4 releases

1.0.0-rc.4 Aug 20, 2023
1.0.0-rc.3 Aug 18, 2023
1.0.0-rc.2 Aug 17, 2023

#1529 in Network programming

MIT license

42KB
931 lines

ED Daemon

WIP - Basic load/stop/info functionality in place, more soon!

Ed is a simple docker runtime manager for pushing container images to remote systems. The intention is to provide a simple mechanism to deploy containers which does not rely on maintaining centralised registries.

This is the daemon which runs on the remote system.

The daemon manages the lifecycle of deployed containers using the docker API and docker cli. Access to the daemon is via a REST interface which is secured using mTLS.

Usage

The daemon will execute a docker cli run command such as:

docker run -d -it -p 80:8000 -v /var/data/app:/usr/share/nginx/html --name website nginx

The -d -it flags are required and the --name parameter is set by ed; the remainder of the parameters are set in the ed-daemon configuration file /etc/edd/config.json.

{
    "deployments": [
        {
            "name": "website",
            "args": ["-p", "80:8000", "-v", "/var/data/app:/usr/share/nginx/html"]
        }
    ]
}

The container can then be controlled using:

  • /v1/deployments/website/load
  • /v1/deployments/website/stop
  • /v1/deployments/website/start
  • /v1/deployments/website/restart

The load operation accepts a .tar or .tar.gz upload, and will load the new image, stop any existing website container and then re-tag and start the new container.

The stop and start operations allow control over a running or stopped container. The restart operation will stop and then restart a container. Note that changes to the configuration are not reloaded and require the daemon to be restarted.

The mTLS security requires a server certificate and key, and a CA certificate which is used to sign the client certificates. The default locations are:

  • /etc/edd/server.crt
  • /etc/edd/server.key
  • /etc/edd/ca.crt

Example

In this example an alpine/lighttpd container image is generated containing the files for a static website, and the created image is pushed to the remote endpoint.

Dockerfile:

FROM alpine:latest

RUN apk add lighttpd curl && rm -rf /var/cache/apk/*

COPY ./website /var/www/localhost/htdocs

HEALTHCHECK --interval=1m --timeout=1s \
  CMD curl -f http://localhost/ || exit 1

EXPOSE 80

ENTRYPOINT ["/usr/sbin/lighttpd", "-D", "-f", "/etc/lighttpd/lighttpd.conf"]

Build and upload:

docker build . -t website:latest
docker save website:latest | gzip | curl --cacert ca.crt \
     --key client.key \
     --cert client.crt \
     -X POST -H "Content-Type:application/x-tar" -T - 'https://192.168.0.100:8866/v1/website/load'

ca.crt is the server certificate authority - this may be different from the client signing certificate authority.

Installation (tbd)

Installation is easiest using Rust's cargo package manager. Rust must be installed for a user which has permission to use docker; this can be done using the instructions at https://www.rust-lang.org/tools/install.

The ed-daemon is then installed using:

cargo install ed-daemon --root /usr

This will install the executable to /usr/bin/ed-daemon. The following folders / files are also created:

  • /etc/edd/config.toml
  • /etc/edd/config.defaults.toml
  • /etc/systemd/system/edd.service

The service is not enabled or started. Once the required keys and certificates are added (/etc/edd/server.crt, /etc/edd/server.key, /etc/edd/ca.crt) and the configuration is set, the service can be enabled with:

systemctl enable ed-daemon
systemctl start ed-daemon

Configuration File

The full configuration file (/etc/edd/config.toml, or set with the --config parameter for the ed-daemon executable) has the following defaults:

{
    "docker_socket": "/var/run/docker.sock",
    "container_prefix": "ed_",
    "tls_key": "/etc/edd/server.key",
    "tls_certs": "/etc/edd/server.crt",
    "mututal_tls_ca_certs": "/etc/edd/ca.crt",
    "deployments": [ ... ]
}

Only the deployments section is required.
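
Because each deployment's args array is handed to docker run, the configuration file decides how much host access a container gets, so it is worth reviewing before the daemon is restarted. The following audit is an added example, not part of ed-daemon; it assumes the JSON layout shown on this page, and the flag lists, function names and sample config are choices made for this example.

```python
import json

# Constructed sample in the config.json layout shown above (not a real deployment).
SAMPLE = """{"deployments": [
  {"name": "website", "args": ["-p", "80:8000", "-v", "/var/data/app:/usr/share/nginx/html"]},
  {"name": "agent", "args": ["--privileged", "--network=host", "--name", "x",
                             "-v", "/var/run/docker.sock:/var/run/docker.sock"]}
]}"""

RISKY = {"--privileged", "--cap-add", "--device", "--security-opt"}  # weaken isolation
HOST_NS = {"--network", "--net", "--pid", "--ipc", "--userns", "--uts"}  # risky when "host"
RESERVED = {"-d", "-it", "--name"}  # the README says the daemon supplies these
SENSITIVE = ("/var/run/docker.sock", "/run/docker.sock", "/etc", "/proc", "/sys")


def split_options(args):
    """Yield (flag, value) pairs for both '--flag value' and '--flag=value'."""
    i = 0
    while i < len(args):
        flag, sep, value = args[i].partition("=")
        takes_next = not sep and i + 1 < len(args) and not args[i + 1].startswith("-")
        if flag.startswith("-") and takes_next:
            i += 1
            value = args[i]
        yield flag, value
        i += 1


def audit(config_text):
    """Return (deployment name, finding) tuples for a config document."""
    findings = []
    for dep in json.loads(config_text).get("deployments", []):
        name = dep.get("name", "<unnamed>")
        for flag, value in split_options(dep.get("args", [])):
            if flag in RESERVED:
                findings.append((name, f"{flag} is supplied by the daemon; remove it"))
            elif flag in RISKY:
                findings.append((name, f"{flag} {value}".strip() + " weakens isolation"))
            elif flag in HOST_NS and value == "host":
                findings.append((name, f"{flag}=host shares a host namespace"))
            elif flag in ("-v", "--volume"):
                host = value.split(":")[0]
                if host == "/" or any(host == p or host.startswith(p + "/") for p in SENSITIVE):
                    findings.append((name, f"bind mount of sensitive host path {host}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The website deployment from this page passes cleanly; the constructed agent deployment is flagged four times.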

Dependencies

~26–57MB
~1M SLoC