From 65357750d212ac3d8faaad0340f8259d74913810 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 Jun 2015 14:18:36 -0400 Subject: Added publish property for systemd-spawn containers. (Needs systemd version 220.) --- debian/changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6a105804..9b75e118 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,6 +15,8 @@ propellor (2.5.0) UNRELEASED; urgency=medium * Mount /proc inside a chroot before provisioning it, to work around #787227 * --spin now works when given a short hostname that only resolves to an ipv6 address. + * Added publish property for systemd-spawn containers. + (Needs systemd version 220.) -- Joey Hess Thu, 07 May 2015 12:08:34 -0400 -- cgit v1.2.3 From a50edc3d9f1fc630ba5f72aba6cfec9aca71c204 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 Jun 2015 16:05:31 -0400 Subject: better types for systemd port publishing --- config-joey.hs | 4 +-- debian/changelog | 5 ++-- src/Propellor/Property/Systemd.hs | 59 ++++++++++++++++++++++----------------- 3 files changed, 39 insertions(+), 29 deletions(-) (limited to 'debian') diff --git a/config-joey.hs b/config-joey.hs index 56f1eb93..ff06333d 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -104,8 +104,8 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64" & Docker.garbageCollected `period` Daily ! Docker.docked webserver' & File.dirExists "/var/www/html" - & File.notPresent "/var/www/html/index.html" - & "/var/www/index.html" `File.hasContent` ["hello, world"] + & File.notPresent "/var/www/index.html" + & "/var/www/html/index.html" `File.hasContent` ["hello, world"] & alias "helloworld.kitenet.net" & Docker.docked oldusenetShellBox diff --git a/debian/changelog b/debian/changelog index 9b75e118..a4c40ea5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,15 +8,16 @@ propellor (2.5.0) UNRELEASED; urgency=medium * createProcess from Propellor.Property.Cmd, so they are available for use in constricting your own Properties when using propellor as a library. - * Improve enter-machine scripts for nspawn containers to unset most + * Improve enter-machine scripts for systemd-nspawn containers to unset most environment variables. * Fix Postfix.satellite bug; the default relayhost was set to the domain, not to smtp.domain as documented. * Mount /proc inside a chroot before provisioning it, to work around #787227 * --spin now works when given a short hostname that only resolves to an ipv6 address. - * Added publish property for systemd-spawn containers. + * Added publish and publish' properties for systemd-spawn containers. (Needs systemd version 220.) + * Added bind and bindRo properties for systemd-spawn containers. -- Joey Hess Thu, 07 May 2015 12:08:34 -0400 diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs index 973314ac..34e51ba9 100644 --- a/src/Propellor/Property/Systemd.hs +++ b/src/Propellor/Property/Systemd.hs @@ -1,3 +1,5 @@ +{-# LANGUAGE TypeSynonymInstances #-} + module Propellor.Property.Systemd ( -- * Services module Propellor.Property.Systemd.Core, @@ -22,9 +24,12 @@ module Propellor.Property.Systemd ( -- * Container configuration containerCfg, resolvConfed, - publish, + Publishable(..), + privateNetwork, + ForwardedPort(..), Proto(..), - publish', + PortSpec(..), + publish, bind, bindRo, ) where @@ -288,32 +293,36 @@ resolvConfed = containerCfg "bind=/etc/resolv.conf" privateNetwork :: RevertableProperty privateNetwork = containerCfg "private-network" --- | Publish a container's (tcp) port to same port on the host. --- --- This automatically enables privateNetwork, so all non-published ports --- will not be accessible outside the container. --- --- Note that this feature was first added in systemd version 220. -publish :: Port -> RevertableProperty -publish p = publish' TCP p p - `requires` privateNetwork +class Publishable a where + toPublish :: a -> String + +instance Publishable