Merge pull request #75 from phylake/no_read_only

Optional read_only: false

CHANGELOG.md

@@ -1,8 +1,9 @@
-**v2.1**
+**v2.1.0**
 
-- supporting worker stacks and workers in inet stacks
+- `topology: worker` now supported
+- configurable `read_only: false` to disable `docker run --read-only`
 
-**v2.0**
+**v2.0.0**
 
 - improved secrets handling in transit
 - enabled pluggable secrets provider

commands/host/docker.go

@@ -187,19 +187,13 @@ func startContainers(environmentStr, regionStr string) {
 			// daemonize
 			"-d",
 
-			// publish to an ephemeral port
-			"-P",
-
 			// log driver with defaults since facility override doesn't work
 			"--log-driver=syslog",
 
 			// try to keep the container alive
 			// CIS Docker Benchmark 1.11.0 5.14
 			"--restart=on-failure:5",
 
-			// CIS Docker Benchmark 1.11.0 5.12
-			"--read-only",
-
 			// set ulimit for container
 			// TODO calculate this
 			"--ulimit", "nofile=200000",
@@ -224,6 +218,16 @@ func startContainers(environmentStr, regionStr string) {
 			"-e", "PORTERD_TCP_PORT=" + constants.PorterDaemonBindPort,
 		}
 
+		if container.Topology == conf.Topology_Inet {
+			// publish to an ephemeral port
+			runArgs = append(runArgs, "-P")
+		}
+
+		if container.ReadOnly == nil || *container.ReadOnly == true {
+			// CIS Docker Benchmark 1.11.0 5.12
+			runArgs = append(runArgs, "--read-only")
+		}
+
 		// TODO revisit --cap-drop=ALL with override https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
 		if container.Uid == nil {
 			runArgs = append(runArgs, "-u", constants.ContainerUserUid)

conf/conf.go

@@ -66,6 +66,7 @@ type (
 		Topology        string       `yaml:"topology"`
 		InetPort        int          `yaml:"inet_port"`
 		Uid             *int         `yaml:"uid"`
+		ReadOnly        *bool        `yaml:"read_only"`
 		Dockerfile      string       `yaml:"dockerfile"`
 		DockerfileBuild string       `yaml:"dockerfile_build"`
 		HealthCheck     *HealthCheck `yaml:"health_check"`
@@ -226,6 +227,10 @@ func (recv *Config) SetDefaults() {
 				if region.Containers[0].Topology == "" {
 					region.Containers[0].Topology = Topology_Inet
 				}
+
+				if region.Containers[0].Name == "" {
+					region.Containers[0].Name = "primary"
+				}
 			}
 		}
 	}

conf/validate.go

@@ -224,7 +224,8 @@ func ValidateRegion(region *Region, validateRoleArn bool) error {
 
 func (recv *Region) ValidateContainers() error {
 
-	if len(recv.Containers) == 0 {
+	containerCount := len(recv.Containers)
+	if containerCount == 0 {
 
 		return errors.New("No containers are defined. Was SetDefaults() run?")
 	}
@@ -264,7 +265,7 @@ func (recv *Region) ValidateContainers() error {
 			}
 		}
 
-		if !containerNameRegex.MatchString(container.Name) {
+		if containerCount > 1 && !containerNameRegex.MatchString(container.Name) {
 			return errors.New("Invalid container name")
 		}
 

docs/detailed_design/config-reference.md

@@ -39,6 +39,7 @@ For each field the following notation is used
       - [dockerfile](#container-dockerfile) (==1?)
       - [dockerfile_build](#container-dockerfile-build) (==1?)
       - [uid](#uid) (==1?)
+      - [read_only](#read_only) (==1?)
       - [health_check](#health_check) (==1?)
       - [src_env_file](#src_env_file) (==1?)
       - [dst_env_file](#dst_env_file) (==1?)
@@ -301,7 +302,7 @@ Cloudformation stacks are eligible for deletion.
 
