=True, insecure_registry=True)
+        log_output(stream)
+
+    def tag(self, image, repo, tag):
+        """Tag a local Docker image with a new name and tag."""
+        check_blacklist(repo)
+        logger.info("Tagging Docker image {} as {}:{}".format(image, repo, tag))
+        if not self.client.tag(image, repo, tag=tag, force=True):
+            raise docker.errors.DockerException("tagging failed")
+
+
+def check_blacklist(repo):
+    """Check a Docker repository name for collision with deis/* components."""
+    blacklisted = [  # NOTE: keep this list up to date!
+        'builder', 'cache', 'controller', 'database', 'logger', 'logspout',
+        'publisher', 'registry', 'router', 'store-admin', 'store-daemon',
+        'store-gateway', 'store-metadata', 'store-monitor', 'swarm', 'mesos-master',
+        'mesos-marathon', 'mesos-slave', 'zookeeper',
+    ]
+    if any("deis/{}".format(c) in repo for c in blacklisted):
+        raise PermissionDenied("Repository name {} is not allowed".format(repo))
+
+
+def log_output(stream):
+    """Log a stream at DEBUG level, and raise DockerException if it contains "error"."""
+    for chunk in stream:
+        logger.debug(chunk)
+        # error handling requires looking at the response body
+        if '"error"' in chunk.lower():
+            raise docker.errors.DockerException(chunk)
+
+
+def strip_prefix(name):
+    """Strip the schema and host:port from a Docker repository name."""
+    paths = name.split('/')
+    return '/'.join(p for p in paths if p and '.' not in p and ':' not in p)
+
+
+def publish_release(source, config, target, deis_registry):
+
+    client = DockerClient()
+    return client.publish_release(source, config, target, deis_registry)