Support passing a Docker config.json for app / pod being launched
ClosedAll Users
Actions

Authored by ichernetsky on May 10 2017, 2:44 PM.

Details

Reviewers

jenkins
meichstedt
aquamatthias
zen-dog
kensipe
unterstein
jdef
jeschkies

Commits

rMARATHON9450c8e37911: More of testing and validating Docker Pull Config API
rMARATHONa30d8c678ead: Address @aquamatthias' comments
rMARATHON359bae165365: Document Docker image config option
rMARATHON1ee454c46811: Add support of Docker Image config field for pods too
rMARATHON4896abb92cc5: Introduce ImagePullConfig proto message
rMARATHONe43d34540e72: Make sure that config option is used only with both Mesos Containerizer and…
rMARATHON78bb703eeeba: Introduce ImagePullConfig proto message
rMARATHON34bf51bd508e: Support passing a Docker config for task / pod being launched
rMARATHONde2e9bbd060a: Address @jdef's comments
rMARATHONa3c4dab98dd4: Address @jdef's comments
rMARATHONf452d7149626: Address @jdef's comments and use the existing secret interface instead of…
rMARATHONd66c2c00541e: Support passing a Docker config for task / pod being launched
rMARATHONc6bbd6576e5a: Document Docker image config option
rMARATHON4ac015623b5d: Uncomment a plugin
rMARATHON41bf6e4c7e70: Fix a test
rMARATHON37f1068e05f8: Compile *.proto files with protoc v2.6.1
rMARATHON01acfd8593f3: Support container.docker.config.{text,secret}
rMARATHONcc9e43d9b5d8: SI test for a pod pulling an image from a private registry
rMARATHONf6b6cdf5ea8d: SI test for a pod pulling an image from a private registry
rMARATHON32756ea6909a: Fix a test
rMARATHON05ad39208c76: Tell people use protoc v2.6.1
rMARATHON825d33d43e88: Compile *.proto files with protoc v2.6.1
rMARATHON8a2472d3cbcb: Update integration tests to test fetching of private Docker images
rMARATHONe6b229eb08ec: Address comments
rMARATHONdb79c855b81f: Copy mesos.proto from Mesos' master branch (commit…
rMARATHON5d7dfd6613ec: Update integration tests to test fetching of private Docker images
rMARATHONe31af6c1d61d: Address comments for docs
rMARATHONb97782ca9309: Support passing a Docker config.json for app / pod being launched
rMARATHON58363801d813: Drop support for "docker.config.text" and use SecretDef for "docker.config.
rMARATHONea89b203b5b8: Tell people use protoc v2.6.1
rMARATHON1a0540fac9ab: Uncomment a plugin
rMARATHON4013d6404a35: Address comments for docs
rMARATHON39bec377ba9c: Drop support for "docker.config.text" and use SecretDef for "docker.config.
rMARATHONb0e91b9ab642: Make sure that config option is used only with both Mesos Containerizer and…
rMARATHONe5e3817775c5: Replace config with pullConfig in native-docker.md
rMARATHON7795b89a8ecb: Use Mesos 1.4.0-SNAPSHOT
rMARATHON297c502ed930: Support passing a Docker config.json for app / pod being launched
rMARATHONe994b756a437: Support passing a Docker config.json for app / pod being launched
rMARATHON2d1c9c32e46d: SI test for a pod pulling an image from a private registry
rMARATHONca27cb5a7127: Address comments for docs
rMARATHONb0ca2be54a47: More of testing and validating Docker Pull Config API
rMARATHONeb0fd4b85d09: Use Mesos 1.4.0-SNAPSHOT
rMARATHON9d0901eb3402: Support passing a Docker config.json for app / pod being launched
rMARATHON58908feb732d: Address @jdef's comments
rMARATHON5c6cc18e6a2c: Add support of Docker Image config field for pods too
rMARATHONf3e890b0d545: Address @jdef's comments
rMARATHONebe73d447582: Support container.docker.config.{text,secret}
rMARATHON0e5d61d96a8f: Use Mesos 1.3.0-rc3
rMARATHON487e006cbe26: Address @aquamatthias' comments
rMARATHON7d49bc18164b: Bring container.docker.credential back to life, but deprecate it
rMARATHONb37a5c26b3b0: Address @jdef's comments and use the existing secret interface instead of…
rMARATHON084b07b1df64: Bring container.docker.credential back to life, but deprecate it
rMARATHON4b0523692730: Copy mesos.proto from Mesos' master branch (commit…

JIRA Issues

JIRA MARATHON-7090 UCR Authentication per task / docker registry

Test Plan

Run tests, launch an app with "container.docker.config" set

Diff Detail

Repository

rMARATHON marathon

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

There are a very large number of changes, so older changes are hidden. Show Older Changes

Replace config with pullConfig in native-docker.md
Address @jdef's comments

✔ Build of 3328 completed jenkins-public-marathon-phabricator-87.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-538-g44f7e23.tgz",
"sha1"" "67f4f9849ae3b340c7aa357d8c2d9363904bc987"

Harbormaster completed building B2759: Diff 3328.May 24 2017, 9:38 AM

ichernetsky marked an inline comment as done.May 24 2017, 7:35 PM

Introduce ImagePullConfig proto message

✔ Build of 3340 completed jenkins-public-marathon-phabricator-101.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-538-g44f7e23.tgz",
"sha1"" "d00b47ad3634bac6475ff56b2f62354f0cd95100"

Harbormaster completed building B2770: Diff 3340.May 24 2017, 9:02 PM

More of testing and validating Docker Pull Config API

✔ Build of 3341 completed jenkins-public-marathon-phabricator-102.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-538-g44f7e23.tgz",
"sha1"" "cd497bd39061b5d0667d76ff998bcc5f1d073502"

Harbormaster completed building B2771: Diff 3341.May 25 2017, 6:07 AM

Rebase

jenkins requested changes to this revision.May 25 2017, 5:29 PM

This revision now requires changes to proceed.May 25 2017, 5:29 PM

✗ Build of 3342 failed jenkins-public-marathon-phabricator-103.
Error message:

Stage Compile and Test failed.

Harbormaster failed to build B2772: Diff 3342!May 25 2017, 5:29 PM

docs/docs/rest-api/public/api/v2/types/appContainer.raml
15	???
119	i'm looking for "Deprecated in favor of `pullConfig`"
project/Dependencies.scala
86	I've heard that there's a 1.3.0-rc1 that contains what we need?
src/main/scala/mesosphere/marathon/api/serialization/ContainerSerializer.scala
341	nit: should not need `new` here
src/main/scala/mesosphere/marathon/api/v2/validation/AppValidation.scala
55	i don't see a validation test case for this. is it there and missed it? if not, please add one
src/main/scala/mesosphere/marathon/api/v2/validation/PodsValidation.scala
134	this `case _` is superfluous since `ImageType` is a sealed trait
158	wow, we really left `abc` in there, eh?
src/main/scala/mesosphere/marathon/raml/ContainerConversion.scala
200	ditto, `new` is not required here
src/main/scala/mesosphere/mesos/TaskGroupBuilder.scala
350 ↗	(On Diff #3342)	nit: eliminate this added newline and this file drops from the diff
src/test/scala/mesosphere/marathon/api/v2/AppsResourceTest.scala
168	happy to see some tests here. i'd like a more thorough exercise of the validation rules to appear in AppValidationTest
src/test/scala/mesosphere/marathon/api/v2/PodsResourceTest.scala
240	happy to see some tests here. i'd like a more thorough exercise of the validation rules to appear in PodsValidationTest

Some minor changes but otherwise lgtm. Thx!

tests/system/common.py
875–876	It seems like next 10 lines can be replaced by `create_docker_pull_config_json()` call?
tests/system/marathon_common_tests.py
986–987	Those asserts here and in `test_create_pod_with_private_image()` are not necessary since you skip the test if they're not there anyway?

tests/system/common.py
472–482	I don't know what "private_mesos_app" means... can we rename this to something meaningful? or add docs that explains why it should be used?
865	this is in shakedown... all of this can be replaced with `shakedown. distribute_docker_credentials_to_private_agents()` https://github.com/dcos/shakedown/blob/master/shakedown/dcos/docker.py#L65
tests/system/marathon_common_tests.py
986–987	I don't see `docker_env_set()` in the skipif.. however it is likely that we are skipping if we are missing expected ENV.. that makes these assert 'DOCKER_XYZ` not useful.
tests/system/marathon_pods_tests.py
95	do we need these assertions?
110	why do we define the app json for secrets behind a function and for the longer pod json we do not? I'm a fan of pulling this out so the test focuses on the setup and assertion.. but it isn't that big of a deal.