 ### containers
 
-container is a container definition and complex object.
+Define containers that should be built and run.
 
 If undefined a single default container definition is provided:
 
@@ -314,15 +315,27 @@ containers:
     path: /health
 ```
 
+If multiple containers are defined they must have unique names.
+
 ### topology
 
 topology describes the basic topology of the service and allow porter to do
 certain validation around the CloudFormation template to ensure things like
 a load balancer are defined.
 
-The only topology currently supported is `inet`
+`inet` and `worker` toplogies are supported. If an environment defines all
+`worker` containers then no ELB will be created.
+
+Multiple `inet` and `worker` containers can be deployed at the same time.
+
+**Limitations**
+
+The containers can communicate because they exist on the same docker network but
+no information is provided so containers can easily discover each other.
 
-Future work will support `worker` and `cron`
+No L7 routing occurs so all `inet` containers have to be identical.
+
+Future work will support service discovery and the `cron` topology.
 
 ### inet_port
 
@@ -349,11 +362,18 @@ Defaults to `Dockerfile.build` if undefined.
 
 ### uid
 
-This specifies the uid the container is run with (i.e. `docker run -u`).
+CIS Docker Benchmark 1.11.0 4.1 recommends running containers with a non-root
+user. Porter creates a porter-docker user on the host and runs docker with the
+porter-docker user's uid (`docker run -u <uid of the user porter-docker>`).
+
+If your container must run as root set `uid: 0`
+
+### read_only
 
-The default if left unset is to use the provisioned porter-docker user.
+CIS Docker Benchmark 1.11.0 5.12 recommends running containers with
+`--read-only`.
 
-If your container expects to run as root set this value to 0.
+Set `read_only: false` to disable this.
 
 ### health_check
 

provision/map_resource.go

@@ -543,10 +543,10 @@ func setCount(recv *stackCreator, template *cfn.Template, resource map[string]in
 	return true
 }
 
-// The WaitCondition DependsOn the ASG because its timeout starts as soon as its
-// created an the ASG is the last thing to be created so we want the timeout
-// countdown to start as soon as all the other resources in the stack have been
-// created
+// The WaitCondition DependsOn the ASG because its timeout starts as soon as
+// it's created and the ASG is the last thing to be created so we want the
+// timeout countdown to start as soon as all the other resources in the stack
+// have been created
 func setDependsOnAutoScalingGroup(recv *stackCreator, template *cfn.Template, resource map[string]interface{}) (success bool) {
 	if _, exists := resource["DependsOn"]; !exists {
 

testintegration/.porter/config

@@ -91,7 +91,21 @@ environments:
         - secrets.env-file
       dst_env_file:
         s3_bucket: porter-sandbox-us-west-2
+    - <<: *CONTAINER_BASE_INET
+      name: inet2
+      src_env_file:
+        exec_name: cat
+        exec_args:
+        - secrets.env-file
+      dst_env_file:
+        s3_bucket: porter-sandbox-us-west-2
+    - <<: *CONTAINER_BASE_WORKER
+      read_only: false
+    - <<: *CONTAINER_BASE_WORKER
+      name: worker2
+      read_only: true
     - <<: *CONTAINER_BASE_WORKER
+      name: worker3
 
     elb: $ELB_1_NAME
 
@@ -115,6 +129,8 @@ environments:
 
     containers:
     - <<: *CONTAINER_BASE_WORKER
+    - <<: *CONTAINER_BASE_WORKER
+      name: worker2
 
 - name: CIS
 
@@ -142,5 +158,8 @@ environments:
         s3_region: us-west-2
       dst_env_file:
         s3_bucket: porter-sandbox-us-west-2
+    - <<: *CONTAINER_BASE_WORKER
+    - <<: *CONTAINER_BASE_WORKER
+      name: worker2
 
     elb: $ELB_2_NAME