
Allow docker access with Batch SSH users
- Allow Docker daemon access for Batch SSH users when enabled in the pool
  configuration
- Resolves #206
alfpark committed Jun 11, 2018
1 parent c2cd8f5 commit 7d48249
Showing 6 changed files with 26 additions and 7 deletions.
1 change: 1 addition & 0 deletions config_templates/pool.yaml
Expand Up @@ -81,6 +81,7 @@ pool_specification:
generate_docker_tunnel_script: true
generated_file_export_path:
hpn_server_swap: false
allow_docker_access: false
rdp:
username: shipyard
password: null
3 changes: 2 additions & 1 deletion convoy/fleet.py
Expand Up @@ -1394,7 +1394,7 @@ def _construct_pool_object(
_rflist.append(_NODEPREP_FILE)
# create start task commandline
start_task.append(
('{npf}{a}{b}{c}{d}{e}{f}{g}{lis}{m}{n}{p}{s}{t}{u}'
('{npf}{a}{b}{c}{d}{e}{f}{g}{lis}{m}{n}{p}{r}{s}{t}{u}'
'{v}{w}{x}').format(
npf=_NODEPREP_FILE[0],
a=' -a' if azurefile_vd else '',
Expand All @@ -1411,6 +1411,7 @@ def _construct_pool_object(
n=' -n' if native else '',
p=' -p {}'.format(bs.storage_entity_prefix) if (
bs.storage_entity_prefix) else '',
r=' -r' if pool_settings.ssh.allow_docker_access else '',
s=' -s {}'.format(torrentflags),
t=' -t' if settings.can_tune_tcp(
pool_settings.vm_size) else '',
10 changes: 8 additions & 2 deletions convoy/settings.py
Expand Up @@ -203,6 +203,7 @@
'username', 'expiry_days', 'ssh_public_key', 'ssh_public_key_data',
'ssh_private_key', 'generate_docker_tunnel_script',
'generated_file_export_path', 'hpn_server_swap',
'allow_docker_access',
]
)
RDPSettings = collections.namedtuple(
Expand Down Expand Up @@ -421,7 +422,7 @@ def __init__(
public_ip, virtual_network, network_security, ssh,
accelerated_networking):
# type: (VmResource, str, str, str, str, PublicIpSettings,
# VirtualNetworkSettings, NetworkSecuritySettings, SshSettings,
# VirtualNetworkSettings, NetworkSecuritySettings, SSHSettings,
# bool) -> None
self.location = location
self.resource_group = resource_group
Expand All @@ -442,7 +443,7 @@ def __init__(
accelerated_networking, prometheus):
# type: (StorageClusterSettings, str, FileServerSettings, int, int,
# Dict, str, str, str, str, PublicIpSettings,
# VirtualNetworkSettings, NetworkSecuritySettings, SshSettings,
# VirtualNetworkSettings, NetworkSecuritySettings, SSHSettings,
# bool, PrometheusSettings) -> None
super(StorageClusterSettings, self).__init__(
location, resource_group, hostname_prefix, vm_size, public_ip,
Expand Down Expand Up @@ -1150,6 +1151,7 @@ def pool_settings(config):
ssh_gen_docker_tunnel = None
ssh_gen_file_path = '.'
ssh_hpn = None
ssh_ada = None
else:
ssh_expiry_days = _kv_read(sshconf, 'expiry_days', 30)
if ssh_expiry_days <= 0:
Expand All @@ -1176,6 +1178,7 @@ def pool_settings(config):
ssh_gen_file_path = _kv_read_checked(
sshconf, 'generated_file_export_path', '.')
ssh_hpn = _kv_read(sshconf, 'hpn_server_swap', False)
ssh_ada = _kv_read(sshconf, 'allow_docker_access', False)
# rdp settings
try:
rdpconf = conf['rdp']
Expand Down Expand Up @@ -1256,6 +1259,7 @@ def pool_settings(config):
generate_docker_tunnel_script=ssh_gen_docker_tunnel,
generated_file_export_path=ssh_gen_file_path,
hpn_server_swap=ssh_hpn,
allow_docker_access=ssh_ada,
),
rdp=RDPSettings(
username=rdp_username,
Expand Down Expand Up @@ -4184,6 +4188,7 @@ def remotefs_settings(config, sc_id=None):
generate_docker_tunnel_script=False,
generated_file_export_path=sc_ssh_gen_file_path,
hpn_server_swap=False,
allow_docker_access=False,
),
vm_disk_map=disk_map,
prometheus=prometheus_settings(sc_conf),
Expand Down Expand Up @@ -4431,6 +4436,7 @@ def monitoring_settings(config):
generate_docker_tunnel_script=False,
generated_file_export_path=ssh_gen_file_path,
hpn_server_swap=False,
allow_docker_access=False,
),
)

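Review bot: In `pool_settings` the no-SSH branch sets `ssh_ada = None`, while the remotefs and monitoring constructors pass `allow_docker_access=False` and the schema declares the key as `type: bool`; `None` only works because fleet.py tests the field for truthiness. Initializing it as `ssh_ada = False` keeps the `SSHSettings` value a bool in every constructor and matches the documented default of `false`. `pool_settings` starts and ends outside the hunk.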
3 changes: 3 additions & 0 deletions docs/13-batch-shipyard-configuration-pool.md
Expand Up @@ -89,6 +89,7 @@ pool_specification:
generate_docker_tunnel_script: true
generated_file_export_path:
hpn_server_swap: false
allow_docker_access: false
rdp:
username: shipyard
password: null
Expand Down Expand Up @@ -445,6 +446,8 @@ is ignored for Windows-based pools.
[HPN patches](https://www.psc.edu/index.php/using-joomla/extensions/templates/atomic/636-hpn-ssh)
to be swapped with the standard distribution OpenSSH server. This is not
supported on all Linux distributions and may be force disabled.
* (optional) `allow_docker_access` allows this SSH user access to the
Docker daemon. The default is `false`.
* (optional) `rdp` is the property for creating a user to accomodate RDP login
sessions to compute nodes. If this property is absent, then an RDP user is not
created with pool creation. This property is ignored for Linux-based pools.
2 changes: 2 additions & 0 deletions schemas/pool.yaml
Expand Up @@ -247,6 +247,8 @@ mapping:
type: str
hpn_server_swap:
type: bool
allow_docker_access:
type: bool
rdp:
type: map
mapping:
14 changes: 10 additions & 4 deletions scripts/shipyard_nodeprep.sh
Expand Up @@ -80,6 +80,7 @@ blobxferversion=latest
block=
cascadecontainer=0
custom_image=0
docker_group=
encrypted=
hpnssh=0
gluster_on_compute=0
Expand All @@ -94,7 +95,7 @@ sc_args=
shipyardversion=

# process command line options
while getopts "h?abcde:fg:l:m:np:s:tuv:wx:" opt; do
while getopts "h?abcde:fg:l:m:np:rs:tuv:wx:" opt; do
case "$opt" in
h|\?)
echo "shipyard_nodeprep.sh parameters"
Expand All @@ -110,6 +111,7 @@ while getopts "h?abcde:fg:l:m:np:s:tuv:wx:" opt; do
echo "-m [type:scid] mount storage cluster"
echo "-n native mode"
echo "-p [prefix] storage container prefix"
echo "-r enable azure batch docker group"
echo "-s [enabled:non-p2p concurrent download:seed bias:compression] p2p sharing"
echo "-t optimize network TCP settings"
echo "-u custom image"
Expand Down Expand Up @@ -152,6 +154,9 @@ while getopts "h?abcde:fg:l:m:np:s:tuv:wx:" opt; do
p)
prefix="--prefix $OPTARG"
;;
r)
docker_group="\"group\": \"_azbatchsudogrp\","
;;
s)
p2p=${OPTARG,,}
IFS=':' read -ra p2pflags <<< "$p2p"
Expand Down Expand Up @@ -597,7 +602,7 @@ EOF
python -c "import json;a=json.load(open('/etc/docker/daemon.json.dpkg-old'));b=json.load(open('/etc/docker/daemon.json'));a.update(b);f=open('/etc/docker/daemon.json','w');json.dump(a,f);f.close();"
rm -f /etc/docker/daemon.json.dpkg-old
elif [[ $DISTRIB_ID == centos* ]]; then
echo "{ \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json.merge
echo "{ $docker_group \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json.merge
python -c "import json;a=json.load(open('/etc/docker/daemon.json.merge'));b=json.load(open('/etc/docker/daemon.json'));a.update(b);f=open('/etc/docker/daemon.json','w');json.dump(a,f);f.close();"
rm -f /etc/docker/daemon.json.merge
fi
Expand Down Expand Up @@ -937,9 +942,9 @@ install_docker_host_engine() {
rm -rf /var/lib/docker
mkdir -p /etc/docker
if [ "$PACKAGER" == "apt" ]; then
echo "{ \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"fd://\", \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json
echo "{ $docker_group \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"fd://\", \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json
else
echo "{ \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json
echo "{ $docker_group \"data-root\": \"$USER_MOUNTPOINT/docker\", \"hosts\": [ \"unix:///var/run/docker.sock\", \"tcp://127.0.0.1:2375\" ] }" > /etc/docker/daemon.json
fi
# ensure no options are specified after dockerd
sed -i 's|^ExecStart=/usr/bin/dockerd.*|ExecStart=/usr/bin/dockerd|' "${SYSTEMD_PATH}"/docker.service
Expand Down Expand Up @@ -1323,6 +1328,7 @@ echo "Azure Blob: $azureblob"
echo "Azure File: $azurefile"
echo "GlusterFS on compute: $gluster_on_compute"
echo "HPN-SSH: $hpnssh"
echo "Enable Azure Batch group for Docker access: $docker_group"
echo "Cascade via container: $cascadecontainer"
echo "P2P: $p2penabled"
echo "Block on images: $block"
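Review bot: In the `r)` case the socket group is hard-wired to `_azbatchsudogrp` and written straight into `daemon.json` without confirming the group exists on the node; as far as I recall, dockerd refuses to start when a non-default `group` cannot be resolved rather than falling back, so a missing group would surface later as an opaque start-task failure. A guard in the option handler, `r) getent group _azbatchsudogrp >/dev/null || { echo "group _azbatchsudogrp not found" >&2; exit 1; }`, makes that failure explicit and early. Because write access to the Docker socket is root-equivalent on the node (any member can start a privileged container with the host filesystem mounted), the option deserves a comment to that effect, e.g. `# -r hands the docker socket to _azbatchsudogrp; socket access is root-equivalent on the node`; the group name suggests its members already hold sudo, but that is not visible here. The summary `echo` prints the JSON fragment itself; a separate boolean such as `docker_access=1` set alongside `docker_group` would read more clearly in the log.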