tests/system/common.py
472–482	App id should have a random part (see using of `uuid` in other tests). Prevents collisions and makes debugging easier.
865	This is not the same - there is no need to distribute the file, since it's passed as part of the app definition. However we should extract creation part into a separate function and maybe move it to shakedown later.

tests/system/common.py
472–482	your comment doesn't address the comment or concern... the issue isn't app_id... it is the meaning of private_mesos_container and documentation
tests/system/marathon_common_tests.py
986–987	yes

tests/system/common.py
472–482	It was meant as an addition to your comment ;)

tests/system/common.py
865	Aleksey is correct.
875–876	Yep, forgot to do it.

Address comments

Use Mesos 1.3.0-rc3

✔ Build of 3356 completed jenkins-public-marathon-phabricator-114.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-542-gba55703.tgz",
"sha1"" "d1fa8e7e2d01c05830129043c4cdaf3e833dc322"

Harbormaster completed building B2783: Diff 3356.May 31 2017, 2:50 AM

✔ Build of 3357 completed jenkins-public-marathon-phabricator-115.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-542-gba55703.tgz",
"sha1"" "abe173ddd939a9eccadf32115f50264b9e042b9e"

Harbormaster completed building B2784: Diff 3357.May 31 2017, 3:02 AM

wow, a bunch of feedback already given and addressed.
On top I would add only one nit.
Except open feedback LGTM 🚀

Accept in advance

docs/docs/pods.md
184	s/config/pullConfig/

jeschkies resigned from this revision.May 31 2017, 4:07 PM

config -> pullConfig in pods.md

✔ Build of 3377 completed jenkins-public-marathon-phabricator-134.

You can create a DC/OS with your patched Marathon by creating a new pull
request with the following changes in buildinfo.json:

"url": "https://downloads.mesosphere.io/marathon/snapshots/marathon-1.5.0-SNAPSHOT-542-gba55703.tgz",
"sha1"" "56551544aaf0dc78a352f40840078fea5255805d"

Harbormaster completed building B2799: Diff 3377.May 31 2017, 5:33 PM

kensipe accepted this revision.May 31 2017, 5:58 PM

I've left ??? to indicate unanswered questions from prior reviews

docs/docs/rest-api/public/api/v2/types/appContainer.raml
15	???
119	???
docs/docs/rest-api/public/api/v2/types/docker.raml
12	nit: `required: true` is redundant (because it's the default). i don't think we say that many other places?
src/main/scala/mesosphere/marathon/api/v2/validation/PodsValidation.scala
127	Pretty sure that image.id validation is already handled by the generated RAML code: val id = json.\("id").validate[String](play.api.libs.json.JsPath.read[String](maxLength[String](1024) keepAnd minLength[String](1))) so .. no need to duplicate that validation here. the length check above (in the dockerImageValidator) code is redundant, and there's already a JIRA filed for removing redundant validation. we shouldn't add any more

This revision now requires changes to proceed.May 31 2017, 9:53 PM

ichernetsky marked 3 inline comments as done.May 31 2017, 10:14 PM

Address @jdef's comments

jenkins requested changes to this revision.May 31 2017, 10:25 PM

This revision now requires changes to proceed.May 31 2017, 10:25 PM

✗ Build of 3380 failed jenkins-public-marathon-phabricator-140.
Error message:

Stage Compile and Test failed.

Harbormaster failed to build B2802: Diff 3380!May 31 2017, 10:25 PM

It'd be pretty sweet if the RAML DockerCredentials type had a deprecation notice somewhere:

DockerCredentials:
  type: object
  description: Credential to authenticate with the docker registry
  properties:
    principal:
      type: string
      description: Principal to authenticate with the docker registry
    secret?:
      type: string
      description: Secret to authenticate with the docker registry

approving, subject to the addition of the requested deprecation notice

Deprecated DockerCredentials type

Closed by commit rMARATHONb97782ca9309: Support passing a Docker config.json for app / pod being launched (authored by ichernetsky). · Explain WhyJun 1 2017, 12:36 AM

This revision was automatically updated to reflect the committed changes.

✗ Build of 3382 failed jenkins-public-marathon-phabricator-141.
Error message:

Stage Compile and Test failed.

