garethr / garethr-docker Goto Github PK

Example usage for the docker module is awesome but the README could be improved with a resources and class parameter reference. See the README template from Puppet Labs for an example: https://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html

I'm trying to figure out the best way to upgrade the docker containers using puppet.

Currently trying:

    docker::image { 'kohana-remove':
      ensure  => 'absent',
      image   => 'docker.ukwm.local:5000/ukwm/container',
      require => Class['ukwm::packages::docker'],
    }
    ->
    docker::image { 'kohana-install':
      ensure  => 'latest',
      image   => 'docker.ukwm.local:5000/ukwm/container',
      require => Class['ukwm::packages::docker'],
    }
    ->
    docker::run { 'kohana':
      image           => 'docker.ukwm.local:5000/ukwm/container',
      ports           => ['81:80', '2221:22'],
      use_name        => true,
      restart_service => true,
      privileged      => false,
    }

Which outputs:

Error: docker rmi docker.ukwm.local:5000/ukwm/container returned 1 instead of one of [0]
Error: /Stage[main]/Stats::Backend::Kohana/Docker::Image[kohana-remove]/Exec[docker rmi docker.ukwm.local:5000/ukwm/container]/returns: change from notrun to 0 failed: docker rmi docker.ukwm.local:5000/ukwm/container returned 1 instead of one of [0]
Warning: /Stage[main]/Ukwm::Backend::Kohana/Docker::Image[kohana-install]/Exec[docker pull docker.ukwm.local:5000/ukwm/stats-kohana]: Skipping because of failed dependencies
Warning: /Stage[main]/Ukwm::Backend::Kohana/Docker::Run[kohana]/File[/etc/init/docker-kohana.conf]: Skipping because of failed dependencies
Warning: /Stage[main]/Ukwm::Backend::Kohana/Docker::Run[kohana]/Service[docker-kohana]: Skipping because of failed dependencies

So maybe an option of force docker rm -f <container>

What would be nicer, is if could notify run that the image has been update. Then it could stop, remove, and restart container.

This would be the command I'd use.

    docker::image { 'kohana-install':
      ensure  => 'latest',
      image   => 'docker.ukwm.local:5000/ukwm/container',
      require => Class['ukwm::packages::docker'],
    }

    docker::run { 'kohana':
      image           => 'docker.ukwm.local:5000/ukwm/container',
      ports           => ['81:80', '2221:22'],
      use_name        => true,
      restart_service => true,
      privileged      => false,
    }

docker run --rm could be added to accomplish some of that.

I would like to be able to add the availability of a docker image as a requirement to service install for instance.

Something like this:
require => [Docker:Image["mongo"]]

Is this possible?

The package is now included in the default repos as 'docker'. There is a request open on EPEL now to remove the old docker-io package, it might be worth changing this before it is actually gone from upstream.

So on installing on a stock Linode ubuntu 14.04 server this module generated the package name linux-image-extra-3.14.5-x86_64-linode42 while I believe the appropriate package is linux-image-extra-3.13.0-24-generic. I'm not sure the best way to address this but a simple work around would be to allow this parameter to be specified (I do not believe that is currently possible).

Currently your package installs docker-io on RedHat boxes.

The logic in install.pp which assumes package name based on $docker::use_upstream_package_source is not exactly correct.
According to http://docs.docker.com/installation/ubuntulinux/ package name is docker.io for Ubuntu Trusty and lxc-docker for other versions.
My use case is that I don't want to use upstream package repository as I provide those packages via my local mirror, the end result is that this module tries to install docker.io on a system which lxc-docker should be used.
I have implemented functionality that selects package_name (with possibility to set explicitly) based on the $::operatingsystemrelease, but there are many tests that are designed according to previously mentioned logic and fixing them could potentially brake backward compatibility for this module.
Also I have noticed that in tests, you use lsbdistid and put 'debian' there, which even for debian should be 'Debian', for ubuntu is 'Ubuntu', this does not matter as you don't use those facts anywhere. Also it seems you do use $::operatingsystemrelease but test cases for maverick are missing this value. I think it would be good to provide some consistency, either do not provide facts that are not used or provide most of the distro-present facts for each distribution.If you can suggest what would be the best way to fix this I can work on that and make a pull request.

