From 9f1bea2657e1830313ebe4d82e0037bc660a7f73 Mon Sep 17 00:00:00 2001 From: Nishant Totla Date: Mon, 22 May 2017 14:06:36 -0700 Subject: [PATCH 1/2] Enable client side digest pinning for stack deploy Signed-off-by: Nishant Totla --- cli/command/stack/deploy.go | 9 +++++++++ cli/command/stack/deploy_bundlefile.go | 2 +- cli/command/stack/deploy_composefile.go | 21 ++++++++++++++++++--- cli/compose/convert/service.go | 6 ++++++ 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/cli/command/stack/deploy.go b/cli/command/stack/deploy.go index d18a43484d..a5edd2bd67 100644 --- a/cli/command/stack/deploy.go +++ b/cli/command/stack/deploy.go @@ -7,6 +7,7 @@ import ( "github.com/docker/cli/cli/command" "github.com/docker/cli/cli/compose/convert" "github.com/docker/docker/api/types/swarm" + "github.com/docker/docker/api/types/versions" "github.com/pkg/errors" "github.com/spf13/cobra" "golang.org/x/net/context" @@ -21,6 +22,7 @@ type deployOptions struct { composefile string namespace string sendRegistryAuth bool + noResolveImage bool prune bool } 
@@ -44,12 +46,19 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command { addRegistryAuthFlag(&opts.sendRegistryAuth, flags) flags.BoolVar(&opts.prune, "prune", false, "Prune services that are no longer referenced") flags.SetAnnotation("prune", "version", []string{"1.27"}) + flags.BoolVar(&opts.noResolveImage, "no-resolve-image", false, "Do not query the registry to resolve image digest and supported platforms") + flags.SetAnnotation("no-resolve-image", "version", []string{"1.30"}) return cmd } func runDeploy(dockerCli command.Cli, opts deployOptions) error { ctx := context.Background() + // image resolution should not happen for clients older than v1.30 + if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") { + opts.noResolveImage = true + } + switch { case opts.bundlefile == "" && opts.composefile == "": return errors.Errorf("Please specify either a bundle file (with --bundle-file) or a Compose file (with --compose-file).") diff --git a/cli/command/stack/deploy_bundlefile.go b/cli/command/stack/deploy_bundlefile.go index 2f2a9aa042..9c3ba25954 100644 --- a/cli/command/stack/deploy_bundlefile.go +++ b/cli/command/stack/deploy_bundlefile.go @@ -87,5 +87,5 @@ func deployBundle(ctx context.Context, dockerCli command.Cli, opts deployOptions if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil { return err } - return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth) + return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.noResolveImage) } diff --git a/cli/command/stack/deploy_composefile.go b/cli/command/stack/deploy_composefile.go index 145da67daa..297594dfee 100644 --- a/cli/command/stack/deploy_composefile.go +++ b/cli/command/stack/deploy_composefile.go 
@@ -92,7 +92,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption if err != nil { return err } - return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth) + return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.noResolveImage) } func getServicesDeclaredNetworks(serviceConfigs []composetypes.ServiceConfig) map[string]struct{} { @@ -283,6 +283,7 @@ func deployServices( services map[string]swarm.ServiceSpec, namespace convert.Namespace, sendAuth bool, + noResolveImage bool, ) error { apiClient := dockerCli.Client() out := dockerCli.Out() @@ -301,9 +302,9 @@ func deployServices( name := namespace.Scope(internalName) encodedAuth := "" + image := serviceSpec.TaskTemplate.ContainerSpec.Image if sendAuth { // Retrieve encoded auth token from the image reference - image := serviceSpec.TaskTemplate.ContainerSpec.Image encodedAuth, err = command.RetrieveAuthTokenFromImage(ctx, dockerCli, image) if err != nil { return err @@ -313,12 +314,20 @@ func deployServices( if service, exists := existingServiceMap[name]; exists { fmt.Fprintf(out, "Updating service %s (id: %s)\n", name, service.ID) + updateOpts := types.ServiceUpdateOptions{EncodedRegistryAuth: encodedAuth} + + if image != service.Spec.Labels["com.docker.stack.image"] { + if !noResolveImage { + updateOpts.QueryRegistry = true + } + } + response, err := apiClient.ServiceUpdate( ctx, service.ID, service.Version, serviceSpec, - types.ServiceUpdateOptions{EncodedRegistryAuth: encodedAuth}, + updateOpts, ) if err != nil { return errors.Wrapf(err, "failed to update service %s", name) 
@@ -331,6 +340,12 @@ func deployServices( fmt.Fprintf(out, "Creating service %s\n", name) createOpts := types.ServiceCreateOptions{EncodedRegistryAuth: encodedAuth} + + // query registry if flag disabling it was not set + if !noResolveImage { + createOpts.QueryRegistry = true + } + if _, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts); err != nil { return errors.Wrapf(err, "failed to create service %s", name) } diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go index 0fef936a22..cf919488f9 100644 --- a/cli/compose/convert/service.go +++ b/cli/compose/convert/service.go @@ -45,6 +45,12 @@ func Services( if err != nil { return nil, errors.Wrapf(err, "service %s", service.Name) } + // add an image label to serviceSpec + if serviceSpec.Labels == nil { + serviceSpec.Labels = make(map[string]string) + } + serviceSpec.Labels["com.docker.stack.image"] = service.Image + result[service.Name] = serviceSpec } From f790e839fc7d669acafa6365ca7a83cbedfe9e2d Mon Sep 17 00:00:00 2001 From: Nishant Totla Date: Fri, 2 Jun 2017 16:21:41 -0700 Subject: [PATCH 2/2] Change --no-resolve-image flag to --resolve-image string flag Signed-off-by: Nishant Totla --- cli/command/stack/deploy.go | 29 ++++++++++++++++++++----- cli/command/stack/deploy_bundlefile.go | 2 +- cli/command/stack/deploy_composefile.go | 12 +++++----- cli/compose/convert/service.go | 15 +++++++------ 4 files changed, 37 insertions(+), 21 deletions(-) diff --git a/cli/command/stack/deploy.go b/cli/command/stack/deploy.go index a5edd2bd67..8e14b70d2f 100644 --- a/cli/command/stack/deploy.go +++ b/cli/command/stack/deploy.go @@ -15,14 +15,17 @@ import ( const ( defaultNetworkDriver = "overlay" + resolveImageAlways = "always" + resolveImageChanged = "changed" + resolveImageNever = "never" ) type deployOptions struct { bundlefile string composefile string namespace string + resolveImage string sendRegistryAuth bool - noResolveImage bool prune bool } 
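Review bot: The create path in `deployServices` still discards the `ServiceCreate` response (`if _, err := apiClient.ServiceCreate(...)`), so now that this hunk sets `createOpts.QueryRegistry = true`, any warning on that response is never shown. As far as I know the API client reports a failed digest lookup as a response warning rather than an error, which would leave the service created on a mutable tag with no output to say that pinning did not happen; please confirm this against the client. I would keep the response, `resp, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts)`, and after the error check print it with `for _, w := range resp.Warnings { fmt.Fprintln(dockerCli.Err(), w) }`. The same call appears unchanged as context in patch 2's hunk `@@ -342,7 +340,7 @@`, and `deployServices` begins outside this hunk.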
@@ -46,17 +49,17 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command { addRegistryAuthFlag(&opts.sendRegistryAuth, flags) flags.BoolVar(&opts.prune, "prune", false, "Prune services that are no longer referenced") flags.SetAnnotation("prune", "version", []string{"1.27"}) - flags.BoolVar(&opts.noResolveImage, "no-resolve-image", false, "Do not query the registry to resolve image digest and supported platforms") - flags.SetAnnotation("no-resolve-image", "version", []string{"1.30"}) + flags.StringVar(&opts.resolveImage, "resolve-image", resolveImageAlways, + `Query the registry to resolve image digest and supported platforms ("`+resolveImageAlways+`"|"`+resolveImageChanged+`"|"`+resolveImageNever+`")`) + flags.SetAnnotation("resolve-image", "version", []string{"1.30"}) return cmd } func runDeploy(dockerCli command.Cli, opts deployOptions) error { ctx := context.Background() - // image resolution should not happen for clients older than v1.30 - if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") { - opts.noResolveImage = true + if err := validateResolveImageFlag(dockerCli, &opts); err != nil { + return err } switch { 
@@ -71,6 +74,20 @@ func runDeploy(dockerCli command.Cli, opts deployOptions) error { } } +// validateResolveImageFlag validates the opts.resolveImage command line option +// and also turns image resolution off if the version is older than 1.30 +func validateResolveImageFlag(dockerCli command.Cli, opts *deployOptions) error { + if opts.resolveImage != resolveImageAlways && opts.resolveImage != resolveImageChanged && opts.resolveImage != resolveImageNever { + return errors.Errorf("Invalid option %s for flag --resolve-image", opts.resolveImage) + } + // client side image resolution should not be done when the supported + // server version is older than 1.30 + if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") { + opts.resolveImage = resolveImageNever + } + return nil +} + // checkDaemonIsSwarmManager does an Info API call to verify that the daemon is // a swarm manager. This is necessary because we must create networks before we // create services, but the API call for creating a network does not return a diff --git a/cli/command/stack/deploy_bundlefile.go b/cli/command/stack/deploy_bundlefile.go index 9c3ba25954..1074210e97 100644 --- a/cli/command/stack/deploy_bundlefile.go +++ b/cli/command/stack/deploy_bundlefile.go @@ -87,5 +87,5 @@ func deployBundle(ctx context.Context, dockerCli command.Cli, opts deployOptions if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil { return err } - return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.noResolveImage) + return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.resolveImage) } diff --git a/cli/command/stack/deploy_composefile.go b/cli/command/stack/deploy_composefile.go index 297594dfee..1a2266af80 100644 --- a/cli/command/stack/deploy_composefile.go +++ b/cli/command/stack/deploy_composefile.go 
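Review bot: In `validateResolveImageFlag` the version check rewrites `opts.resolveImage` to `resolveImageNever` without telling the operator, even when `--resolve-image always` was passed explicitly. Against an API older than 1.30 the stack is then deployed with unpinned tag references and nothing on the terminal says that digest resolution was skipped. I would emit a warning when the requested mode is not already `never`, for example `fmt.Fprintln(dockerCli.Err(), "--resolve-image ignored: requires API version 1.30 or newer")` (the `fmt` import for deploy.go is not visible in this patch). The validation error should also quote the user-supplied value with `%q` instead of `%s`, so that an empty or whitespace-only value is readable in the message.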
@@ -92,7 +92,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption if err != nil { return err } - return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.noResolveImage) + return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.resolveImage) } func getServicesDeclaredNetworks(serviceConfigs []composetypes.ServiceConfig) map[string]struct{} { @@ -283,7 +283,7 @@ func deployServices( services map[string]swarm.ServiceSpec, namespace convert.Namespace, sendAuth bool, - noResolveImage bool, + resolveImage string, ) error { apiClient := dockerCli.Client() out := dockerCli.Out() @@ -316,10 +316,8 @@ func deployServices( updateOpts := types.ServiceUpdateOptions{EncodedRegistryAuth: encodedAuth} - if image != service.Spec.Labels["com.docker.stack.image"] { - if !noResolveImage { - updateOpts.QueryRegistry = true - } + if resolveImage == resolveImageAlways || (resolveImage == resolveImageChanged && image != service.Spec.Labels[convert.LabelImage]) { + updateOpts.QueryRegistry = true } response, err := apiClient.ServiceUpdate( @@ -342,7 +340,7 @@ func deployServices( createOpts := types.ServiceCreateOptions{EncodedRegistryAuth: encodedAuth} // query registry if flag disabling it was not set - if !noResolveImage { + if resolveImage == resolveImageAlways || resolveImage == resolveImageChanged { createOpts.QueryRegistry = true } diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go index cf919488f9..6d78be9c8b 100644 --- a/cli/compose/convert/service.go +++ b/cli/compose/convert/service.go @@ -17,7 +17,11 @@ import ( "github.com/pkg/errors" ) -const defaultNetwork = "default" +const ( + defaultNetwork = "default" + // LabelImage is the label used to store image name provided in the compose file + LabelImage = "com.docker.stack.image" +) // Services from compose-file types to engine API types func Services( 
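Review bot: In the update branch of `deployServices` (hunk `@@ -316,10 +316,8 @@`), when `QueryRegistry` is left false (`changed` with an unchanged image, or `never`), `serviceSpec` is still sent with the plain compose-file image string. If the running service was pinned to a digest by an earlier deploy (inferred, since the stored spec is not visible here), this update would replace the pinned reference with the bare tag and drop the pin. One option is to carry the existing reference over when the label matches: `} else if image == service.Spec.Labels[convert.LabelImage] { serviceSpec.TaskTemplate.ContainerSpec.Image = service.Spec.TaskTemplate.ContainerSpec.Image }`. The function body starts and ends outside the hunk, so please check that nothing later already does this.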
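Review bot: The comment kept above the create-path condition in hunk `@@ -342,7 +340,7 @@`, `// query registry if flag disabling it was not set`, still describes the removed `--no-resolve-image` boolean. I would reword it to `// resolve the image digest on create unless --resolve-image=never`. Once `validateResolveImageFlag` has run, the two-way comparison is equivalent to `if resolveImage != resolveImageNever {`, which reads more directly and cannot drift if another mode is added.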
@@ -45,12 +49,6 @@ func Services( if err != nil { return nil, errors.Wrapf(err, "service %s", service.Name) } - // add an image label to serviceSpec - if serviceSpec.Labels == nil { - serviceSpec.Labels = make(map[string]string) - } - serviceSpec.Labels["com.docker.stack.image"] = service.Image - result[service.Name] = serviceSpec } @@ -163,6 +161,9 @@ func convertService( UpdateConfig: convertUpdateConfig(service.Deploy.UpdateConfig), } + // add an image label to serviceSpec + serviceSpec.Labels[LabelImage] = service.Image + // ServiceSpec.Networks is deprecated and should not have been used by // this package. It is possible to update TaskTemplate.Networks, but it // is not possible to update ServiceSpec.Networks. Unfortunately, we