Conversation
8322070 to
977fcc8
Compare
9ab7953 to
97dec15
Compare
|
Ok, I think this is ready for design review, and code is in a pretty good state. ping @aaronlehmann |
efcd344 to
9b02932
Compare
|
Sorry for the delay. +1 for pb encoding. In the "original" design, that was the intention we just left it out of the Generic Runtime PR as we didn't have anything to use yet. |
Yes, I think protobuf would be better. |
api/types/swarm/task.go
Outdated
There was a problem hiding this comment.
I'd suggest putting this next to ContainerSpec in the struct definition and adding a comment that they are mutually exclusive. We should probably change ContainerSpec to be a pointer (and make sure no code assumes it exists).
There was a problem hiding this comment.
Looks like tag+digest is already supported. What else needs to be done?
There was a problem hiding this comment.
Should we pin this before sending off to swarm?
There was a problem hiding this comment.
Pinning happens on the CLI side starting with API 1.30.
There was a problem hiding this comment.
Ok makes sense to do that there.
There was a problem hiding this comment.
It should be possible to pass a reference with both a tag and a digest to the pull code. This wasn't working properly earlier, but it was fixed recently.
Not sure if there are any plugin-specific issues with doing this, but ideally there shouldn't be.
There was a problem hiding this comment.
So you are saying to drop the TrimNamed bit?
There was a problem hiding this comment.
Is 500 ms enough? I like to be very conservative with timeouts in test so that loaded machines don't cause spurious failures.
daemon/cluster/convert/service.go
Outdated
There was a problem hiding this comment.
I guess we'll change this to gRPC anyway, but the error needs to be checked.
daemon/cluster/services.go
Outdated
There was a problem hiding this comment.
Wondering if we should do this in the CLI instead of the API. No strong preference though.
There was a problem hiding this comment.
I would prefer the CLI, but I didn't want to make a breaking change to the API here.
There was a problem hiding this comment.
I don't think this sleep is necessary. I don't recall any other tests that create services doing this.
There was a problem hiding this comment.
Oh I copied this from the test above it. I can remove.
There was a problem hiding this comment.
I'm hoping we can avoid adding new dependencies on Docker Hub in tests; see #30626
There was a problem hiding this comment.
Yeah, I keep putting this off... I'll work on something for this.
There was a problem hiding this comment.
Ok, added a plugin builder + some registry integration. Check it out in integration-cli/fixtures/plugin.
plugin/events.go
Outdated
There was a problem hiding this comment.
I remember this truncated comment from swarmkit :)
This commit extends SwarmKit secret management with pluggable secret backends support, using the current cluster configuration to understand if secrets are being stored locally, or need to be retrieved from a remote secret store. The solution will use the existing docker plugin framework. The approach is to add a new `driver` parameter to existing secrets, which defines whether the values are loaded from SwarmKit or from one of the secret plugins. The loading of secrets is done using the standard docker plugin infrastructure, which is already accessible in swarmkit and used in other flows (e.g., networking) Remarks: * I've added support to mock the plugin subsystem in controlapi server, I preferred this approach over loading the full plugin subsystem. Work still needed in this CR: - [ ] More unit tests (pending initial iteration) - [ ] Customized error handling Work still needed to complete this feature: - [ ] Inject secrets as part of plugin initialization - [ ] CLI support in docker References: moby/moby#33575 Signed-off-by: liron <liron@twistlock.com>
This commit extends SwarmKit secret management with pluggable secret backends support. The solution uses the existing docker plugin framework for loading plugins and the existing SwarmKit data backend for storing them. The approach is to add a new `driver` parameter to existing secrets, which defines whether the values are taken as is or fetched from one of the secret plugins. The loading of secrets is done using the standard docker plugin infrastructure, which is already accessible in SwarmKit and used in other flows (e.g., networking). The fetched values are are stored as regular SwarmKit secrets. Remarks: * I've added support for mocking the plugin subsystem when settings up the controlapi server. I preferred this approach over loading the full plugin subsystem in UT. Work still needed in this CR: - [ ] More unit tests (pending initial iteration) - [ ] Customized error handling (e.g., customize error string for Not Found) Work still needed to complete this feature: - [ ] Inject secrets as part of plugin initialization - [ ] CLI support in docker - [ ] Docs - [ ] Support scheduling plugins in swarm moby/moby#33575 Signed-off-by: liron <liron@twistlock.com>