Harbormaster failed to build B2803: Diff 3382!Jun 1 2017, 12:50 AM

timcharper removed a reviewer: timcharper.Jun 2 2017, 1:19 AM

Revision Contents

		Path
M		docs/docs/blue-green-deploy.md (4 lines)
M		docs/docs/native-docker.md (55 lines)
M		docs/docs/pods.md (79 lines)
M		docs/docs/rest-api/public/api/v2/schema/AppDefinition.json (15 lines)
M		docs/docs/rest-api/public/api/v2/types/appContainer.raml (9 lines)
A	M	docs/docs/rest-api/public/api/v2/types/docker.raml (16 lines)
M		docs/docs/rest-api/public/api/v2/types/podContainer.raml (6 lines)
M		project/Dependencies.scala (2 lines)
M		project/RamlGeneratorPlugin.scala (1 line)
M		project/plugins.sbt (1 line)
M		src/main/java/mesosphere/marathon/Protos.java (4543 lines)
M		src/main/proto/README.md (3 lines)
M		src/main/proto/marathon.proto (19 lines)
M		src/main/proto/mesos/mesos.proto (196 lines)
M		src/main/scala/mesosphere/marathon/api/serialization/ContainerSerializer.scala (43 lines)
A	M	src/main/scala/mesosphere/marathon/api/serialization/SecretSerializer.scala (15 lines)
M		src/main/scala/mesosphere/marathon/api/v2/validation/AppValidation.scala (17 lines)
M		src/main/scala/mesosphere/marathon/api/v2/validation/PodsValidation.scala (23 lines)
M		src/main/scala/mesosphere/marathon/raml/ContainerConversion.scala (34 lines)
M		src/main/scala/mesosphere/marathon/state/Container.scala (3 lines)
M		src/test/scala/mesosphere/marathon/api/v2/AppsResourceTest.scala (69 lines)
M		src/test/scala/mesosphere/marathon/api/v2/PodsResourceTest.scala (149 lines)
M		src/test/scala/mesosphere/marathon/api/v2/validation/AppValidationTest.scala (52 lines)
M		src/test/scala/mesosphere/marathon/raml/ContainerConversionTest.scala (18 lines)
M		src/test/scala/mesosphere/mesos/TaskBuilderTest.scala (7 lines)
M		tests/system/common.py (127 lines)
M		tests/system/marathon_common_tests.py (34 lines)
M		tests/system/marathon_pods_tests.py (29 lines)
M		tests/system/test_marathon_on_marathon_ee.py (2 lines)

Diff	ID	Base	Description	Created	Lint	Unit
Base			Base
Diff 1	3138	900d4cf		May 10 2017, 2:44 PM	★	★
Diff 2	3144	900d4cf	- Use Mesos 1.4.0-SNAPSHOT	May 10 2017, 11:09 PM	★	★
Diff 3	3146	900d4cf	- Bring container.docker.credential back to life, but deprecate it	May 11 2017, 1:27 AM	★	★
Diff 4	3147	900d4cf	- Address @jdef's comments	May 11 2017, 1:30 AM	★	★
Diff 5	3148	900d4cf	- Document Docker image config option	May 11 2017, 3:06 AM	★	★
Diff 6	3170	900d4cf	- Support container.docker.config.{text,secret}	May 12 2017, 10:23 AM	★	★
Diff 7	3183	900d4cf	- Address @aquamatthias' comments	May 12 2017, 9:16 PM	★	★
Diff 8	3219	900d4cf	- Make sure that config option is used only with both Mesos Containerizer and…	May 16 2017, 1:56 AM	★	★
Diff 9	3258	c0bb800	- Use Mesos 1.4.0-SNAPSHOT	May 17 2017, 6:53 PM	★	★
Diff 10	3304	44f7e23	- Address @jdef's comments and use the existing secret interface instead of…	May 23 2017, 6:19 AM	★	★
Diff 11	3328	44f7e23	- Replace config with pullConfig in native-docker.md	May 24 2017, 9:21 AM	★	★
Diff 12	3340	44f7e23	- Introduce ImagePullConfig proto message	May 24 2017, 8:41 PM	★	★
Diff 13	3341	44f7e23	- More of testing and validating Docker Pull Config API	May 25 2017, 5:53 AM	★	★
Diff 14	3342	ba55703	Rebase	May 25 2017, 5:17 PM	★	★
Diff 15	3356	ba55703	- Address comments	May 31 2017, 2:28 AM	★	★
Diff 16	3357	ba55703	- Use Mesos 1.3.0-rc3	May 31 2017, 2:48 AM	★	★
Diff 17	3377	ba55703	- config -> pullConfig in pods.md	May 31 2017, 5:18 PM	★	★
Diff 18	3380	ba55703	- Address @jdef's comments	May 31 2017, 10:15 PM	★	★
Diff 19	3382	ba55703	- Deprecated DockerCredentials type	Jun 1 2017, 12:34 AM	★	★
Diff 20	3383	7543094	rMARATHONb97782ca9309761828dac43f3f14a91a7635912d	Jun 1 2017, 12:36 AM	★	★