Port where + toPublish p = show p + +data ForwardedPort = ForwardedPort + { hostPort :: Port + , containerPort :: Port + } + +instance Publishable ForwardedPort where + toPublish fp = show (hostPort fp) ++ ":" ++ show (containerPort fp) data Proto = TCP | UDP -publish' - :: Proto - -> Port -- ^ Host port - -> Port -- ^ Container port - -> RevertableProperty -publish' proto hostport containerport = containerCfg $ "--port=" ++ - intercalate ":" - [ sproto proto - , show hostport - , show containerport - ] - where - sproto TCP = "tcp" - sproto UDP = "udp" +data PortSpec = PortSpec Proto ForwardedPort + +instance Publishable PortSpec where + toPublish (PortSpec TCP fp) = "tcp:" ++ toPublish fp + toPublish (PortSpec UDP fp) = "udp:" ++ toPublish fp + +-- | Publish a port from the container on the host. +-- +-- Note that this will only work if the container's network is set up +-- by other properties. +-- +-- This feature was first added in systemd version 220. +publish :: Publishable p => p -> RevertableProperty +publish p = containerCfg $ "--port=" ++ toPublish p -- | Bind mount a file or directory from the host into the container. -- -- cgit v1.2.3 From 85c3d110882f0f9d70316235221ba8b20754661f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 Jun 2015 16:12:21 -0400 Subject: reorganize Port type for systemd can use it --- config-joey.hs | 2 +- debian/changelog | 3 +++ src/Propellor/Property/Firewall.hs | 23 ++++++++++------------- src/Propellor/Property/Systemd.hs | 9 +++------ src/Propellor/Types/OS.hs | 4 ++++ 5 files changed, 21 insertions(+), 20 deletions(-) (limited to 'debian') diff --git a/config-joey.hs b/config-joey.hs index ff06333d..83eb5430 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -409,7 +409,7 @@ iabak = host "iabak.archiveteam.org" -- Simple web server, publishing the outside host's /var/www webserver :: Systemd.Container webserver = standardStableContainer "webserver" - & Systemd.publish 80 + & Systemd.publish (Port 80) & Systemd.bind "/var/www" & Apt.serviceInstalledRunning "apache2" diff --git a/debian/changelog b/debian/changelog index a4c40ea5..599143d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,9 @@ propellor (2.5.0) UNRELEASED; urgency=medium * Added publish and publish' properties for systemd-spawn containers. (Needs systemd version 220.) * Added bind and bindRo properties for systemd-spawn containers. + * Firewall: Port was changed to a newtype, and the Port and PortRange + constructors of Rules were changed to DPort and DportRange, respectively. + (API change) -- Joey Hess Thu, 07 May 2015 12:08:34 -0400 diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs index ab57b122..d643b185 100644 --- a/src/Propellor/Property/Firewall.hs +++ b/src/Propellor/Property/Firewall.hs @@ -9,7 +9,6 @@ module Propellor.Property.Firewall ( Target(..), Proto(..), Rules(..), - Port, ConnectionState(..) ) where @@ -45,8 +44,8 @@ toIpTable r = map Param $ toIpTableArg :: Rules -> [String] toIpTableArg Everything = [] toIpTableArg (Proto proto) = ["-p", map toLower $ show proto] -toIpTableArg (Port port) = ["--dport", show port] -toIpTableArg (PortRange (f,t)) = ["--dport", show f ++ ":" ++ show t] +toIpTableArg (DPort port) = ["--dport", show port] +toIpTableArg (DPortRange (f,t)) = ["--dport", show f ++ ":" ++ show t] toIpTableArg (IFace iface) = ["-i", iface] toIpTableArg (Ctstate states) = ["-m", "conntrack","--ctstate", concat $ intersperse "," (map show states)] toIpTableArg (r :- r') = toIpTableArg r <> toIpTableArg r' @@ -55,33 +54,31 @@ data Rule = Rule { ruleChain :: Chain , ruleTarget :: Target , ruleRules :: Rules - } deriving (Eq, Show, Read) + } deriving (Eq, Show) data Chain = INPUT | OUTPUT | FORWARD - deriving (Eq,Show,Read) + deriving (Eq, Show) data Target = ACCEPT | REJECT | DROP | LOG - deriving (Eq,Show,Read) + deriving (Eq, Show) data Proto = TCP | UDP | ICMP - deriving (Eq,Show,Read) - -type Port = Int + deriving (Eq, Show) data ConnectionState = ESTABLISHED | RELATED | NEW | INVALID - deriving (Eq,Show,Read) + deriving (Eq, Show) data Rules = Everything | Proto Proto -- ^There is actually some order dependency between proto and port so this should be a specific -- data type with proto + ports - | Port Port - | PortRange (Port,Port) + | DPort Port + | DPortRange (Port,Port) | IFace Network.Interface | Ctstate [ ConnectionState ] | Rules :- Rules -- ^Combine two rules - deriving (Eq,Show,Read) + deriving (Eq, Show) infixl 0 :- diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs index 34e51ba9..9e5ca432 100644 --- a/src/Propellor/Property/Systemd.hs +++ b/src/Propellor/Property/Systemd.hs @@ -1,5 +1,3 @@ -{-# LANGUAGE TypeSynonymInstances #-} - module Propellor.Property.Systemd ( -- * Services module Propellor.Property.Systemd.Core, @@ -24,11 +22,11 @@ module Propellor.Property.Systemd ( -- * Container configuration containerCfg, resolvConfed, - Publishable(..), privateNetwork, ForwardedPort(..), Proto(..), PortSpec(..), + Publishable, publish, bind, bindRo, @@ -39,7 +37,6 @@ import Propellor.Types.Chroot import qualified Propellor.Property.Chroot as Chroot import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.File as File -import Propellor.Property.Firewall (Port) import Propellor.Property.Systemd.Core import Utility.FileMode @@ -297,7 +294,7 @@ class Publishable a where toPublish :: a -> String instance Publishable Port where - toPublish p = show p + toPublish (Port n) = show n data ForwardedPort = ForwardedPort { hostPort :: Port @@ -305,7 +302,7 @@ data ForwardedPort = ForwardedPort } instance Publishable ForwardedPort where - toPublish fp = show (hostPort fp) ++ ":" ++ show (containerPort fp) + toPublish fp = toPublish (hostPort fp) ++ ":" ++ toPublish (containerPort fp) data Proto = TCP | UDP diff --git a/src/Propellor/Types/OS.hs b/src/Propellor/Types/OS.hs index 58bd809a..c46d9a28 100644 --- a/src/Propellor/Types/OS.hs +++ b/src/Propellor/Types/OS.hs @@ -10,6 +10,7 @@ module Propellor.Types.OS ( User(..), Group(..), userGroup, + Port(..), ) where import Network.BSD (HostName) @@ -42,3 +43,6 @@ newtype Group = Group String -- | Makes a Group with the same name as the User. userGroup :: User -> Group userGroup (User u) = Group u + +newtype Port = Port Int + deriving (Eq, Show) -- cgit v1.2.3 From 06ebb4593acb0ae70e9413ee63df41eb250adb92 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 Jun 2015 17:00:57 -0400 Subject: propellor spin --- debian/changelog | 2 +- src/Propellor/Property/Systemd.hs | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 599143d8..c262eadf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,7 +15,7 @@ propellor (2.5.0) UNRELEASED; urgency=medium * Mount /proc inside a chroot before provisioning it, to work around #787227 * --spin now works when given a short hostname that only resolves to an ipv6 address. - * Added publish and publish' properties for systemd-spawn containers. + * Added publish property for systemd-spawn containers, for port publishing. (Needs systemd version 220.) * Added bind and bindRo properties for systemd-spawn containers. * Firewall: Port was changed to a newtype, and the Port and PortRange diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs index c2446b2e..ea8c994e 100644 --- a/src/Propellor/Property/Systemd.hs +++ b/src/Propellor/Property/Systemd.hs @@ -38,6 +38,7 @@ import qualified Propellor.Property.Chroot as Chroot import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.File as File import Propellor.Property.Systemd.Core +import Propellor.Property.Mount import Utility.FileMode import Data.List @@ -165,8 +166,19 @@ nspawned c@(Container name (Chroot.Chroot loc system builderconf _) h) = -- Chroot provisioning is run in systemd-only mode, -- which sets up the chroot and ensures systemd