This commit extends SwarmKit secret management with pluggable secret backends support. The solution uses the existing docker plugin framework for loading plugins and the existing SwarmKit data backend for storing them. The approach is to add a new `driver` parameter to existing secrets, which defines whether the values are taken as is or fetched from one of the secret plugins. The loading of secrets is done using the standard docker plugin infrastructure, which is already accessible in SwarmKit and used in other flows (e.g., networking). The fetched values are are stored as regular SwarmKit secrets. Remarks: * I've added support for mocking the plugin subsystem when settings up the controlapi server. I preferred this approach over loading the full plugin subsystem in UT. Work still needed in this CR: - [ ] More unit tests (pending initial iteration) - [ ] Customized error handling (e.g., customize error string for Not Found) Work still needed to complete this feature: - [ ] Inject secrets as part of plugin initialization - [ ] CLI support in docker - [ ] Docs - [ ] Support scheduling plugins in swarm moby/moby#33575 Signed-off-by: liron <liron@twistlock.com>
This commit extends SwarmKit secret management with pluggable secret backends support. The solution uses the existing docker plugin framework for loading plugins and the existing SwarmKit data backend for storing them. The approach is to add a new `driver` parameter to existing secrets, which defines whether the values are taken as is or fetched from one of the secret plugins. The loading of secrets is done using the standard docker plugin infrastructure, which is already accessible in SwarmKit and used in other flows (e.g., networking). The fetched values are are stored as regular SwarmKit secrets. Remarks: * I've added support for mocking the plugin subsystem when settings up the controlapi server. I preferred this approach over loading the full plugin subsystem in UT. Work still needed in this CR: - [ ] More unit tests (pending initial iteration) - [ ] Customized error handling (e.g., customize error string for Not Found) Work still needed to complete this feature: - [ ] Inject secrets as part of plugin initialization - [ ] CLI support in docker - [ ] Docs - [ ] Support scheduling plugins in swarm moby/moby#33575 Signed-off-by: liron <liron@twistlock.com>
|
This is updated and addresses all comments. |
|
LGTM |
|
@cpuguy83 needs a minor rebase |
client/service_create.go
Outdated
There was a problem hiding this comment.
Minor: the client probably shouldn't allow both ContainerSpec and PluginSpec to be specified.
client/service_update.go
Outdated
There was a problem hiding this comment.
Minor: PluginSpec and ContainerSpec should be mutually exclusive.
There was a problem hiding this comment.
Can you clarify what you want to see changed? Just a client-side check for not mixing spec types?
There was a problem hiding this comment.
Yeah, right now imgPlatforms will be overridden by PluginSpec if both specs exist. I think it would be better to return an error if both exist.
There was a problem hiding this comment.
Seems like this goroutine could be avoided by using a context with a timeout, but perhaps part of the point of the unit test is to make sure that Wait doesn't get stuck, so maybe this external timeout makes sense.
There was a problem hiding this comment.
Well, we need Wait to be called before enable. Since Wait is blocking and we need to check the error a context isn't really enough here.
daemon/cluster/convert/service.go
Outdated
|
Only had minor comments on the last pass. LGTM after the rebase. |
Enables other subsystems to watch actions for a plugin(s). This will be used specifically for implementing plugins on swarm where a swarm controller needs to watch the state of a plugin. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
|
Rebased, fixed imports, added client side validation for service spec to create/update. |
|
All tests passed after windowsRS1 rerun. Merging. |
|
💥 thanks @cpuguy83 for putting this together! |
|
Just step 1, still need:
|
|
@cpuguy83 do we have |
| } | ||
| if len(imgPlatforms) > 0 { | ||
| service.TaskTemplate.Placement.Platforms = imgPlatforms | ||
| } |
There was a problem hiding this comment.
This (and the other changes to this file) seem like the wrong place to handle these concerns. Every other function in this package is only concerned with translating a golang struct into an HTTP request, performing the request, and translating the response into a goland struct.
With this change we've introduced a bunch of application logic and validation that does not belong here.
I think this needs to be extracted to some other package.
There was a problem hiding this comment.
This is all pre-existing, just re-organized.
There was a problem hiding this comment.
Ah, my mistake, looks like it was first introduced and modified in a few PRs starting around #33239
| } | ||
|
|
||
| if err := validateServiceSpec(service); err != nil { | ||
| return types.ServiceCreateResponse{}, err |
Support deploying plugins via swarm services
Modifies the services API to support deploying plugins (previously only
supported containers).
This makes use of some of the existing work around generic service
runtimes.
With this change you can
curl -X POST myDocker:2375/services/createwith aPluginSpecdefined in theTaskTemplate.The plugin defined by in the
PluginSpecwill be deployed similar to a"global mode" service.
Work still needed:
The format of the plugin request that is sent to swarm is currently just a json encoded object specified in
api/types/swarm... wondering if it would be better to change this to protobuf.Ping @ehazlett @tiborvass
What this does not tackle: