Turns out shell-quote's parse function also replaces environment variables, which we don't want in this case. So we escape dollar signs
before calling shell-quote's parse function.
Also shell-quote takes some characters like `>` and globs and returns an object - so we return those objects to string form.
This should still be simpler/better than writing our own shlex.split, I hope...
Change-Type: patch
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Use the correct defaults for the delta config variables that have them
* Only mount /lib/firmware and /lib/modules if they exist on the host
* hardcode-migrations.js: Nicer line separation
* APIBinder: switch to using a header for authentication, and keep credentials saved in the API clients
* Fix hrtime measurements in milliseconds
* Do not use classes for routers
* compose: properly initialize networkMode to the first entry in networks if there is one
* Fix some details regarding defaults in validation and service
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Plus a few bugfixes.
* Add support for cgroup_parent
* Add support for specifying a single value in tmpfs
* Fix support for extra_hosts
* Add support for group_add
* Add support for pid mode (only host and empty value are supported for now)
* Add support for pids_limit
* Add support for security_opt
* Add support for storage_opt
* Add support for userns_mode
* Add support for ipc (except for another container's)
* Add support for mac_address
* Add support for oom_kill_disable
* Add support for 'user' compose option
* Add support for working_dir and fix support for user when image specifies it
* Add support for bind-mounting the balena socket using a label
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Get imageId when normalising a dep. app from the DB
* Fix the appId in migrations when updating the supervisor
* Use the update lock to update a service's metadata
* Restart clears volatile target state
* Fix function definition for updateMetadata
* Improve backwards compatibility of /v1/apps/:appId endpoint
* Fix multicontainer deltas to work with resumable-request 2.0
* Fix dependent target normalisation logic
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Switch default dependent device type to generic
* Reduce noise in logs
* Limit to 3 simultaneous delta downloads
* Better check for deltaSource
* When checking volume dependencies, do not compare regular (non-named) volumes
* Store imageId for dependent apps, and don't report dependent images with invalid imageIds
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Ensure commit is only reported when update has finished
* Change default delay between actions to 100ms
* Fix envArrayToObject for cases where the env var has an equal sign
* Use shell-quote to properly parse string command and entrypoint
* Fix preloading with a legacy apps.json
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Fix deleting unneeded image tags
* Fix inspectByName to work with tags besides digests when the image isn't really tagged
* Tag deltas that should have tags, and fix cleanup of dangling images
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This also changes the deviceState object to use promises instead of timeouts to schedule
applying the target state.
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Plus several small bug fixes:
* Allow target states with apps with no release
* Fix lock override and a TypeError in compareServicesForUpdate
* Lowercase service names when doing migrations and legacy preload
* Fix deltas from scratch
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
* Fix validation of 0, fix ulimits, don't compare mem_limit or mem_reservation until OS supports them
* Remove all instances of _.forEach
* ApplicationManager: have separate compareNetworksForUpdate and compareVolumesForUpdate
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Also several bugfixes:
* Fix VPN control, logging in deviceConfig, and action executors in proxyvisor
* Fix bug in calculation of dependencies due to fields still using snake_case
* Fix snake_case in a migration, and remove unused lib/migration.coffee
* In healthcheck, count deviceState as healthy when a fetch is in progress (as in the non-multicontainer supervisor)
* Set always as default restart policy
* Fix healthcheck, stop_grace_period and mem_limit
* Lint and reduce some cyclomatic complexities
* Namespace volumes and networks by appId, switch default network name to 'default', fix dependencies in networks and volumes, fix duplicated kill steps, fix fat arrow on provisioning
* Check that supervisor network is okay every time we're applying target state
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Also add support for several networks per container (but with no configuration yet).
Also some bugfixes and implement healthcheck and not disabling VPN on startup.
Change-Type: major
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Also includes various improvements and bugfixes to services and the migration from legacy /data to volumes.
The switch to migrations involves a dirty hack for webpack to properly resolve the paths to the migrations js files - it uses an expression
that webpack can't resolve, so we hardcode it to a value and use the ContextReplacementPlugin to make that value resolve to the migrations folder.
The downsides to this approach are:
- a change in knex code would break this
- the migration code is added twice to the supervisor image: once in the migrations folder (because knex needs to loop through the directory to find the files),
and once inside app.js (because I can't make webpack treat them as external)
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Two cases could've caused deadlocks:
1) Two services use a volume, and one service depends on the other. The volume config changes, but we can't update the volume because we need to kill
both services, and yet we can't kill the dependent service because its dependency isn't ready either.
2) A service with handover strategy uses a volume. The volume config changes. We can't update the volume because the running service is using it, and we can't
start the handover because it depends on the volume being ready. So we need to kill the service to update the volume config.
(Same for networks as with volumes)
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
Change the way we get the network gateway to set up the supervisor API address.
Added support for cap_add, cap_drop and devices.
Some fixes like missing fat arrows and removing leftover code.
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This module provisions the device and takes care of getting the target state from the API, calling deviceState to apply it.
It also reports the current state of the device back to the API.
An important change is that the initial values of the device configuration (e.g. config.txt) are reported to the API, creating new config
variables if no values exist for a particular key. This will allow better management of config.txt by giving visibility to the initial configuration.
Changelog-Entry: Remove support for keeping the provisioning apiKey on Resin OS 1.X. Report initial values from config.txt and other device configuration variables to the Resin API.
Change-Type: major
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This will be quickly replaced by a newer version with a different API, but for now we needed to maintain backwards compatibility (see #508).
This proxyvisor handles dependent apps and devices with a multicontainer parent app.
It also switches to the new update mechanism by inferring and applying updates step by step.
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This commit adds models to manage services, images, volumes and networks.
The main model for this is ServiceManager, which manages the collection of services on the device. It has functions to query what services are running, and to perform actions like starting, killing or performing handovers.
The Service model allows defining the transformations between a container and its service representation, and includes the functions to compare a running service with a target to determine if an update needs to happen.
This model includes the relevant compose file entries for a service that are supported. Bind mounts are disallowed except for the ones that relate to supervisor features, and persistent data is now stored in named volumes.
The Images model allows fetching and removing images, and includes functionality to determine images that have to be cleaned up - now only dangling and old supervisor images are cleaned up automatically, and ApplicationManager
will remove images that correspond to old services that are no longer needed.
The Networks and Volumes models allow managing named networks and volumes that are part of composed applications.
Changelog-Entry: Remove all bind mounts that were specific to 1.X devices. Move the resin-kill-me file for the handover strategy to /tmp/resin. Add environment variables for the location of resin-kill-me and the lockfile. Use running containers to determine what services are running instead of storing them in the internal database. Use named volumes for persistent data.
Change-Type: major
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This commit implements what we used to have in docker-utils.coffee now making use of coffeescript classes.
We remove the cleanup function as this is now handled directly by the ApplicationManager.
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This update lock library allows an application to take a lockfile in several locations (subdirectories inside a base folder). The user of this library must be able
to exclusively create a lockfile in each of the corresponding locations, and if any of the files exist, the locking fails.
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
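An added example (not the supervisor's own code) of the all-or-nothing locking described in the commit message above: each lockfile is created exclusively, and a single existing file fails the whole attempt. The names lockAll, demo and update.lock are assumptions made for this illustration.

```javascript
// Added illustration; not the supervisor's update-lock code.
const fs = require('fs');
const os = require('os');
const path = require('path');

const LOCK_NAME = 'update.lock'; // hypothetical file name

// Take a lock in every listed subdirectory of baseDir, all-or-nothing.
// The 'wx' flag maps to O_CREAT|O_EXCL: creation fails with EEXIST if the
// file is already there, so there is no check-then-create race window.
function lockAll(baseDir, subdirs) {
  const taken = [];
  try {
    for (const sub of subdirs) {
      const file = path.join(baseDir, sub, LOCK_NAME);
      fs.closeSync(fs.openSync(file, 'wx', 0o600));
      taken.push(file);
    }
  } catch (err) {
    // Roll back only the files this call created, never a pre-existing lock.
    for (const file of taken) fs.unlinkSync(file);
    if (err.code === 'EEXIST') return null; // someone else holds a lock
    throw err;
  }
  // Release function: removes exactly the files created above.
  return () => taken.forEach((file) => fs.unlinkSync(file));
}

// Constructed demo: two service directories, one already locked.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'locks-'));
  for (const s of ['svc-a', 'svc-b']) fs.mkdirSync(path.join(base, s));
  const held = path.join(base, 'svc-b', LOCK_NAME);
  fs.writeFileSync(held, '');

  const first = lockAll(base, ['svc-a', 'svc-b']); // svc-b is held: fails
  const rolledBack = !fs.existsSync(path.join(base, 'svc-a', LOCK_NAME));
  const foreignLockIntact = fs.existsSync(held);

  fs.unlinkSync(held); // the holder releases its lock
  const release = lockAll(base, ['svc-a', 'svc-b']);
  const acquired = typeof release === 'function';
  if (acquired) release();
  const released = !fs.existsSync(held);
  fs.rmSync(base, { recursive: true, force: true });
  return { firstFailed: first === null, rolledBack, foreignLockIntact, acquired, released };
}

console.log(demo());
```

The rollback step matters: without it, a failed attempt would leave a stray lockfile in svc-a and block that location for every later caller.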
This module takes care of inferring and applying the steps to run multicontainer applications. It will have a Proxyvisor to handle dependent apps and
devices. It understands the relationship between services, networks and volumes to infer the steps in the correct order, also taking update strategies into account.
Changelog-Entry: Allow running docker-compose-like multicontainer applications
Change-Type: major
Signed-off-by: Pablo Carranza Velez <pablo@resin.io>