and dbus are -- installed, but does not handle the other provisions. - chrootprovisioned = Chroot.provisioned' - (Chroot.propigateChrootInfo chroot) chroot True + chrootprovisioned = + (toProp provisioner `onChange` umountProc) + + (toProp (revert provisioner)) + provisioner = Chroot.provisioned' (Chroot.propigateChrootInfo chroot) chroot True + + -- The chroot's /proc is left mounted by the chroot provisioning, + -- but that will prevent systemd-nspawn from starting systemd in + -- it, so unmount. + umountProc = check (elem procloc <$> mountPointsBelow loc) $ + property (procloc ++ " unmounted") $ do + makeChange $ umountLazy procloc + procloc = loc "proc" -- Use nsenter to enter container and and run propellor to -- finish provisioning. -- cgit v1.2.3 From e11c68cf1e515746e3bd0256a949e182ae735f99 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 Jun 2015 23:57:33 -0400 Subject: Docker: volume and publish accept Bound FilePath and Bound Port, respectively. They also continue to accept Strings, for backwards compatability. --- debian/changelog | 3 +++ src/Propellor/Property/Docker.hs | 36 +++++++++++++++++++++++++++++------- 2 files changed, 32 insertions(+), 7 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index c262eadf..f4459a2c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -21,6 +21,9 @@ propellor (2.5.0) UNRELEASED; urgency=medium * Firewall: Port was changed to a newtype, and the Port and PortRange constructors of Rules were changed to DPort and DportRange, respectively. (API change) + * Docker: volume and publish accept Bound FilePath and Bound Port, + respectively. They also continue to accept Strings, for backwards + compatability. -- Joey Hess Thu, 07 May 2015 12:08:34 -0400 diff --git a/src/Propellor/Property/Docker.hs b/src/Propellor/Property/Docker.hs index fd7e37b2..1dcc3522 100644 --- a/src/Propellor/Property/Docker.hs +++ b/src/Propellor/Property/Docker.hs @@ -23,9 +23,11 @@ module Propellor.Property.Docker ( -- * Container configuration dns, hostname, + Publishable, publish, expose, user, + Mountable, volume, volumes_from, workdir, @@ -43,6 +45,7 @@ module Propellor.Property.Docker ( import Propellor hiding (init) import Propellor.Types.Docker +import Propellor.Types.Container import Propellor.Types.CmdLine import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt @@ -254,10 +257,19 @@ hostname = runProp "hostname" name :: String -> Property HasInfo name = runProp "name" +class Publishable p where + toPublish :: p -> String + +instance Publishable (Bound Port) where + toPublish p = show (hostSide p) ++ ":" ++ show (containerSide p) + +-- | string format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort +instance Publishable String where + toPublish = id + -- | Publish a container's port to the host --- (format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort) -publish :: String -> Property HasInfo -publish = runProp "publish" +publish :: Publishable p => p -> Property HasInfo +publish = runProp "publish" . toPublish -- | Expose a container's port without publishing it. expose :: String -> Property HasInfo @@ -267,11 +279,21 @@ expose = runProp "expose" user :: String -> Property HasInfo user = runProp "user" --- | Mount a volume --- Create a bind mount with: [host-dir]:[container-dir]:[rw|ro] +class Mountable p where + toMount :: p -> String + +instance Mountable (Bound FilePath) where + toMount p = hostSide p ++ ":" ++ containerSide p + +-- | string format: [host-dir]:[container-dir]:[rw|ro] +-- -- With just a directory, creates a volume in the container. -volume :: String -> Property HasInfo -volume = runProp "volume" +instance Mountable String where + toMount = id + +-- | Mount a volume +volume :: Mountable v => v -> Property HasInfo +volume = runProp "volume" . toMount -- | Mount a volume from the specified container into the current -- container. -- cgit v1.2.3