Minimal implementation of the proxy #655
Conversation
|
"Beta features" or "Experimental features" ? |
|
"Experimental Features". And I'd put that right after 'Features'. |
|
You checked in the wait-for-weave binary -- is that safe with respect to licensing? |
|
Documetation notes from discussion in person:
|
We shouldn't have that checked it. Only the source. |
|
@squaremo good call, will check. |
|
or, rather, we should fetch & build it. |
|
This kinda fixes #47 and #230. Though we should probably not declare victory on these until the proxy is more fully integrated. @paulbellamy please raise an issue for the latter. TLS is covered by #506. |
paulbellamy
force-pushed
the
proxy-minimal
branch
2 times, most recently
from
4cb52f1 to
89b7f4c
Compare
|
|
||
| start_suite "Run docker-py test suite against the proxy" | ||
|
|
||
| assert_raises "docker_on $HOST1 ps | grep weaveproxy" 1 |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
I think this also addresses #117, with the same caveats. |
|
Does this also solve #400? |
|
and #401? |
|
|
||
| start_suite "Proxy waits for weave to be ready before running container commands" | ||
| weave_on $HOST1 launch-proxy | ||
| assert_raises "docker_proxy_on $HOST1 run -e 'WEAVE_CIDR=10.2.1.1/24' --name=c1 gliderlabs/alpine ifconfig ethwe" 0 |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
re: licensing, it's Apache2, so since we are "distributing" it, we probably need attribution, and a license included? but I am not a lawyer... |
| remote $host $SSH $host $@ | ||
| } | ||
|
|
||
| docker_on() { | ||
| host=$1 | ||
| shift 1 | ||
| greyly echo "Docker on $host: $@" | ||
| greyly echo "Docker on $host: $@" >&2 |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
re: licensing, will remove binocarlos/wait-for-weave, and reinvent the wheel. |
| InitDefaultLogging(true) | ||
| } | ||
|
|
||
| p, err := proxy.NewProxy(target) |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
A few more things to figure out and document...
|
|
Perhaps there could be a flag on the proxy that controls whether it should act on all containers or only containers with a |
|
Regarding DNS... the proxy could have a |
|
+1 This is a great feature, of note as ,mentioned in #629, WEAVE_CIDR should support multiple CIDR's (for containers connected to other northbound and southbound containers). |
|
It already does. Per the docs in this PR. |
|
@rade, apologies, fired off too fast. Excitement got to me :) |
|
|
||
| down, _, up, rem, err := hijack(w, client) | ||
| if err != nil { | ||
| Error.Fatal("Unable to hijack response stream for chunked response", http.StatusInternalServerError) |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
The proxy tests take longer to run than the entire existing test suite! 4 mins vs 3min30s. Over half of that is in running the docker integration test suite. Not sure what, if anything, to do about this. |
This adds a docker remote API proxy to the weaveexec image. The proxy has hooks for (post-) container start and (pre-) container create; the former attaches a weave interface to a container given a WEAVE_CIDR environment entry, and the latter adjusts the entrypoint of a container to wait for the ethwe interface. Notes: None of the hooks need to inspect/change large bodies. In order to avoid a crash when handling images larger than memory we need to ensure that the entire request body is never loaded into memory (i.e. No ioutils.ReadAll). When proxying a raw-stream response, we can't use http.WriteHeader. It sets the Transfer-Encoding to chunked, which will throw off the clients. Instead we have to hijack the socket, and write out http status code manually. For chunked transfer-encodings, clients (docker-py) depend on each http chunk containing exactly one JSON object. Therefore, we cannot re-chunk the body, and have to pass it across verbatim. Proxy needs to pass multi-cidrs separately when calling weave. Otherwise they get smashed together on the command line, and the call fails. When creating the image, if no entrypoint is specified on the container, it should use the entrypoint of the image. Code for this is based on powerstrip-weave. We handle WEAVE_CIDR='' by acting like it is not set. The reason being, that because WEAVE_CIDR is inherited from images (along with env vars), setting it to blank is equivalent to unsetting it.
Use curl /weave to wait for the proxy to boot before returning.
paulbellamy
force-pushed
the
proxy-minimal
branch
from
3cb4f95 to
bcb2ffa
Compare
binocarlos/wait-for-weave is Apache2 licensed, so attribution/etc applies. Thus, we re-invent the wheel here.
In the proxy, I swapped the 'flag' library for 'code.google.com/p/getopt', which uses double-dash flags. proxy lets 'weave attach' do dns registration on container start proxy needs to set DNSSearch if not specified
- some inlining - compile regexps once - consistent error messages - always mention container id in startContainerInterceptor errors
busybox is smaller. gliderlabs/alpine is even smaller, but is used by weaveexec, so we can't remove it.
paulbellamy
force-pushed
the
proxy-minimal
branch
from
bcb2ffa to
b71a428
Compare
|
Yeah, I agree the docker-py tests are quite slow. They have several sleeps in them. I had tried, the go-dockerclient tests, but they just use a mock server. Overall, I'm not sure what to do about it at this point. |
|
Notes after f2f with @rade, the docker-py tests are quite slow, and possibly a bit flakey, but have been useful in catching proxy bugs. If they prove troublesome, could check if there is a cli suite as part of the main docker repo. Or put some work into fixing up/speeding up the docker-py tests... |
paulbellamy
force-pushed
the
proxy-minimal
branch
from
f35db0d to
ee07d64
Compare
|
100! |
Supersedes #652
This adds a docker remote API proxy to the weaveexec image. The proxy is NOT
auto-launched when running a container with weave cli. Nor is it used at all by the weave CLI script.
It is merely provided/documented as a beta feature, so that we can gauge feedback.
The proxy currently has hooks for: