kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-07 09:56:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor container deploy pipeline:

Browse Source 
- Replace inline shell scripts with Python-driven orchestration
- Introduce inner dockerd started via detached docker run
- Add docker exec–based inventory creation and dedicated deploy execution
- Add automatic vault password generation for CI
- Update GitHub Actions workflow to use new container deploy wrapper
- Add complete unit test suite for container deploy behavior
- Fix CLI argument forwarding and ensure single docker run call

Conversation reference:
https://chatgpt.com/share/6931c45d-4e40-800f-852f-6c9b1f7dc281
This commit is contained in:
Kevin Veen-Birkenbach
2025-12-04 18:27:15 +01:00
parent 8c64f91a6d
commit f2ace362bc
3 changed files with 446 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

167
.github/workflows/test-deploy.yml vendored
View File

@@ -1,3 +1,4 @@
# .github/workflows/test-deploy.yml
name: Build & Test Infinito.Nexus CLI in Docker Container
on:
@@ -15,7 +16,6 @@ jobs:
timeout-minutes: 240
env:
# The following roles will be ignored in the tests
EXCLUDED_ROLES: >
drv-lid-switch,
svc-net-wireguard-core,
@@ -26,9 +26,13 @@ jobs:
web-app-bridgy-fed,
web-app-oauth2-proxy,
web-app-postmarks,
web-app-elk,
web-app-syncope,
web-app-socialhome,
web-svc-xmpp,
INFINITO_IMAGE: infinito:latest
steps:
- name: Main Checkout repository
uses: actions/checkout@v4
@@ -36,154 +40,29 @@ jobs:
- name: Show Docker version
run: docker version
- name: Build Docker image
run: |
docker build --network=host --pull -t infinito:latest .
# 1) First deploy: normal + debug (inner dockerd with vfs)
# First deploy: normal + debug
- name: First deploy (normal + debug)
run: |
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
set -e
python -m cli.deploy.container --build --exclude "$EXCLUDED_ROLES" -- \
-T server \
--debug \
--skip-cleanup \
--skip-tests
echo ">>> Starting inner dockerd..."
dockerd --debug --host=unix:///var/run/docker.sock --storage-driver=vfs \
>/var/log/dockerd.log 2>&1 &
echo ">>> Waiting for inner Docker daemon..."
for i in $(seq 1 60); do
if docker info >/dev/null 2>&1; then
echo ">>> Inner Docker daemon is up."
break
fi
sleep 1
done
if ! docker info >/dev/null 2>&1; then
echo "ERROR: Inner Docker daemon did not start in time." >&2
echo "----------- dockerd.log (inside infinito) -----------" >&2
if [ -f /var/log/dockerd.log ]; then
sed -n "1,200p" /var/log/dockerd.log >&2
else
echo "dockerd.log not found" >&2
fi
echo "-----------------------------------------------------" >&2
exit 1
fi
echo ">>> Inner Docker daemon is up, proceeding with deploy."
cd /opt/infinito-src
echo ">>> Create CI inventory (normal + debug)..."
infinito create inventory inventories/github-ci \
--host localhost \
--exclude "$EXCLUDED_ROLES" \
--ssl-disabled
INVENTORY_PATH="inventories/github-ci/servers.yml"
VAULT_FILE="inventories/github-ci/.password"
echo ">>> First deploy (normal + debug)..."
infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --debug --skip-tests
'
# 2) Second deploy: reset + debug (same inner dockerd pattern, also vfs)
# Second deploy: reset + debug
- name: Second deploy (--reset --debug)
run: |
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
set -e
python -m cli.deploy.container --exclude "$EXCLUDED_ROLES" -- \
-T server \
--reset \
--debug \
--skip-cleanup \
--skip-tests
echo ">>> Starting inner dockerd..."
dockerd --debug --host=unix:///var/run/docker.sock --storage-driver=vfs \
>/var/log/dockerd.log 2>&1 &
echo ">>> Waiting for inner Docker daemon..."
for i in $(seq 1 60); do
if docker info >/dev/null 2>&1; then
echo ">>> Inner Docker daemon is up."
break
fi
sleep 1
done
if ! docker info >/dev/null 2>&1; then
echo "ERROR: Inner Docker daemon did not start in time." >&2
echo "----------- dockerd.log (inside infinito) -----------" >&2
if [ -f /var/log/dockerd.log ]; then
sed -n "1,200p" /var/log/dockerd.log >&2
else
echo "dockerd.log not found" >&2
fi
echo "-----------------------------------------------------" >&2
exit 1
fi
cd /opt/infinito-src
echo ">>> Recreate CI inventory (reset run)..."
infinito create inventory inventories/github-ci \
--host localhost \
--exclude "$EXCLUDED_ROLES" \
--ssl-disabled
INVENTORY_PATH="inventories/github-ci/servers.yml"
VAULT_FILE="inventories/github-ci/.password"
echo ">>> Second deploy (--reset --debug)..."
infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --skip-tests --reset --debug
'
# 3) Third deploy: async (no debug, same inner dockerd, also vfs)
# Third deploy: async, no debug
- name: Third deploy (async deploy no debug)
run: |
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
set -e
echo ">>> Starting inner dockerd..."
dockerd --debug --host=unix:///var/run/docker.sock --storage-driver=vfs \
>/var/log/dockerd.log 2>&1 &
echo ">>> Waiting for inner Docker daemon..."
for i in $(seq 1 60); do
if docker info >/dev/null 2>&1; then
echo ">>> Inner Docker daemon is up."
break
fi
sleep 1
done
if ! docker info >/dev/null 2>&1; then
echo "ERROR: Inner Docker daemon did not start in time." >&2
echo "----------- dockerd.log (inside infinito) -----------" >&2
if [ -f /var/log/dockerd.log ]; then
sed -n "1,200p" /var/log/dockerd.log >&2
else
echo "dockerd.log not found" >&2
fi
echo "-----------------------------------------------------" >&2
exit 1
fi
cd /opt/infinito-src
echo ">>> Create/update inventory for async deploy..."
infinito create inventory inventories/github-ci \
--host localhost \
--exclude "$EXCLUDED_ROLES" \
--ssl-disabled
INVENTORY_PATH="inventories/github-ci/servers.yml"
VAULT_FILE="inventories/github-ci/.password"
echo ">>> Third deploy (async, no debug)..."
infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --skip-tests --async
'
python -m cli.deploy.container --exclude "$EXCLUDED_ROLES" -- \
-T server \
--skip-cleanup \
--skip-tests

246
cli/deploy/container.py Normal file
View File

@@ -0,0 +1,246 @@
# cli/deploy/container.py
import argparse
import os
import subprocess
import sys
import time
import uuid
from typing import List
def ensure_image(image: str) -> None:
"""
Ensure the Docker image exists locally. If not, build it with docker build.
"""
print(f">>> Checking if Docker image '{image}' exists...")
result = subprocess.run(
["docker", "image", "inspect", image],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)
if result.returncode == 0:
print(f">>> Docker image '{image}' already exists.")
return
print(f">>> Docker image '{image}' not found. Building it...")
subprocess.run(
["docker", "build", "--network=host", "--pull", "-t", image, "."],
check=True,
)
print(f">>> Docker image '{image}' successfully built.")
def docker_exec(container: str, args: List[str], workdir: str | None = None, check: bool = True) -> subprocess.CompletedProcess:
"""
Helper to run `docker exec` with optional working directory.
"""
cmd = ["docker", "exec"]
if workdir:
cmd += ["-w", workdir]
cmd.append(container)
cmd += args
return subprocess.run(cmd, check=check)
def wait_for_inner_docker(container: str, timeout: int = 60) -> None:
"""
Poll `docker exec <container> docker info` until inner dockerd is ready.
"""
print(">>> Waiting for inner Docker daemon inside CI container...")
for i in range(timeout):
result = subprocess.run(
["docker", "exec", container, "docker", "info"],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)
if result.returncode == 0:
print(">>> Inner Docker daemon is UP.")
return
time.sleep(1)
raise RuntimeError("Inner Docker daemon did not become ready in time")
def run_in_container(
image: str,
exclude: str,
forwarded_args: List[str],
build: bool,
) -> None:
"""
Orchestrate everything from the *host*:
- start CI container with inner dockerd
- wait for inner docker
- create inventory (cli.create.inventory)
- ensure vault password file
- run cli.deploy.dedicated
All heavy lifting inside the container happens via direct `docker exec` calls.
"""
if build:
ensure_image(image)
container_name = f"infinito-ci-{uuid.uuid4().hex[:8]}"
workdir = "/opt/infinito-src"
try:
# 1) Start CI container with dockerd as PID 1
print(f">>> Starting CI container '{container_name}' with inner dockerd...")
subprocess.run(
[
"docker",
"run",
"-d",
"--name",
container_name,
"--network=host",
"--privileged",
"--cgroupns=host",
image,
"dockerd",
"--debug",
"--host=unix:///var/run/docker.sock",
"--storage-driver=vfs",
],
check=True,
)
# 2) Wait until inner docker responds
wait_for_inner_docker(container_name)
# 3) Create CI inventory via Python module
print(">>> Creating CI inventory inside container (cli.create.inventory)...")
docker_exec(
container_name,
[
"python3",
"-m",
"cli.create.inventory",
"inventories/github-ci",
"--host",
"localhost",
"--exclude",
exclude,
"--ssl-disabled",
],
workdir=workdir,
check=True,
)
# 4) Ensure vault password file exists
print(">>> Ensuring CI vault password file exists...")
docker_exec(
container_name,
[
"sh",
"-c",
"mkdir -p inventories/github-ci && "
"[ -f inventories/github-ci/.password ] || "
"printf '%s\n' 'ci-vault-password' > inventories/github-ci/.password",
],
workdir=workdir,
check=True,
)
# 5) Run dedicated deploy
print(">>> Running cli.deploy.dedicated inside CI container...")
cmd = [
"python3",
"-m",
"cli.deploy.dedicated",
"inventories/github-ci/servers.yml",
"-p",
"inventories/github-ci/.password",
*forwarded_args,
]
result = docker_exec(container_name, cmd, workdir=workdir, check=False)
if result.returncode != 0:
raise subprocess.CalledProcessError(
result.returncode, cmd
)
print(">>> Deployment finished successfully inside CI container.")
finally:
print(f">>> Cleaning up CI container '{container_name}'...")
subprocess.run(
["docker", "rm", "-f", container_name],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)
def main() -> int:
parser = argparse.ArgumentParser(
prog="infinito-deploy-container",
description=(
"Run cli.deploy.dedicated inside an infinito Docker image with an inner "
"Docker daemon (dockerd + vfs) and auto-generated CI inventory."
),
)
parser.add_argument(
"--image",
default=os.environ.get("INFINITO_IMAGE", "infinito:latest"),
help="Docker image to use (default: %(default)s, overridable via INFINITO_IMAGE).",
)
parser.add_argument(
"--exclude",
default=os.environ.get("EXCLUDED_ROLES", ""),
help=(
"Comma-separated list of roles to exclude when creating the CI inventory "
"(default taken from EXCLUDED_ROLES env var)."
),
)
parser.add_argument(
"--build",
action="store_true",
help="If set, ensure the Docker image exists by building it when missing.",
)
parser.add_argument(
"forwarded",
nargs=argparse.REMAINDER,
help=(
"Arguments to forward to cli.deploy.dedicated. "
"Use '--' to separate wrapper options from dedicated options."
),
)
args = parser.parse_args()
forwarded_args = list(args.forwarded)
if forwarded_args and forwarded_args[0] == "--":
forwarded_args = forwarded_args[1:]
if not forwarded_args:
print(
"Error: no arguments forwarded to dedicated deploy script.\n"
"Hint: use '--' to separate wrapper options from dedicated options, e.g.\n"
" python -m cli.deploy.container --build -- -T server --debug --skip-tests",
file=sys.stderr,
)
return 1
try:
run_in_container(
image=args.image,
exclude=args.exclude,
forwarded_args=forwarded_args,
build=args.build,
)
except subprocess.CalledProcessError as exc:
print(f"[ERROR] Container run failed with exit code {exc.returncode}", file=sys.stderr)
return exc.returncode
except RuntimeError as exc:
print(f"[ERROR] {exc}", file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
raise SystemExit(main())

177
tests/unit/cli/deploy/test_container.py Normal file
View File

@@ -0,0 +1,177 @@
# tests/unit/cli/deploy/test_container.py
import subprocess
import sys
import unittest
from typing import List
from unittest import mock
from cli.deploy import container as deploy_container
class TestEnsureImage(unittest.TestCase):
@mock.patch("subprocess.run")
def test_ensure_image_skips_build_when_image_exists(self, mock_run):
# docker image inspect → returncode 0 means "image exists"
mock_run.return_value = subprocess.CompletedProcess(
["docker", "image", "inspect", "infinito:latest"],
0,
stdout=b"",
stderr=b"",
)
deploy_container.ensure_image("infinito:latest")
# Only one call: docker image inspect
self.assertEqual(mock_run.call_count, 1)
cmd = mock_run.call_args_list[0].args[0]
self.assertEqual(cmd[:3], ["docker", "image", "inspect"])
# No docker build command
self.assertFalse(
any(
call.args[0][:2] == ["docker", "build"]
for call in mock_run.call_args_list
),
"docker build should not run when the image already exists",
)
@mock.patch("subprocess.run")
def test_ensure_image_builds_when_missing(self, mock_run):
calls: List[List[str]] = []
def _side_effect(cmd, *args, **kwargs):
calls.append(cmd)
# First inspect fails → triggers build
if cmd[:3] == ["docker", "image", "inspect"]:
return subprocess.CompletedProcess(cmd, 1, b"", b"missing")
# Build succeeds
if cmd[:2] == ["docker", "build"]:
return subprocess.CompletedProcess(cmd, 0, b"", b"")
return subprocess.CompletedProcess(cmd, 0, b"", b"")
mock_run.side_effect = _side_effect
deploy_container.ensure_image("infinito:latest")
self.assertTrue(
any(c[:3] == ["docker", "image", "inspect"] for c in calls),
"Expected docker image inspect to be called",
)
self.assertTrue(
any(c[:2] == ["docker", "build"] for c in calls),
"Expected docker build to run when image is missing",
)
class TestRunInContainer(unittest.TestCase):
@mock.patch("subprocess.run")
def test_run_in_container_calls_single_docker_run(self, mock_run):
"""
Current container.py starts exactly one Docker container via
'docker run' to launch the inner dockerd daemon. All further work
(inventory creation + dedicated deploy) happens via docker exec.
"""
calls: List[List[str]] = []
def _side_effect(cmd, *args, **kwargs):
calls.append(cmd)
return subprocess.CompletedProcess(cmd, 0, b"", b"")
mock_run.side_effect = _side_effect
image = "infinito:latest"
exclude = "foo,bar"
forwarded = ["-T", "server", "--debug", "--skip-tests"]
deploy_container.run_in_container(
image=image,
exclude=exclude,
forwarded_args=forwarded,
build=False,
)
# We expect at least one subprocess.run call
self.assertGreaterEqual(len(calls), 1)
# Only count *docker run* invocations, not docker exec / image / build
docker_run_calls = [
c
for c in calls
if isinstance(c, list)
and len(c) >= 2
and c[0] == "docker"
and c[1] == "run"
]
self.assertEqual(
len(docker_run_calls),
1,
"Expected exactly one 'docker run' call",
)
cmd = docker_run_calls[0]
# Basic structure of the docker run call
self.assertEqual(cmd[0], "docker")
self.assertEqual(cmd[1], "run")
# New behavior: container runs dockerd in detached mode
self.assertIn("-d", cmd)
self.assertIn("--name", cmd)
self.assertIn("--network=host", cmd)
self.assertIn("--privileged", cmd)
self.assertIn("--cgroupns=host", cmd)
self.assertIn(image, cmd)
self.assertIn("dockerd", cmd)
# We *no longer* expect '--rm', '/bin/sh', or '-lc' here,
# because all higher-level logic is executed by docker exec.
class TestMain(unittest.TestCase):
@mock.patch("cli.deploy.container.run_in_container")
def test_main_requires_forwarded_args(self, mock_run_in_container):
"""
If no arguments follow '--', main() must return exit code 1 and not call run_in_container().
"""
argv = ["cli.deploy.container"] # realistic argv from `python -m ...`
with mock.patch.object(sys, "argv", argv):
rc = deploy_container.main()
self.assertEqual(rc, 1)
mock_run_in_container.assert_not_called()
@mock.patch("cli.deploy.container.run_in_container")
def test_main_passes_arguments_to_run_in_container(self, mock_run_in_container):
"""
Ensure CLI args are parsed and forwarded correctly.
"""
argv = [
"cli.deploy.container",
"--image", "myimage:latest",
"--exclude", "foo,bar",
"--build",
"--",
"-T", "server",
"--debug",
]
with mock.patch.object(sys, "argv", argv):
rc = deploy_container.main()
self.assertEqual(rc, 0)
mock_run_in_container.assert_called_once()
# access kwargs passed to run_in_container
kwargs = mock_run_in_container.call_args.kwargs
self.assertEqual(kwargs["image"], "myimage:latest")
self.assertEqual(kwargs["exclude"], "foo,bar") # <-- fixed key
self.assertTrue(kwargs["build"])
self.assertEqual(
kwargs["forwarded_args"],
["-T", "server", "--debug"],
)
if __name__ == "__main__":
unittest.main()