Commit	Tree	Parents	Author	Summary	Date
1358deab572b	1fcebfbce831	1d2f522ff7c3	Ivan Chernetsky	Deprecated DockerCredentials type	Jun 1 2017, 12:34 AM
1d2f522ff7c3	d25fef8f92a8	0667dcb6002e	Ivan Chernetsky	Address @jdef's comments	May 31 2017, 10:14 PM
0667dcb6002e	0f73c04b405e	0e5d61d96a8f	Ivan Chernetsky	config -> pullConfig in pods.md	May 31 2017, 5:10 PM
0e5d61d96a8f	6018df1bb738	e6b229eb08ec	Ivan Chernetsky	Use Mesos 1.3.0-rc3	May 31 2017, 2:48 AM
e6b229eb08ec	ba46db6e8d21	9450c8e37911	Ivan Chernetsky	Address comments	May 31 2017, 2:27 AM
9450c8e37911	2d615fb3771f	78bb703eeeba	Ivan Chernetsky	More of testing and validating Docker Pull Config API	May 25 2017, 5:52 AM
78bb703eeeba	e49d31510039	58908feb732d	Ivan Chernetsky	Introduce ImagePullConfig proto message	May 24 2017, 8:40 PM
58908feb732d	be8dda6f896f	e5e3817775c5	Ivan Chernetsky	Address @jdef's comments	May 24 2017, 9:20 AM
e5e3817775c5	4fd2053cc0d2	b37a5c26b3b0	Ivan Chernetsky	Replace config with pullConfig in native-docker.md	May 24 2017, 12:15 AM
b37a5c26b3b0	fe64ff6e46b3	f6b6cdf5ea8d	Ivan Chernetsky	Address @jdef's comments and use the existing secret interface instead of… (Show More…)	May 23 2017, 6:12 AM
f6b6cdf5ea8d	f80e6c428b8f	4013d6404a35	Ivan Chernetsky	SI test for a pod pulling an image from a private registry	May 17 2017, 6:50 PM
4013d6404a35	3f891a0744c5	5d7dfd6613ec	Ivan Chernetsky	Address comments for docs	May 17 2017, 6:06 PM
5d7dfd6613ec	ccdf9455220e	1a0540fac9ab	Ivan Chernetsky	Update integration tests to test fetching of private Docker images	May 16 2017, 11:48 PM
1a0540fac9ab	2b2b635bbbd6	58363801d813	Ivan Chernetsky	Uncomment a plugin	May 16 2017, 9:55 PM
58363801d813	dbdf73acc140	b0e91b9ab642	Ivan Chernetsky	Drop support for "docker.config.text" and use SecretDef for "docker.config. (Show More…)	May 16 2017, 9:51 PM
b0e91b9ab642	f715a2f3a366	487e006cbe26	Ivan Chernetsky	Make sure that config option is used only with both Mesos Containerizer and… (Show More…)	May 16 2017, 1:52 AM
487e006cbe26	71d6b8c8ab2e	41bf6e4c7e70	Ivan Chernetsky	Address @aquamatthias' comments	May 12 2017, 9:13 PM
41bf6e4c7e70	21a1eee9d849	ebe73d447582	Ivan Chernetsky	Fix a test	May 12 2017, 9:56 AM
ebe73d447582	2a8289f89064	359bae165365	Ivan Chernetsky	Support container.docker.config.{text,secret}	May 12 2017, 9:37 AM
359bae165365	56e8aeb2016b	a3c4dab98dd4	Ivan Chernetsky	Document Docker image config option	May 11 2017, 3:05 AM
a3c4dab98dd4	2adde6bf21c6	7d49bc18164b	Ivan Chernetsky	Address @jdef's comments	May 11 2017, 1:30 AM
7d49bc18164b	329764167f2b	5c6cc18e6a2c	Ivan Chernetsky	Bring container.docker.credential back to life, but deprecate it	May 11 2017, 1:21 AM
5c6cc18e6a2c	b573d92aa78a	7795b89a8ecb	Ivan Chernetsky	Add support of Docker Image config field for pods too	May 10 2017, 11:06 PM
7795b89a8ecb	7f9b6eaffdc1	297c502ed930	Ivan Chernetsky	Use Mesos 1.4.0-SNAPSHOT	May 10 2017, 6:00 PM
297c502ed930	eed0f91bd284	d66c2c00541e	Ivan Chernetsky	Support passing a Docker config.json for app / pod being launched (Show More…)	May 10 2017, 2:37 PM
d66c2c00541e	258951d983da	05ad39208c76	Ivan Chernetsky	Support passing a Docker config for task / pod being launched	May 9 2017, 5:51 AM
05ad39208c76	f041e11137eb	37f1068e05f8	Ivan Chernetsky	Tell people use protoc v2.6.1	May 5 2017, 12:58 AM
37f1068e05f8	d562b1617c43	4b0523692730	Ivan Chernetsky	Compile *.proto files with protoc v2.6.1	May 5 2017, 12:58 AM
4b0523692730	03557715b4c6	ba5570306ffd	Ivan Chernetsky	Copy mesos.proto from Mesos' master branch (commit… (Show More…)	May 5 2017, 12:38 AM

