From c8f2193783e20048e944e43c26c96bf96b3b4d13 Mon Sep 17 00:00:00 2001 From: Andriy Knysh Date: Tue, 14 Nov 2017 12:11:01 -0500 Subject: [PATCH] Swap out s3fs with goofys (#88) * Remove `kops` from `configBase` * Update `README` * Install goofys * Use goofys to mount/unmount S3 cluster state bucket * Fix `mount` * Fix `AWS_ASSUMED_ROLE_VERSION` * Add Linux packages * Fix `mount` * Try `mount` in background * Fix `mount`
---
 Dockerfile | 25 ++++++------------
 README.md | 26 +++++++++----------
 rootfs/templates/kops/default.yaml | 2 +-
 .../usr/local/include/toolbox/config/Makefile | 20 ++------------
 4 files changed, 24 insertions(+), 49 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 11ed677c9..ce963beb0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,8 @@ RUN apk update \
 python make bash vim jq figlet \
 openssl openssh-client sshpass iputils drill \
 gcc libffi-dev python-dev musl-dev openssl-dev py-virtualenv \
- git coreutils less groff bash-completion && \
+ git coreutils less groff bash-completion \
+ fuse libc6-compat && \
 mkdir -p /etc/bash_completion.d/ /etc/profile.d/
 RUN echo "net.ipv6.conf.all.disable_ipv6=0" > /etc/sysctl.d/00-ipv6.conf
@@ -91,21 +92,6 @@ RUN curl --fail -sSL -O https://s3.amazonaws.com/aws-cli/awscli-bundle.zip \
 && ln -s /usr/local/aws/bin/aws_bash_completer /etc/bash_completion.d/aws.sh \
 && ln -s /usr/local/aws/bin/aws_completer /usr/local/bin/
-# Install S3FS
-# Overrride URI for AWS Metadata API so we can run outside of AWS using a hardcoded path on the filesystem :)
-ENV S3FS_VERSION 1.80
-RUN apk --update add fuse libxml2 mailcap && \
- apk --virtual .build-deps add alpine-sdk automake autoconf libxml2-dev fuse-dev curl-dev && \
- git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \
- cd s3fs-fuse && \
- git checkout tags/v${S3FS_VERSION} && \
- ./autogen.sh && \
- ./configure --prefix=/usr && \
- sed -i -E 's!http://169.254.169.254.*?/!file:///mnt/local/aws/cli/cache/!g' src/curl.cpp && \
- make && \
- make install && \
- apk del .build-deps
-
 # Install Google Cloud SDK
 ENV GCLOUD_SDK_VERSION=179.0.0
 RUN curl --fail -sSL -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_SDK_VERSION}-linux-x86_64.tar.gz && \
@@ -139,9 +125,14 @@ RUN curl --fail -sSL -o /usr/local/bin/gomplate https://github.com/hairyhenderso
 # Install AWS Assumed Role
 ENV AWS_ASSUMED_ROLE_VERSION 0.1.0
-RUN curl --fail -sSL -o /etc/profile.d/aws-assume-role.sh https://raw.githubusercontent.com/cloudposse/aws-assumed-role/0.1.0/profile \
+RUN curl --fail -sSL -o /etc/profile.d/aws-assume-role.sh https://raw.githubusercontent.com/cloudposse/aws-assumed-role/${AWS_ASSUMED_ROLE_VERSION}/profile \
 && chmod +x /etc/profile.d/aws-assume-role.sh
+# Install goofys
+ENV GOOFYS_VERSION 0.0.18
+RUN curl --fail -sSL -o /usr/local/bin/goofys https://github.com/kahing/goofys/releases/download/v${GOOFYS_VERSION}/goofys \
+ && chmod +x /usr/local/bin/goofys
+
 ENV BANNER "geodesic"
 # Where to store state
diff --git a/README.md b/README.md
index 6e1783d4f..96b9a00d3 100644
--- a/README.md
+++ b/README.md
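Review bot: The goofys binary in the second hunk on this line is fetched from GitHub releases and made executable with no integrity check, so a replaced or tampered release asset would be installed silently as `/usr/local/bin/goofys`; pinning `GOOFYS_VERSION` fixes which asset is requested, not what is received. Recording the expected digest in the Dockerfile closes that gap, e.g. `&& echo "<GOOFYS_SHA256_PLACEHOLDER>  /usr/local/bin/goofys" | sha256sum -c -` inserted before the `chmod +x`. The same applies to `/etc/profile.d/aws-assume-role.sh` just above it, which is fetched from raw.githubusercontent.com and then sourced by every login shell in the image, so it deserves the check even more. The awscli, gcloud and gomplate downloads visible in the hunk headers follow the same unverified pattern, so this is a file-wide habit rather than something this commit introduced, but the two new downloads are the place to start.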
@@ -10,15 +10,15 @@ It provides a fully customizable framework for defining and building world-class
 Geodesic is composed of two parts:
 1. It is an interactive command-line shell. The shell includes the *ultimate* mashup of cloud orchestration tools. Those tools are then integrated to work in concert with each other using a consistent framework. Installation of the shell is as easy as running a docker container.
-2. It is a distribution of essential services. The distribution includes a collection of Helm charts for CI/CD, VPN, SSH Bastion, Automatic DNS, Automatic TLS, Automatic Monitoring, Account Management, Log Collection, Load Balancing/Routing, Image Serving, and much more. What makes these charts even more valuable is that they were designed from the ground up work well with each other and integrate with external services for authentication (SSO/OAuth2, MFA).
+2. It is a distribution of essential services. The distribution includes a collection of Helm charts for CI/CD, VPN, SSH Bastion, Automatic DNS, Automatic TLS, Automatic Monitoring, Account Management, Log Collection, Load Balancing/Routing, Image Serving, and much more. What makes these charts even more valuable is that they were designed from the ground up to work well with each other and integrate with external services for authentication (SSO/OAuth2, MFA).
-An organization may chose to leverage all of these components, or just the parts the make their life easier.
+An organization may chose to leverage all of these components, or just the parts that make their life easier.
## Features
-* **Secure** - TLS/PKI, OAuth2, MFA Everywhere, remote access VPN, [ultra secure bastion/jumphost](https://github.com/cloudposse/bastion) with audit capabilities and slack notifications, [IAM assumed roles](https://github.com/cloudposse/aws-assume-role/), automatic key rotation, encryption at rest, and VPCs;
-* **Repeatable** - 100% Infrastructure-as-Code with change automation and support for scriptable admin tasks in any language, including terraform;
-* **Extensible** - A framework where everything can be be extended to work the way you want to to;
-* **Comprehensive** - our [helm charts library](https://github.com/cloudposse/charts) are designed to tightly integrate your cloud-platform with Github Teams and Slack Notifications and CI/CD systems like TravisCI, CircleCI or Jenkins;
+* **Secure** - TLS/PKI, OAuth2, MFA Everywhere, remote access VPN, [ultra secure bastion/jumphost](https://github.com/cloudposse/bastion) with audit capabilities and slack notifications, [IAM assumed roles](https://github.com/cloudposse/aws-assume-role/), automatic key rotation, encryption at rest, and VPCs
+* **Repeatable** - 100% Infrastructure-as-Code with change automation and support for scriptable admin tasks in any language, including Terraform
+* **Extensible** - A framework where everything can be extended to work the way you want to
+* **Comprehensive** - our [helm charts library](https://github.com/cloudposse/charts) are designed to tightly integrate your cloud-platform with Github Teams and Slack Notifications and CI/CD systems like TravisCI, CircleCI or Jenkins
 * **OpenSource** - Permissive [APACHE 2.0](LICENSE) license means no lock-in and no on-going license fees
@@ -26,16 +26,16 @@ An organization may chose to leverage all of these components, or just the parts
 At its core, Geodesic is a framework for provisioning cloud infrastructure and the applications that sit on top of it. We leverage as many existing tools as possible to facilitate cloud fabrication and administration. We're like the connective tissue that sits between all of the components of a modern cloud.
-* [`kops`](https://github.com/kubernetes/kops/) for kubernetes cluster orchestration
+* [`kops`](https://github.com/kubernetes/kops/) for Kubernetes cluster orchestration
 * [`aws-cli`](https://github.com/aws/aws-cli/) for interacting directly with the AWS APIs
-* [`helm`](https://github.com/kubernetes/helm/) for installing packages like varnish or apache on the kubernetes cluster
+* [`helm`](https://github.com/kubernetes/helm/) for installing packages like Varnish or Apache on the Kubernetes cluster
 * [`terraform`](https://github.com/hashicorp/terraform/) for provisioning miscellaneous resources on pretty much any cloud
 * [`packer`](https://github.com/hashicorp/packer/) for creating identical machine images for multiple platforms
 * [`kubectl`](https://kubernetes.io/docs/user-guide/kubectl-overview/) for controlling kubernetes resources like deployments or load balancers
-* [`ansible`](http://docs.ansible.com/ansible/latest/index.html) Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks.
-* [`s3fs`](https://github.com/s3fs-fuse/s3fs-fuse) for mounting encrypted S3 buckets that store cluster configurations and secrets
+* [`ansible`](http://docs.ansible.com/ansible/latest/index.html) Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks
 * [`gcloud`, `gsutil`](https://cloud.google.com/sdk/) for integration with Google Cloud (e.g. 
GKE, GCE, Google Storage)
-* [`gomplate`](https://github.com/hairyhenderson/gomplate/) for template rendering configuraton files using the GoLang template engine. Supports lots of local and remote datasources.
+* [`gomplate`](https://github.com/hairyhenderson/gomplate/) for template rendering configuration files using the GoLang template engine. Supports lots of local and remote datasources
+* [`goofys`](https://github.com/kahing/goofys/) a high-performance Amazon S3 file system for mounting encrypted S3 buckets that store cluster configurations and secrets
 ## Demo
@@ -57,7 +57,7 @@ Docker can be easily installed by following the instructions for your OS:
 2. Create a new project
- This will create a new project in your current working directory, complete with a `Dockerfile`, `Makefile` file.
+ This will create a new project in your current working directory, complete with `Dockerfile` and `Makefile`.
 ```
 docker run -e CLUSTER \
@@ -90,7 +90,7 @@ Docker can be easily installed by following the instructions for your OS:
 ## Creating a Kops Cluster
-Create your `kops` cluster from a manifest. The manifest template is located in `/templates/kops/default.yaml` and is compiled by running `build-kops-manifest`
+Create your `kops` cluster from a manifest. The manifest template is located in `/templates/kops/default.yaml` and is compiled by running `build-kops-manifest`.
 After building the manifest, create the cluster by running and following the resultant instructions.
 ```
diff --git a/rootfs/templates/kops/default.yaml b/rootfs/templates/kops/default.yaml
index 2c1c2c669..158bb234c 100644
--- a/rootfs/templates/kops/default.yaml
+++ b/rootfs/templates/kops/default.yaml
@@ -12,7 +12,7 @@ spec:
 cloudLabels:
 Cluster: {{getenv "CLUSTER"}}
 cloudProvider: aws
- configBase: {{getenv "KOPS_STATE_STORE" }}/{{getenv "CLUSTER"}}/kops
+ configBase: {{getenv "KOPS_STATE_STORE" }}/{{getenv "CLUSTER"}}
 {{if getenv "KOPS_DNS_ZONE" }}
 dnsZone: {{getenv "KOPS_DNS_ZONE"}}
 {{else}}
diff --git a/rootfs/usr/local/include/toolbox/config/Makefile b/rootfs/usr/local/include/toolbox/config/Makefile
index b06827d8a..6e73827f8 100644
--- a/rootfs/usr/local/include/toolbox/config/Makefile
+++ b/rootfs/usr/local/include/toolbox/config/Makefile
@@ -1,8 +1,6 @@
 include helpers
 include all
-S3FS_OPTIONS ?= nosuid,nonempty,nodev,allow_other,default_acl=private,retries=5,use_sse,use_cache=/dev/shm
-
 ## Initialize environment
 init: init-git
 @mkdir -p $(dir $(TF_STATE_FILE))
@@ -27,7 +25,6 @@ init-git:
 git -C ${LOCAL_STATE} add .; \
 fi
-
 ## Reset local state
 reset: require-cluster-mounted
 @rm -rf $(REMOTE_STATE)/* $(REMOTE_STATE)/.bootstrapped
@@ -71,21 +68,9 @@ destroy-bucket: validate
 --force
 ## Mount remote cluster state bucket
-mount: validate
+mount: validate
 @mkdir -p $(REMOTE_MOUNT_POINT)
-ifeq ($(AWS_IAM_ROLE_ARN),)
-# Support standard AWS credentials
- @echo "$(AWS_ACCESS_KEY_ID):$(AWS_SECRET_ACCESS_KEY)" > /dev/shm/passwd-s3fs
- @chmod 600 /dev/shm/passwd-s3fs
- @/usr/bin/s3fs $(CLUSTER_STATE_BUCKET) $(REMOTE_MOUNT_POINT) \
- -o passwd_file=/dev/shm/passwd-s3fs,$(S3FS_OPTIONS)
-else
-# Support Assumed Roles / STS Tokens
- @/usr/bin/s3fs $(CLUSTER_STATE_BUCKET) $(REMOTE_MOUNT_POINT) \
- -o iam_role=$(AWS_DEFAULT_PROFILE),$(S3FS_OPTIONS)
-endif
- @sleep 1
- @grep -q s3fs /etc/mtab || (echo "Failed to mount $(CLUSTER_STATE_BUCKET)"; rmdir $(REMOTE_MOUNT_POINT); exit 1)
+ @(nohup goofys -f --file-mode=0600 --region ${CLUSTER_STATE_BUCKET_REGION} --sse $(CLUSTER_STATE_BUCKET) ${REMOTE_MOUNT_POINT}) 2>&1 >>/var/log/goofys.log 2>&1 &
 @echo "Mounted $(CLUSTER_STATE_BUCKET) to $(REMOTE_MOUNT_POINT)"
 @mkdir -p $(REMOTE_STATE)
 @mkdir -p $(dir $(KUBECONFIG))
@@ -99,7 +84,6 @@ unmount:
 @mountpoint -q $(REMOTE_MOUNT_POINT) || (echo "Nothing mounted to mount point"; exit 1)
 /bin/umount $(REMOTE_MOUNT_POINT)
 @rmdir $(REMOTE_MOUNT_POINT)
- @rm -f /dev/shm/passwd-s3fs
 @echo "Unmounted $(CLUSTER_STATE_BUCKET)"
 ## Show what configurations have been modified
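Review bot: In the `mount` hunk (`@@ -71,21 +68,9 @@`) the rewritten recipe backgrounds goofys and then prints "Mounted ..." unconditionally, so the verification the removed `@grep -q s3fs /etc/mtab || (...; exit 1)` line provided is gone: a failed mount (bad credentials, wrong `CLUSTER_STATE_BUCKET_REGION`, missing bucket) only shows up in `/var/log/goofys.log`, while the following `@mkdir -p $(REMOTE_STATE)` and everything downstream write cluster state and secrets into the plain local directory under `$(REMOTE_MOUNT_POINT)` instead of the SSE-encrypted bucket. After the `nohup` line I would wait for the mount and fail loudly, using the same `mountpoint` check the `unmount` target already relies on: `@for i in 1 2 3 4 5 6 7 8 9 10; do mountpoint -q $(REMOTE_MOUNT_POINT) && break; sleep 1; done` followed by `@mountpoint -q $(REMOTE_MOUNT_POINT) || (echo "Failed to mount $(CLUSTER_STATE_BUCKET), see /var/log/goofys.log"; rmdir $(REMOTE_MOUNT_POINT); exit 1)`. As far as I recall goofys run without `-f` daemonizes itself and only returns once the mount is established, which would give the recipe a real exit status without the polling, but that is worth confirming against the 0.0.18 release pinned in the Dockerfile. Minor: in `2>&1 >>/var/log/goofys.log 2>&1` the first `2>&1` is redundant, the new `mount: validate` header carries a trailing space, and the goofys line mixes `${...}` with the `$(...)` style used on the neighbouring lines.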