Merged
Changes from 31 commits
37 commits
3b1b007
Remove loggly
thejsj Mar 13, 2017
392f95e
Replace local registry with docker hub
thejsj Mar 13, 2017
96d9044
Make sure user is sudo
thejsj Mar 13, 2017
ffd27ad
Push images to docker hub. Not local registry
thejsj Mar 13, 2017
be570dd
Remove registry.runnable.com
thejsj Mar 13, 2017
eeca2c8
Dock should not be bound to any other environment. Remove commands tha…
thejsj Mar 13, 2017
e4db52b
Remove docks-psad
thejsj Mar 13, 2017
55f3ff6
Re add roles. Must be run with skip-tags in order to work
thejsj Mar 13, 2017
a7b1a87
Change node service config to tag. Skip tags if running dock
thejsj Mar 13, 2017
e5f2fcb
Remove unused tag
thejsj Mar 13, 2017
c41a0b5
Add primary functions for init
thejsj Mar 13, 2017
425548c
Add vault tokens
thejsj Mar 13, 2017
8df4393
Add tokens
thejsj Mar 13, 2017
982098d
Add tag to ensure_registry
thejsj Mar 13, 2017
9400c65
Fix vault port. Remove amazon-ssm-agent
thejsj Mar 14, 2017
936f71b
Add line to run dock-init
thejsj Mar 14, 2017
60bd667
Add vault port
thejsj Mar 14, 2017
3b27d32
Fix script to run on localhost
thejsj Mar 15, 2017
e0023b2
Merge branch 'create-shared-dock-ami' of github.com:CodeNow/devops-sc…
thejsj Mar 15, 2017
b44c6c6
Remove pushing of image
thejsj Mar 15, 2017
76ec750
Make image-builder public
thejsj Mar 15, 2017
b1468d0
Merge branch 'master' of github.com:CodeNow/devops-scripts into creat…
thejsj Mar 21, 2017
c4ebcba
Update dock images. Add consul_values tag
thejsj Mar 24, 2017
15fee45
Update krain image
thejsj Mar 24, 2017
d1c5bd3
Merge branch 'master' of github.com:CodeNow/devops-scripts into creat…
thejsj Mar 24, 2017
41afba3
Add docker-listener image inspect list
thejsj Mar 24, 2017
0cb5bfd
Add CA certs. Convert to single template. Overwrite existing files
thejsj Mar 24, 2017
cbd2587
Add more comments
thejsj Mar 24, 2017
ed929f7
Update vault port
thejsj Mar 24, 2017
df930de
Add user-local to delta
thejsj Mar 24, 2017
23dda55
Fix host addresses. Remove NODE_ENV from krain (default). Change loca…
thejsj Mar 25, 2017
6d18554
Change image inspect list. Change author
thejsj Mar 25, 2017
ee5737c
Merge branch 'master' of github.com:CodeNow/devops-scripts into creat…
thejsj Apr 4, 2017
be0ec5f
Re-add restart docker
thejsj Apr 4, 2017
e56c257
Change port to consul_api_port
thejsj Apr 6, 2017
d2b5e7b
Fix api port and echo in launch config
thejsj Apr 7, 2017
e632e45
Re-add image-builder. Change order for Docker startups purposes. Tag
thejsj Apr 7, 2017
2 changes: 2 additions & 0 deletions ansible/consul-values.yml
Expand Up @@ -17,6 +17,7 @@
with_items: "{{ consul_seed }}"

- name: get values from consul
tags: consul_values
run_once: true
when: read_values is defined
uri:
Expand All @@ -26,6 +27,7 @@
register: values

- name: print values to screen
tags: consul_values
run_once: true
when: read_values is defined
debug: msg="{{ item.item.key }}" -> "{{ item.json[0].Value | b64decode }}"
4 changes: 4 additions & 0 deletions ansible/delta-hosts/hosts
@@ -1,6 +1,9 @@
[bastion]
delta-bastion

[user-local]
127.0.0.1

[hipache]
delta-hipache httpsCheckForBackend80=false prependIncomingPort=true subDomainDepth=4

Expand Down Expand Up @@ -172,6 +175,7 @@ shiva
socket-server
socket-server-proxy
swarm-manager
user-local
userland
web
worker
8 changes: 8 additions & 0 deletions ansible/dock-generate-launch-config.yml
@@ -0,0 +1,8 @@
---
- hosts: redis
- hosts: consul

- hosts: user-local
connection: local
roles:
- { role: dock_launch_config }
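Review bot: The two task-less plays at the top (`- hosts: redis`, `- hosts: consul`) carry no comment explaining why they exist. If they are there to gather facts so the `user-local` play can resolve those hosts' addresses, say so in a comment above them; otherwise a later cleanup is likely to delete them as dead code.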
2 changes: 1 addition & 1 deletion ansible/dock.yml
Expand Up @@ -13,7 +13,7 @@

- include: charon.yml git_branch="v5.0.1"
- include: dock-init.yml git_branch="v10.1.2"
- include: krain.yml git_branch="v0.3.0"
- include: krain.yml git_branch="v0.3.1"

- hosts: "{{ dock }}"
tasks:
4 changes: 4 additions & 0 deletions ansible/gamma-hosts/hosts
@@ -1,6 +1,9 @@
[bastion]
gamma-bastion

[user-local]
127.0.0.1

[hipache]
gamma-hipache httpsCheckForBackend80=false prependIncomingPort=true subDomainDepth=4

Expand Down Expand Up @@ -171,6 +174,7 @@ socket-server
socket-server-proxy
swarm-manager
userland
user-local
web
worker
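Review bot: In this second hunk `user-local` is added after `userland`, while the matching hunk in ansible/delta-hosts/hosts adds it before `userland`. Use the same position in both inventories so the two files stay easy to diff against each other.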

3 changes: 3 additions & 0 deletions ansible/group_vars/all.yml
Expand Up @@ -207,6 +207,9 @@ navi_mongo_port: 27017

npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2

# remote vault
vault_port: 8200

# local-vault
vault_local_port: 31836
vault_addr: http://127.0.0.1:{{ vault_local_port }}
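Review bot: `vault_port` is added directly above `vault_local_port` and `vault_addr`, and only the comments `# remote vault` and `# local-vault` tell the two ports apart. Extend the comment to say which consumers use which port, since `vault_addr` is built from the local one. Separately, the context line above shows `npm_token` stored in plaintext in this file; it is not part of this change, but it should be moved out of the repository and rotated.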
1 change: 1 addition & 0 deletions ansible/group_vars/alpha-docker-listener.yml
Expand Up @@ -13,6 +13,7 @@ container_envs: >
-e DATADOG_HOST={{ datadog_host_address }}
-e DATADOG_PORT={{ datadog_port }}
-e DOCKER_CERT_PATH=/etc/ssl/docker
-e IMAGE_INSPECT_LIST=localhost,registry.runnable.com,runnable

this might be bad, we will now inspect all hemindal containers, can you make this runnable/image-builder? and test it works? also you can remove registry.runnable.com

Member Author

@thejsj thejsj Mar 25, 2017

Changed.

-e LOGGLY_TOKEN={{ loggly_token }}
-e NODE_ENV={{ node_env }}
-e RABBITMQ_HOSTNAME={{ rabbit_host_address }}
1 change: 0 additions & 1 deletion ansible/group_vars/alpha-krain.yml
Expand Up @@ -6,7 +6,6 @@ krain_env: default
# upstart template variables
app_name: krain
app_repo: git@github.com:CodeNow/krain.git
node_env: "{{ krain_env }}"

enviroment_vars: {}

2 changes: 1 addition & 1 deletion ansible/group_vars/alpha-vault.yml
Expand Up @@ -13,7 +13,7 @@ container_run_opts: >
-v /opt/vault/client-consul:/opt/vault/client-consul:ro
-v /opt/vault/server:/opt/vault/server:ro
-v {{ app_log_dir }}:{{ app_log_dir }}:rw
-p {{ ansible_default_ipv4.address }}:8200:8200
-p {{ ansible_default_ipv4.address }}:{{ vault_port }}:{{ vault_port }}
-p {{ ansible_default_ipv4.address }}:8201:8201
--cap-add IPC_LOCK
--restart=always
1 change: 1 addition & 0 deletions ansible/roles/base_ubuntu/tasks/main.yml
@@ -1,6 +1,7 @@
---
- name: ensure registry.runnable in /etc/hosts

wait why do you still have this? we can remove this now right

ok

become: true
tags: ensure_registry
when: dock is not defined
lineinfile:
dest=/etc/hosts
2 changes: 1 addition & 1 deletion ansible/roles/consul_value/tasks/main.yml
Expand Up @@ -14,7 +14,7 @@
cache_valid_time=604800

- name: put values into consul
tags: deploy
tags: deploy, consul_values
run_once: true
when: consul_host_address is defined and consul_api_port is defined and consul_values is defined and dock is not defined
uri:
9 changes: 0 additions & 9 deletions ansible/roles/dock-images/tasks/main.yml
Expand Up @@ -5,19 +5,10 @@
name=docker
state=started

- name: add runnable registry to /etc/hosts
become: true
blockinfile:
dest: /etc/hosts
insertafter: EOF
block: |
{{ registry_address }} registry.runnable.com

- name: pulling docker images
become: true
command: docker pull {{ item }}
with_items:
- "registry.runnable.com/runnable/image-builder:v4.3.0"

Member Author

@anandkumarpatel and I talked about this. We DO want to bake this image into the AMI in order to make first builds fast, but we have to push image-builder into docker hub as a public image.

- "swarm:1.2.5"
- "registry:2.3.1"
- "google/cadvisor:v0.24.1"
5 changes: 2 additions & 3 deletions ansible/roles/dock-init/tasks/main.yml
@@ -1,5 +1,6 @@
---
- fail: msg="value tokens need to be defined for this role"
tags: vault_files
when: vault_auth_token is not defined or vault_token_01 is not defined or vault_token_02 is not defined or vault_token_03 is not defined

- name: create vault auth directory
Expand All @@ -25,12 +26,10 @@
- { file_name: 'token-02', value: "{{ vault_token_02 }}" }
- { file_name: 'token-03', value: "{{ vault_token_03 }}" }

- fail: msg="docks_rollbar_key needs to be defined for this role"
when: docks_rollbar_key is not defined

- name: copy rollbar token
tags: rollbar
become: true
when: docks_rollbar_key is defined
lineinfile:
dest="/opt/runnable/dock-init/key/rollbar.token"
line="{{ docks_rollbar_key }}"
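Review bot: Replacing the `fail` on `docks_rollbar_key` with `when: docks_rollbar_key is defined` on the `copy rollbar token` task means a run without the key now succeeds and leaves the dock without a rollbar token, with nothing in the output to show it. If the key is meant to be optional, add a `debug` task that reports the skip; if only some playbooks may omit it, keep the `fail` and gate it on a condition those playbooks set.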
72 changes: 72 additions & 0 deletions ansible/roles/dock_launch_config/tasks/main.yml
@@ -0,0 +1,72 @@
---
- name: load variables
include_vars: "group_vars/alpha-krain.yml"

- name: create new config file for krain

doesn't dock-init do this?

Member Author

Not right now, no. Seems like it should though. Do we want to move it there? Would need some guidance on how to do this.

Member Author

Actually, we can't do that because we start the services (krain and charon) before running dock-init.

where did you get these files from? why not just use/update the regular roles to install this? scared of something new

template:
src=upstart.conf
dest=~/{{ app_name }}.conf
backup=yes
vars:
- app_name: "krain"
- enviroment_vars: enviroment_vars

- name: encode krain config to base64
shell: cat ~/{{ app_name }}.conf | base64 -w 0

are you encoding this for a reason?

Member Author

So that we don't have to deal with weird formatting/spacing issues, since we're just adding this to a file to echo it into a file.

why are we echoing instead of copying it directly to host? does not look like you are transforming this file at all

echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf

no transform just a decode?

register: krain_base64
vars:
- app_name: "krain"

- name: load variables
include_vars: "group_vars/alpha-charon.yml"

- name: create new config file for charon
template:
src=upstart.conf
dest=~/{{ app_name }}.conf
backup=yes
vars:
- app_name: "charon"
- enviroment_vars: enviroment_vars

- name: encode krain config to base64
shell: cat ~/{{ app_name }}.conf | base64 -w 0
register: charon_base64
vars:
- app_name: "charon"

- name: register tokens
set_fact:
vault_tokens:
- { file_name: 'auth-token', value: "{{ vault_auth_token }}" }
- { file_name: 'token-01', value: "{{ vault_token_01 }}" }
- { file_name: 'token-02', value: "{{ vault_token_02 }}" }
- { file_name: 'token-03', value: "{{ vault_token_03 }}" }

- name: encode ca.pem to base64
shell: cat ./certs/ca.pem | base64 -w 0
register: ca_pem_base64

- name: encode ca-key.pem to base64
shell: cat ./certs/ca-key.pem | base64 -w 0
register: ca_key_pem_base64

- name: encode pass to base64
shell: cat ./certs/pass | base64 -w 0
register: pass_base64

- name: Generate dock script
template:
src=init.tmpl
dest=~/dock.sh
vars:
tokens: "{{ vault_tokens }}"
is_dock_pool: false

- name: Generate dock script
template:
src=init.tmpl
dest=~/dock-pool.sh
vars:
tokens: "{{ vault_tokens }}"
is_dock_pool: true
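Review bot: The `shell` tasks that base64-encode `./certs/ca-key.pem` and `./certs/pass`, and the `set_fact` that collects the vault tokens, run without `no_log: true`, and both `Generate dock script` tasks write those values into `~/dock.sh` and `~/dock-pool.sh` without a `mode`. As written, the encoded CA key and passphrase appear in verbose output and in any callback that records task results, and the generated scripts get whatever permissions the operator's umask allows. Add `no_log: true` to the tasks that handle secret material and `mode=0600` to the two `template` tasks. Smaller points: the charon encode task is still named `encode krain config to base64`, the last two tasks share one name, and `enviroment_vars: enviroment_vars` under `vars:` assigns the literal string rather than the variable.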
38 changes: 38 additions & 0 deletions ansible/roles/dock_launch_config/templates/init.tmpl
@@ -0,0 +1,38 @@
#!/bin/bash

# Set ENV files
export CONSUL_PORT={{ consul_https_port }}
export CONSUL_HOSTNAME={{ consul_host_address }}
export VAULT_PORT={{ vault_port }}

# Create directory for env
mkdir -p /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}
chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}
chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}

# Set Vault Tokens (Used for fetching templates)
{% for item in tokens %}
echo {{ item.value }} > /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }}
{% endfor %}

# Add upstart files for charon and krain
mkdir -p /docker/app-logs/
echo {{ krain_base64['stdout'] }} | base64 --decode > /etc/init/krain.conf
echo {{ charon_base64['stdout'] }} | base64 --decode > /etc/init/charon.conf

# Add Certs (Used for genereting Docker client keys + certs)
mkdir -p /etc/ssl/docker/
cho {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem
echo {{ ca_key_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca-key.pem
echo {{ pass_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/pass
chmod -R 0440 /etc/ssl/docker/

# Start services
{% if is_dock_pool %}
start amazon-ssm-agent

not needed for dock (only for hot pool)

{% endif %}
service krain start
service charon start
{% if not is_dock_pool %}
CONSUL_HOSTNAME={{ consul_host_address }} CONSUL_PORT={{ consul_https_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log
{% endif %}
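Review bot: In the certs block the first write is spelled `cho {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem`, so the command is not found, the redirect still creates an empty `ca.pem`, and because the script sets neither `set -e` nor `pipefail` it carries on and starts the services. Fix the typo and add `set -euo pipefail` near the top so a failed write stops the boot script. The vault token files are also created by a bare `echo ... >` with no mode, so they get the default umask while the directory is `0711`; set `umask 077` before the secret writes or `chmod 0600` each file. `chmod -R 0440 /etc/ssl/docker/` also strips the execute bit from the directory itself, so set the directory and file modes separately, and quote the interpolated values passed to `echo`.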
41 changes: 41 additions & 0 deletions ansible/roles/dock_launch_config/templates/upstart.conf
@@ -0,0 +1,41 @@
#!upstart
description "{{ app_name }}"
author "Anandkumar Patel"

you made this, I am not taking the blame for its bugs

Member Author

haha No problem!


env NPM_BIN=/usr/local/bin/npm
env APP_DIR=/opt/runnable/{{ app_name }}
env LOG_FILE={{ app_log_dir }}/{{ app_name }}.log
env NODE_ENV={{ node_env }}

{% if enviroment_vars is defined %}
{% for name, value in enviroment_vars.iteritems() %}
env {{ name }}={{ value }}
{% endfor %}
{% endif %}

start on (local-filesystems and net-device-up IFACE=eth0)
stop on shutdown

script
touch $LOG_FILE
chdir $APP_DIR
echo $$ > /var/run/{{ app_name }}.pid
exec $NPM_BIN start >> $LOG_FILE 2>&1
end script

pre-start script
# Date format same as (new Date()).toISOString() for consistency
echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Starting" >> $LOG_FILE
end script

pre-stop script
rm /var/run/{{ app_name }}.pid
echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Stopping" >> $LOG_FILE
end script

post-start script
echo "===== App restarted =====" >> $LOG_FILE
end script

respawn
respawn limit 5 1 # give up restart after 5 respawns in 1 seconds
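Review bot: `enviroment_vars.iteritems()` in the env loop exists only on Python 2 dictionaries, so the template stops rendering once Ansible runs under Python 3; `.items()` works on both. The loop also emits `env {{ name }}={{ value }}` unquoted, so a value containing whitespace will not be parsed as a single value; quote it if any configured variable can contain spaces. In `pre-stop`, `rm /var/run/{{ app_name }}.pid` fails when the pid file is already gone; `rm -f` avoids a spurious error on stop.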
15 changes: 0 additions & 15 deletions ansible/roles/docker/tasks/main.yml
Expand Up @@ -15,17 +15,6 @@
owner=root
group=root

- name: copy docker certs
become: true
tags: docker_certs
when: dock is defined
copy:
src=certs/
dest=/etc/ssl/docker
mode=0440
owner=root
group=root

- name: create core file dir
become: true
when: docker_config == "runnable" and core_file_dir != "/var/log"
Expand Down Expand Up @@ -110,10 +99,6 @@
group=root
mode=0755

- name: restart docker
when: (copied_config.changed and restart is defined) or dock is defined
command: sudo service docker restart

- name: create docker group
become: true
group:
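Review bot: Removing the `restart docker` task also removes the `copied_config.changed and restart is defined` path, so on hosts that are not docks a changed Docker config is no longer picked up by this role. If the intent is only to stop restarting Docker while building the dock image, keep the task and narrow the condition instead, for example `when: copied_config.changed and restart is defined`.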
1 change: 1 addition & 0 deletions ansible/roles/git_repo/tasks/main.yml
Expand Up @@ -9,6 +9,7 @@
msg: "application Installed: {{ app_name }}, branch : {{ git_branch }} "

- name: create repository dir
become: true

worst. we were trying to remove all the places we do this.... but if you have to that is fine

Member Author

I forget why I had to do this... but I feel there was a reason for it.

yea, because the /opts dir was made with sudo. it's ok

file:
path=/opt/runnable/{{ app_name }}
state=directory
8 changes: 1 addition & 7 deletions ansible/roles/image-builder/tasks/main.yml
Expand Up @@ -7,10 +7,4 @@

- name: build the image-builder
tags: deploy
command: sudo docker build --no-cache --tag="registry.runnable.com/{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder

- name: push image-builder
tags: deploy
run_once: true
command: sudo docker push "registry.runnable.com/{{ image_builder_docker_namespace }}:{{ git_branch }}"
when: dock is not defined
command: sudo docker build --no-cache --tag="{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder
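Review bot: With the registry prefix dropped from `--tag` and the `push image-builder` task removed, this role leaves the image only in the local Docker daemon of the host that built it, and nothing visible here publishes it. The review thread on ansible/roles/dock-images/tasks/main.yml says the image is to be pushed to Docker Hub as a public image; if that push is a manual step, document it next to this task, and confirm that nothing under `/opt/runnable/image-builder` that ends up in the image is secret before it is made public.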
4 changes: 2 additions & 2 deletions ansible/roles/loggly/tasks/main.yml
Expand Up @@ -122,7 +122,7 @@
state=present

- name: runnable bin directory
tags: [ loggly, clean ]
tags: [ loggly, clean ]
become: true
file:
path=/opt/runnable/bin
Expand All @@ -141,7 +141,7 @@
mode=0700

- name: purge log files
tags: [ loggly, clean ]
tags: [ loggly, clean ]
become: true
cron:
name="purge log files"