docker_registry.go
81 lines1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package platform
import (
"fmt"
"log"
"strings"
)
// ConfigureRegistry writes /etc/docker/daemon.json on the server
// to allow pulling from an insecure (HTTP) private registry.
// Only restarts Docker if the config actually changed.
func (s *Server) ConfigureRegistry(addr string) {
log.Printf(" Configuring insecure registry %s on %s...", addr, s.Name)
daemonJSON := fmt.Sprintf(`{"insecure-registries":["%s"]}`, addr)
if existing, _ := s.SSH("cat", "/etc/docker/daemon.json"); strings.TrimSpace(existing) == daemonJSON {
log.Printf(" Insecure registry already configured on %s", s.Name)
return
}
s.Write("/etc/docker/daemon.json", []byte(daemonJSON), false)
script := `systemctl restart docker; for i in $(seq 1 30); do docker info >/dev/null 2>&1 && break; sleep 1; done`
if _, err := s.SSH("bash", "-c", script); err != nil {
log.Printf(" Warning: failed to configure insecure registry on %s: %v", s.Name, err)
}
}
// WaitForRegistry waits for a Docker registry to be reachable from this server.
func (s *Server) WaitForRegistry(host string) {
script := fmt.Sprintf(`
for i in $(seq 1 30); do
curl -sf http://%s/v2/ >/dev/null 2>&1 && exit 0
sleep 2
done
echo "Registry not ready after 60s"
exit 1
`, host)
if _, err := s.SSH("bash", "-c", script); err != nil {
log.Printf(" Warning: registry may not be ready: %v", err)
}
}
// SyncSecrets copies /etc/secrets/* from one server to each target server.
// Public keys and SSH keys are set to 644 so non-root container users can read them.
func SyncSecrets(from *Server, to []*Server) {
listing, err := from.SSH("ls", "/etc/secrets/")
if err != nil {
log.Printf(" Warning: could not list secrets on manager: %v", err)
return
}
files := strings.Fields(strings.TrimSpace(listing))
if len(files) == 0 {
return
}
for _, worker := range to {
log.Printf(" Syncing secrets to %s...", worker.Name)
worker.SSH("mkdir", "-p", "/etc/secrets")
for _, filename := range files {
// Use base64 to safely transfer binary/multi-line files (e.g. SSH keys)
b64, err := from.SSH("base64", "-w0", "/etc/secrets/"+filename)
if err != nil {
log.Printf(" Warning: could not read %s from manager: %v", filename, err)
continue
}
b64 = strings.TrimSpace(b64)
if b64 == "" {
continue
}
// SSH keys and public keys need 644 for non-root container access
mode := "600"
if strings.HasSuffix(filename, ".pub") || strings.HasSuffix(filename, "_public_key.pem") || filename == "ssh_key" {
mode = "644"
}
script := fmt.Sprintf("echo %s | base64 -d > /etc/secrets/%s && chmod %s /etc/secrets/%s",
shellEscape(b64), shellEscape(filename), mode, shellEscape(filename))
worker.SSH("bash", "-c", script)
}
}
}