Update: I have created pull request #74 for that, I think this code is fairly backward compatible.

When specifying a tcp_bind, in order for this to actually be usable the DOCKER_HOST environment variable needs to be populated with the tcp_bind value:

Proposed solution:

if $tcp_bind {
  file { '/etc/profile.d/docker-host.sh': 
    ensure  => file,
    content => "export DOCKER_HOST=${tcp_bind}"
  }
}

The documentation tells everyone to influence Docker's launch behaviour by editing /etc/default/docker. Your module replaces etc/init/docker.confwith a custom version which ignores /etc/default/docker.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Class[Apt] is already declared; cannot redeclare at /etc/puppet/manifests/nodes/node-common.pp:28 on node server.local

Your module apt to install itself I am getting conflicts where I'm installing with Apt as well.

When doing a system restart, Upstart tries to start my docker containers too early. In /var/log/upstart/docker-test.log, I am seeing:

2013/10/07 15:38:50 dial unix /var/run/docker.sock: no such file or directory

I am running Ubuntu Precise with a 3.8.0-31-generic kernel

Docker uses HTTPS in its package source (https://get.docker.io/ubuntu). My minimal Ubuntu installation was lacking the package apt-transport-https. So the package apt-transport-https should be installed before adding the HTTPS source.

Adding support for Amazon Linux shouldn't be to hard to add as it's 98% the same has RHEL/CentOS/Fedora. I have a fork in the works but hopefully someone can beat me to the task.

In my mind, the garethr/docker module needs an additional defined type, docker::build, to handle the initial build of a docker container, from which the image used by weave::run can be launched with its additional ethwe bridge connected interface, created by weave.

https://github.com/hesco/hesco-weave#to-do-tasks-for-other-projects

From the README page :

Unless specified this installs the latest version of docker from the docker inc repository.

But looking at the code the default is undef (https://github.com/garethr/garethr-docker/blob/master/manifests/params.pp#L6). There is even a check that will ensure the value is not undefined.

For information, the check is even done twice:
https://github.com/garethr/garethr-docker/blob/master/manifests/init.pp#L108
https://github.com/garethr/garethr-docker/blob/master/manifests/install.pp#L8

IMHO, the default should be changed to latest in source code (both check would be unnecessary)

Cheers

Using the garethr-docker puppet module, I get:

"Error: /Stage[main]/Docker::Service/Service[docker]: Could not evaluate: Could not find init script for 'docker'"

reading the code shows, for debian:

file { '/etc/init.d/docker':
ensure => 'absent',
notify => Service['docker'],
}

Have I encountered a bug here? Or am I missing something in its usage?

The current install.pp limits install on RHEL based systems to those >= 6.5. There are instances where the package may be available for older versions of an OS so I'd like to propose removing the version check that the module does. Additionally given that the option exists to set 'use_upstream_package_source' to false, it would be nice to override the package_name. For example, in my current environment I have RHEL 6u4 and the docker-io package is available, however the module bails because of the OS version. If it passed the version check the package name would be wrong (module has package_name set to 'docker' for RHEL < 7.0).

It seems to me that if the package is available then the puppet module shouldn't care what OS version i'm running. I'll gladly provide a PR if this seems like a good idea.

https://github.com/garethr/garethr-docker/blob/master/manifests/install.pp#L75

UPDATE: The package name is actually fine for RHEL6.4, simply removing the OS version check is enough to install docker using this module.

On Ubuntu 14.04, the installation of Docker using the following fails:

node default { 
  class { 'docker': }
}

It fails like this:

Error: /Stage[main]/Docker::Service/Service[docker]: Could not evaluate: Could not find init script or upstart conf file for 'docker'
Error: /Stage[main]/Docker::Service/Service[docker]: Failed to call refresh: Could not find init script or upstart conf file for 'docker' 
Error: /Stage[main]/Docker::Service/Service[docker]: Could not find init script or upstart conf file for 'docker'

Since the service name is hardcoded to docker and the actual service script is called docker.io, this fails.

Hey Gareth!

Thanks a million for this module, super useful.

One thing we've noticed is defining a different version causes an error. Digging and we discover:

ubuntu@box:~$ sudo apt-get install lxc-docker=0.6.4

Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Version '0.6.4' for 'lxc-docker' was not found

When it seems like Docker name spaces their releases a little different (note the - instead of the =):

ubuntu@box:~$ sudo apt-get install lxc-docker-0.6.4

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  lxc-docker lxc-docker-0.6.6
The following NEW packages will be installed:
  lxc-docker-0.6.4
0 upgraded, 1 newly installed, 2 to remove and 4 not upgraded.
Need to get 1,667 kB of archives.
After this operation, 5,539 kB disk space will be freed.
Do you want to continue [Y/n]? n

Do you have advice on handling this?

i just installed this module today and 0.12 is out and the module install 0.11.
when i set the version to '0.1.2' i got this error.
{code}
Error: Could not find resource 'Package[docker-io]' for relationship from 'Class[Epel]' on node calpercdbdev01.test.com
{code}

According to my observation and http://askubuntu.com/questions/236803/upstart-conf-changes-do-not-reload-after-edit , when upstart config file was changed, merely issueing restart is not sufficient. It needs to be stopped and started again.

Since Docker is part of the distribution on Ubuntu 14.04, there should be a parameter to enable the use of the default package (docker.io) instead of the package from the external repository.

reboot_on_kernel_update => true would be a nice option to have so that we can make sure we're actually running a compatible kernel in ubuntu 12.04

I've just tried using my puppet install script on another computer, but same vagrant script and I'm getting a strange one.

Seems like docker is installing "cgroup-lite".

==> default: Notice: /Stage[main]/Docker::Install/Package[cgroup-lite]/ensure: ensure changed 'purged' to 'present'
==> default: Notice: /Stage[main]/Docker::Install/Apt::Source[docker]/Apt::Key[Add key: A88D21E9 from Apt::Source docker]/Apt_key[Add key: A88D21E9 from Apt::Source docker]/ensure: created
==> default: Notice: /Stage[main]/Stats::Backend::Kohana/Docker::Run[kohana]/File[/etc/init/docker-kohana.conf]/ensure: created
==> default: Info: /Stage[main]/Stats::Backend::Kohana/Docker::Run[kohana]/File[/etc/init/docker-kohana.conf]: Scheduling refresh of Service[docker-kohana]
==> default: Info: /Stage[main]/Stats::Backend::Kohana/Docker::Run[kohana]/File[/etc/init/docker-kohana.conf]: Scheduling refresh of Service[docker-kohana]
==> default: Notice: /Stage[main]/Stats::Backend::Kohana/Docker::Run[kohana]/Service[docker-kohana]/ensure: ensure changed 'stopped' to 'running'
==> default: Info: /Stage[main]/Stats::Backend::Kohana/Docker::Run[kohana]/Service[docker-kohana]: Unscheduling refresh on Service[docker-kohana]
==> default: Error: Could not find command 'docker'
==> default: Error: /Stage[main]/Stats::Backend::Kohana/Docker::Image[kohana]/Exec[docker pull docker.ukwm.local:5000/ukwm/stats-kohana]/returns: change from notrun to 0 failed: Could not find command 'docker'

I'm going to keep looking.

https://github.com/garethr/garethr-docker/blob/master/manifests/run.pp#L59

A title may be containing a "/" such as in a case of using the image name for the docker::run title. This breaks the file creation with an error such as this:

Could not set 'present' on ensure: cannot generate tempfile '/etc/init/docker-shipyard/docker-private-registry.conf20140619-14949-yjg1lh-9'

This shouldn't require too much work. Currently there is no environment file for the default docker service, but I've opened a bug request with the maintainer to add one, once that is done this should be pretty trivial.

Is it compatible to Debian?

It should be possible to stop and remove containers somehow Basically the opposite of docker::run. Otherwise it is not possible to get rid of containers you don't need anymore.

Perhaps something like this:

// Will stop all containers with that image (and tag)
docker::stop { 'helloworld':
image => 'base:tag'
}

// Will remove all containers with that image (and tag)
docker::remove { 'helloworld':
image => 'base:tag'
}

Hi,

Firstly, apologies if the following is obvious or if what I'm doing is just plain wrong. I'm quite to new to some of this stuff.

I am trying to, in one step: instantiate a vagrant box which, through puppet provisioning, builds several docker images from Dockerfiles and starts them.

I am experimenting with functionality for building images from Dockerfiles: jvaughan/garethr-docker@2e34bb2

However, it seems that docker::image is missing the requirement for docker::install, so was failing because of the lack of a docker executable to run.

I've tried adding

require docker::image

within the image class. This does satisfy the install dependency and means that the image gets built.

However, it seems to be triggering additional refreshes of the docker service, and this is causing my container to become ghosted in docker. The same ghosting occurs if I manually run

service docker restart

Do you have any suggestions of the best way to proceed?

BTW, if the 'build from dockerfile' functionality is considered useful, I will do a pull request once I have written some tests.

Hello,

I did not found the meaning of use_name on docker::run. What is it good for?
Maybe this should be documented, as well as the default options for this deftype on the readme file.

Hey Gareth:

It seems that while docker is managing the creation of rules in the FORWARD chain, that it leaves the policies on every chain set to ACCEPT and the docker host particularly vulnerable, with all ports wide open. I want to use the puppetlabs/firewall module to lock things down and to manage the ports I need to open to the world for my haproxy, db servers and other services. But I want to do that without messing up what is happening with the docker rule set.

This evening I had a short exchange on the #docker channel on this subject. I'm imagining a new defined type docker::firewall which would be invoked by docker::run, and perhaps as well by a new docker::firewall::legacy_containers (might not be the right name there) which would handle managing the firewall for already running containers or containers which were run directly with the docker client, and in a way not otherwise managed by puppet.

23:50:12 hesco | I'm nearly ready to bring the iptables rule set run on my docker hosts under puppet management with the puppetlabs-firewall module. But the first thing the firewall module will do is flush whatever is already there. My question is this? What will it take to make docker rebuild its own rule set on top of what I'm doing with puppet? And how long would that take? Can't really afford to break things at this hour, when I'm hoping to go to bed soon. Can anyone advise me on how docker manages its iptables rule set and what might be expected if I run this test?

00:03:20 akerl | hesco: In my experience, if you're doing other things with iptables, it quickly becomes saner to have $other_thing manage all the rules and tell Docker to leave iptables alone

00:07:35 hesco | akerl: ok, I'll buy that. So it sounds like I need some sort of new defined type which will harvest the published ports out of docker ps and convert those into rules for the FORWARD chain, perhaps.

00:08:06 akerl | That would be snazzy

00:10:48 hesco | sounds like a patch for the garethr/docker module.

So, is this something which seems germane to your module, as I imagine? Would you consider such a patch? Or should I develop it under a distinct namespace?

-- Hugh

The /etc/rc.d/init.d/docker- script that gets created with the docker-run.erb template on CentOS/RHEL6 doesn't do a "docker rm" - so if you change any value, during the refresh you get a puppet agent error. The container is stopped, and can't be restarted because the name is already allocated. A "docker rm" added to the stop function in the init script would allow that to work properly.

