Docker Compose Wrapper (a poor man's PAAS management tool)

Docker Compose Wrapper

Docker Compose Wrapper is a poor man's PAAS management tool. The script wraps the docker-compose command and lets you expose commands that can be executed on the Docker host.

The common use case is to run this tool as an SSH command configured through the ~/.ssh/authorized_keys file; see below.

SECURITY CONSIDERATIONS

If you are using Docker Compose Wrapper you are trusting your users. This wrapper doesn't provide any security layer: the aim is just to expose some commands to users in order to permit them to easily deploy and manage well-defined containers or actions.

Configuration

The wrapper can be easily configured through some variables defined in the script:

  • dc_confd: the directory containing all the docker-compose YAML files
  • command_label_root: the root label namespace for commands
  • dc_denied_commands: all the docker-compose commands matching this regex will be denied
  • slack_webook: the SLACK incoming webhook for the notification bot, if not configured the SLACK notifications are disabled
  • slack_channel: the SLACK notification channel
  • slack_botemoji: the SLACK bot emoji
  • slack_botname: the SLACK bot name
  • slack_message_prefix: the SLACK message prefix
  • hipchat_webhook: The HipChat incoming webhook for the notification bot, if not configured the HipChat notifications are disabled
  • hipchat_message_prefix: the HipChat message prefix

Pool definition

To define a pool, create a docker-compose YAML file in the dc_confd directory. The file name defines the pool name (e.g. nginx.yaml defines the nginx pool). If you want to expose commands for execution, define a label under the command_label_root namespace.

The following example defines a pool containing a single container (named nginx1) that exposes the shell command. Running the shell command through the wrapper executes docker exec -it nginx1 /bin/bash:

version: '2'
services:
    nginx1:
        image: nginx
        labels:
            management.command.shell: "docker exec -it nginx1 /bin/bash"
        container_name: nginx1
        stdin_open: true
        tty: true

SSH Usage

The common usage scenario is to run this wrapper as an SSH command wrapper by adding the command parameter to the authorized_keys entry:

command="/opt/bin/dcw",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1 [..] == pietro@hank
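
With a forced command like the one above, sshd places the command line the client asked for in SSH_ORIGINAL_COMMAND. The following is an added example, not dcw's own code: it shows one way a wrapper of this kind can validate a `<pool|command> <args>` request before it builds a file path under dc_confd or looks up a label. The sample directory, the deny regex value and the function names valid_name and dcw_check are assumptions.

```sh
#!/bin/sh
# Added example, not dcw's own code. Variable names follow the README;
# the values are constructed samples.
dc_confd="/srv/dcw/conf.d"
command_label_root="management.command"
dc_denied_commands='^(down|rm|kill|exec|run)$'

# valid_name NAME: succeed only for a plain word that is safe to use as a
# file-name component or as a single docker/docker-compose argument.
valid_name() {
    case "$1" in
        # empty, option-like, leading dot (covers ".."), or any other character (incl. "/")
        ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# dcw_check "COMMAND LINE": print the resolved request and return 0,
# or print a reason on stderr and return 1.
dcw_check() {
    set -f; set -- $1; set +f        # split on whitespace: no eval, no globbing
    action="${1:-}"; target="${2:-}"; sub="${3:-}"
    if ! valid_name "$target" || ! valid_name "$sub"; then
        echo "DENY: invalid pool, container or command name" >&2; return 1
    fi
    shift 2
    case "$action" in
        pool)
            # $sub is a plain word, so the deny regex is tested against the
            # actual docker-compose command rather than a leading option.
            if printf '%s\n' "$sub" | grep -Eq -- "$dc_denied_commands"; then
                echo "DENY: docker-compose command '$sub' is not allowed" >&2; return 1
            fi
            printf '%s\n' "pool ${dc_confd}/${target}.yaml $*" ;;
        command)
            printf '%s\n' "command ${target} ${command_label_root}.${sub}" ;;
        *)
            echo "DENY: unknown action" >&2; return 1 ;;
    esac
}

# Stand-alone use as a forced command: sshd puts the client's request here.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dcw_check "$SSH_ORIGINAL_COMMAND"
fi
```

The function only validates and resolves the request; the caller still has to pass the remaining arguments to docker-compose as separate words rather than through eval.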

Usage

Usage:

./dcw <pool|command> <args>

Examples:

./dcw pool ldap ps

    Run docker-compose ps on the ldap service pool

./dcw pool ldap start ldap1

    Start the service ldap1 from the ldap pool

./dcw command ldap1 shell

    Execute the command defined in the label 'management.command.shell' of the ldap1 container

./dcw command ldap1 help

    List all the commands available in the container ldap1

Actions

The action can be pool or command.

Pool

The pool action requires the pool name. It is a simple docker-compose wrapper that uses the pool's YAML configuration file, so you can execute all the available docker-compose commands. The dc_confd variable must point to the directory containing all the docker-compose YAML files.

Example:

The following command prints the YAML docker-compose configuration file for the ldap pool (executes docker-compose -f ${dc_confd}/.yaml):

./dcw pool ldap config

The following command starts all the containers of the ldap pool:

./dcw pool ldap up -d

Command

The command action executes a command defined in a container label. The label name must be in the action_label_root namespace:

Container ldap1 label management.command.shell

$ docker inspect -f '{{ index .Config.Labels "management.command.shell" }}' ldap1
docker exec -it ldap1 /bin/bash 

Executing the shell command on the ldap1 container:

./dcw command ldap1 shell
INFO: executing command from label *management.command.shell* into container *ldap1*
root@72b78ab8b5d1:/#