Dockerize bindle

[FrankYang0529]

ref: fermyon/installer#100

It looks like Using Bindle example can't work on the current master branch, so I use v0.8.0 for testing. #343 (comment)

Start Bindle

1. Clone this branch.
2. Run git reset HEAD~1 to keep Dockerfile.
3. Run git checkout v0.8.0 to check out to v0.8.0.
4. Run docker build -t bindle ..
5. Run BINDLE_TEMP=$(mktemp -d).
6. Run docker run --name bindle -d --restart=unless-stopped -e RUST_LOG=debug -v $BINDLE_TEMP:/bindle-data -p 8080:8080 bindle.

Start consul & nomad

1. Run consul agent --dev
2. Run nomad agent --dev

Start Hippo

1. Clone the latest Hippo.
2. Run following commands.

export Database__Driver=sqlite
export ConnectionStrings__Database="Data Source=hippo.db;Cache=Shared"
export ConnectionStrings__Bindle="Address=http://127.0.0.1:8080/v1"
export Nomad__Driver="raw_exec"
export Jwt__Key="ceci n'est pas une jeton"
export Jwt__Issuer="localhost"
export Jwt__Audience="localhost"
dotnet build
dotnet run

3. Create a Hippo account with username admin and password p@ssword.

Run Spin

1. Clone the latest Spin.
2. Run make build.
3. Run following commands.

export BINDLE_URL="http://localhost:8080/v1/"
export HIPPO_USERNAME="admin"
export HIPPO_PASSWORD="p@ssword"
export HIPPO_URL="http://localhost:5309"

4. Run spin new http-rust myapp.
5. In myapp folder, run spin build.
6. Run spin deploy.

[ghost]

All CLA requirements met.

[FrankYang0529]

Hi @vdice, I add Dockerfile for dockerize bindle. May you review it when you have time? Thank you.

[vdice]

This looks great @FrankYang0529.

As added context for other reviewers (@thomastaylor312 has been most active as of late), @FrankYang0529 has a PR up to both scale out an installation of Fermyon on AWS as well as add persistence for various components (transcending VM/host state, etc).

@FrankYang0529 had already gone down the path of an EBS-backed volume for the postgres DB that Hippo uses, which runs as a container and which utilizes a Nomad-supported CSI approach to tying it all together. Then we realized, a quick win to get persistence for Bindle would be to containerize this service as well -- and then use the same aforementioned plumbing (EBS/CSI). Seeing as Bindle doesn't yet have another option for persistence outside of a host's filesystem, this seemed the most prudent approach for our needs at this time.

We imagine this containerization approach might prove generally useful to others as well.

I tested this PR and looks good. The real win is seeing a stopped/restarted container re-use the bindle data from the mounted volume, as we'd expect.

For this PR, I had the following thoughts:

Ideally added in this PR:

• a doc/readme somewhere with the first section from the testing notes above, showing how to build and run the bindle server in its containerized form

Potential follow-up(s):

• CI/CD: perhaps some steps to build the image on PRs and some steps to publish the image somewhere eg to this repo's GitHub Container Registry?. Could publish an image tagged with latest on merges to main and immutable release versions on any git tag/GitHub release of this project

However, before going down this CI/CD path, I'd want to make sure we get sign-off from at least one other maintainer around the additions in this PR and the potential vision for build/publish in the near future.

[vdice]

It looks like Using Bindle example can't work on the current master branch, so I use v0.8.0 for testing.

I think we may want to ensure that the docs example can run successfully with this image at HEAD as well. Or at least by the next tagged release -- so we'll want to create issue(s) around the current failing behavior so that they can be fixed.

[FrankYang0529]

I think we may want to ensure that the docs example can run successfully with this image at HEAD as well. Or at least by the next tagged release -- so we'll want to create issue(s) around the current failing behavior so that they can be fixed.

#344

[FrankYang0529]

Test for Using Bindle example with master branch:

Build and setup bindle-server

# build
make build
docker build -t bindle .

# Setup
BINDLE_TEMP=$(mktemp -d)
echo $BINDLE_TEMP
export BINDLE_KEYRING=$BINDLE_TEMP/keyring.toml
./target/debug/bindle keys create "VishnuJin<me@example.com>" -f $BINDLE_TEMP/secret_keys.toml

# Start bindle-server
docker run --name bindle -d --restart=unless-stopped -e RUST_LOG=debug -v $BINDLE_TEMP:/bindle-data -p 8080:8080 bindle
docker logs bindle -f

Sign and push invoice

# setup
export BINDLE_TEMP=<path from bindle-server terminal>
export BINDLE_KEYRING=$BINDLE_TEMP/keyring.toml

# create invoice.toml file
cat <<EOF > invoice.toml
bindleVersion = "1.0.0"
[bindle]
name = "mybindle"
version = "0.1.0"
authors = ["vdice"]
description = "My first bindle"
[annotations]
myname = "myvalue"
EOF

# sign invoice
./target/debug/bindle sign-invoice invoice.toml -o signed-invoice.toml -l "VishnuJin<me@example.com>" -f $BINDLE_TEMP/secret_keys.toml

# push invoice 
./target/debug/bindle push-invoice signed-invoice.toml

# see invoice
./target/debug/bindle keys fetch
./target/debug/bindle info mybindle/0.1.0

[FrankYang0529]

Hi @vdice, it looks like we can't use the latest bindle with Spin. Bindle rejects un-signed invoices after this change #300. I will focus on fermyon/spin#689 to fix this issue first.

[thomastaylor312]

Hi @vdice, it looks like we can't use the latest bindle with Spin. Bindle rejects un-signed invoices after this change #300. I will focus on fermyon/spin#689 to fix this issue first

@FrankYang0529 Yeah that is why the 0.9.0 release is still in an RC. We were giving everyone time to update to the required signing.

[thomastaylor312]

I agree with @vdice here that we should probably have a followup PR with some additional documentation about building the docker image (or at least a make docker target) and a CI/CD pipeline for building and pushing this image somewhere

[thomastaylor312]

One small nit: We might want to create and run as a bindle user instead of root as that is generally good for hygiene. But that is not blocking

[FrankYang0529]

Updated it. Thank you.

[thomastaylor312]

@vdice leaving final approval up to you. If you'd like to see a make target and some docs in this PR, I am good with that

[vdice]

Thanks for adding this @FrankYang0529! Prior to merging, my two requests are:

• A docs mention on the ability to run bindle-server in a container: it could be as simple as a brief mention in the README somewhere around the 'Using Bindle' section. Since the flow that already exists applies whether or not the bindle server process is running in a container, perhaps with a few updates (eg bindle keys fetch) we should be able to add a note along the lines of 'Note that the server can also run as a container...' Or we could add a whole new section/flow for the containerized approach; either way.
• As @thomastaylor312 suggested, make target(s) for running the server in a container would be nice. I see that the other serve* targets have options for embedded and/or tls. I'm not sure the most ideal way to do this... use existing targets but have a USE_DOCKER env var option? Or have docker variants for all the serve* targets? WDYT?

[FrankYang0529]

Hi @vdice, I updated docs/README.md. May you help me review it again? Thank you.

[vdice]

Looks great! Thank you @FrankYang0529