So, something along the lines of:

--- a/docker/templates/etc/init.d/docker-run.erb
+++ b/docker/templates/etc/init.d/docker-run.erb
@@ -94,6 +94,9 @@ stop() {
             echo -n $"Stopping $prog: "
             docker stop $(cat $cidfile)
             retval=$?
+            docker rm $(cat $cidfile)
+            retval2=$?
+            retval=$((retval + retval2))
             [ $retval -eq 0 ] && rm -f $lockfile $cidfile
             return $retval
         else

(that's the patch we're working with in our module, anyway)

Hi there,

First - Thanks for writing this awesome module!

I was eager to try your new docker-1.2.0 module as I wanted to use the new linux-image-generic-lts-saucy kernel on my Ubuntu 12.04 VMs. I'd previously been using the docker-1.1.3 module without issue on my Ubuntu 12.04 VMs.

Unfortunately I could not to get this working, even when starting from a clean VM. From my VM:

uname vagrant@vi-packages9:~$ uname -a
Linux vi-packages9 3.11.0-26-generic #45~precise1-Ubuntu SMP Tue Jul 15 04:02:35 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

vagrant@vi-packages9:~$ sudo docker ps
2014/08/21 16:47:57 Cannot connect to the Docker daemon. Is 'docker -d' running on this host?

From /var/log/upstart/docker.log:

2014/08/21 16:54:14 docker daemon: 1.1.2 d84a070; execdriver: native; graphdriver:
[670c4a8f] +job serveapi(unix:///var/run/docker.sock)
[670c4a8f] +job initserver()
[670c4a8f.initserver()] Creating server
[670c4a8f] +job init_networkdriver()
2014/08/21 16:54:14 Listening for HTTP on unix (/var/run/docker.sock)
[670c4a8f] -job init_networkdriver() = OK (0)
2014/08/21 16:54:14 WARNING: Your kernel does not support cgroup swap limit.
Error loading docker apparmor profile: exit status 1 (Feature buffer full.)

I found the solution at https://www.digitalocean.com/community/questions/start-docker-error-message :

sudo apt-get install apparmor

I think your puppet module should install this apparmor package, at least on Ubuntu 12.04.

Thanks!
Dan

In template /etc/default/docker.erb, no_proxy can be written with:

<% if @no_proxy -%>
export no_proxy='<%= Array(@no_proxy).join(',') %>'
<% end -%>

This should keep compatibility with current version (in 1.2.2, no_proxy is a String instance).

This patch allows one to use a list for configuration which permits the use of YAML references.

After booting into a puppetized machine that used docker I had to use this fix to get docker running properly

moby/moby#2683 (comment)

specifically: when I ran docker run -i -t ubuntu /bin/bash I got [error] client.go:2315 Error resize: Error: bad file descriptor

Running without -t gave nothing
Running any docker build commands just gave an unexplained exit status code 1 message

If upstart is in use (debian), then when asked to restart a docker::run thing, it will notify the service:

That is good.

However, if options were changes (lets say you change a published port from 80=>88), Upstart will not take those changes into effect after a restart:
http://upstart.ubuntu.com/faq.html#reload
only after a stop.

In my experience, the best practice is to have configuration parameters in a /etc/default/bla file that can be sourced on restart. That way the /etc/init/bla.conf doesn't ever have to change, and parameters are loaded on each restart.

With this docker module, this is not really super, we end up baking all the configuration of a docker::run into the upstart config.

Alternatively, the only way I've been able to sanely do this in puppet is a puppet exec to stop the service and start it back up when the upstart script changes.

Would you accept a PR for that? Or would you consider it outside the scope? (in some sense this is "not a bug" in upstart land)

TLDR:

Expected: Changing the docker::run config will restart a docker with new config
Actual: The docker is restarted, but not with the new config

Proposed fix: A puppet exec to work around the fact that upstart only re-reads its config upon stop/start.

Hi. Calling class { 'docker': } and docker::image works fine. With docker::run however:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: str2bool(): Requires either string to work with at /etc/puppet/environments/production/modules/docker/manifests/run.pp:63 on node foo

Puppet client is Ubuntu 14.04 fresh install, with docker 1.20. insalled via class { 'docker': }.
Puppet server is 3.6.2 on ubuntu 12.04. Puppet-stdlib had to be updated to the latest version.

Possible fix:
In manifests/run.pp
$restart_service = true,
..
$notify = str2bool($restart_service) ? {

if I change that as follows (because the variable is already a boolean):
$notify = $restart_service ? {
and near line 106:
#if str2bool($restart_service) {
if $restart_service {

then it works fine.

I'm running Ubuntu 14.04 with latest lxc-docker:

Client version: 1.2.0
Client API version: 1.14
Go version (client): go1.3.1
Git commit (client): fa7b24f
OS/Arch (client): linux/amd64
Server version: 1.2.0
Server API version: 1.14
Go version (server): go1.3.1
Git commit (server): fa7b24f

When I try running the following:

docker::image{ 'rfkrocktk/puppetmaster':
     image_tag => '1.0.5',
}

The actual command which is run is sudo docker pull -t="1.0.5" rfkrocktk/puppetmaster. This causes Docker to download every version of my Docker image (5 of them at 600MB each).

When I edit it to read the following:

docker::image { 'rfkrocktk/puppetmaster:1.0.5': }

It works properly, however it runs the Docker pull command each time because the $image_find command doesn't work properly with the given name above.

TL;DR: Docker got rid of the -t parameter to docker pull and now just expects the following format:

vagrant@vagrant-trusty64:~$ sudo docker help pull

Usage: docker pull NAME[:TAG]

Pull an image or a repository from the registry

I'll see if I can contribute a fix, but this is broken.

I'm hitting the issues mentioned in the following post and it seems that the only work around at the moment is to add a service_provider parameter to the docker class to enable it to be settable. I'm happy to make the changes and do pull request if you think that is a good idea.

http://ask.puppetlabs.com/question/13635/how-to-use-puppet-modules-that-require-upstart-with-docker/

Docker containers don't really support the puppet upstart service provider and the only work around I know of at the moment is to set provider=base. Seems like a good idea to expose the provider as a parameter anyway.

Hi,

Thanks for the docker puppet module; it's really great.

I run Ubuntu 12.04 and lately I've wanted to switch from the default storage-driver "aufs" to the "devicemapper" storage driver.

I've looked through the module code pretty thoroughly, but I wasn't able to find a way to specify this as a parameter. Ideally I could just say

class { 'docker':
      storage_driver="devicemapper"
}

Is this something that currently exists? If not would you be willing to accept a pull request (with full test coverage of course)?

Cheers,
Mike

Having the correct kernel doesn't mean that the system is using it. It would be nice to have the option to restart a server after the module upgrades a kernel and assert that a recent version is being used.

Similar to the equivalent from the Chef cookbook.

Currently there is only a disable_network switch in docker::run. It was introduced with #41. Docker has more options on the --net command line option as documented here.

As I need the host option, it would be very helpful for me if the whole --net would be exposed in docker::run.

This is more of an RFE than a bug, but I think it's how most folks approaching the Docker puppet module would expect it to work.

When administering containers on several systems, a reasonable practice would be to use a Docker private registry to store images, and then specify image tags that include the private registry name. I.e.

  docker::image { 'privaterepohost.example.com/myopsorg/awesomeimage': 
    ensure => 'present',
    image_tag => 'latest'
  }

Images that reference a private repository should be checked against the private repository to see if they need to be refreshed with "docker pull".

Right now, it's difficult to trace a published Forge release back to version control. A git tag that is associated with the metadata.json commit is really useful for this.

https://github.com/garethr/garethr-docker/blob/master/templates/etc/default/docker.erb
line 29 (extra_parameters) uses .each which apparently has been replaced in ruby 1.9 with 'each_line' and 'each_char'

A well written changelog gives users another tool to identify the impact of an upgrade. Consider shipping one that picks out important commits, as a minimum.