Diff 3383

View Options

docs/docs/blue-green-deploy.md

This file was changed only by adding or removing whitespace. Show File Contents

View Options

docs/docs/native-docker.md

Show First 20 Lines • Show All 287 Lines • ▼ Show 20 Line(s)
288	288
289	289		# Mesos Containerizer and Universal Container Runtime
290	290
291	291		Starting with version 1.3.0, Marathon can provision Docker container images without relying on the external Docker Engine
292	292		Instead, the Mesos containerizer uses the Universal Container Runtime (added in [Apache Mesos version 1.0](http://mesos.apache.org/blog/mesos-1-0-0-released/), released July 2016) which uses native OS features to configure and start Docker or [AppC](https://github.com/appc/spec) container images and provide isolation.
293	293
294	294		## Configuration
295	295
296			Selected this setup by specifying the follow JSON combination, which previously provoked an error message:
297			container type "MESOS" and a "docker" object.
	296		Selected this setup by specifying the following JSON combination, which
	297		previously provoked an error message: container type `MESOS` and a
	298		`docker` object.
		jdefUnsubmitted Done nit: s/follow/following/
298	299
299	300		```json
300	301		{
301	302		"id": "mesos-docker",
302	303		"container": {
303	304		"docker": {
304	305		"image": "mesosphere/inky"
305	306		},
306	307		"type": "MESOS"
307	308		},
308	309		"args": ["hello"],
309	310		"cpus": 0.2,
310	311		"mem": 16.0,
311	312		"instances": 1
312	313		}
313	314		```
314			The Mesos containerizer does not support the same parameter options as the Docker containerizer yet.
315			The only properties recognized by both containerizers are "image" and "forcePullImage",
316			with the same semantics. All other Docker container properties result in an error with the Mesos containerizer.
317	315
318			However, the latest version of the Mesos containerizer introduces its own new property, "credential", with a "principal" and an optional "secret" field to authenticate when downloading the Docker image.
	316		The Mesos containerizer does not support the same parameter options as
	317		the Docker containerizer yet. The only properties recognized by both
	318		containerizers are `image` and `forcePullImage`, with the same
	319		semantics. All other Docker container properties result in an error
	320		with the Mesos containerizer.
319	321
	322		Starting with Marathon v1.5, Mesos containerizer supports the
		jdefUnsubmitted Done s/supports/supports the/
	323		`container.docker.pullConfig` property, which may be used to specify
		jdefUnsubmitted Done nit: s/might/may/
	324		a Docker `config.json` per Docker image. Its `secret` property
		zen-dogUnsubmitted Done Can only be specified as `secret` to ensure security etc.
	325		should be set to one of top-level `secrets` properties, which refers to
		jdefUnsubmitted Done nit: s/field/fields/
	326		`config.json` in a secret store.
		jdefUnsubmitted Done Please add a blurb here that clearly indicates that this new method of docker image pull secrets is NOT supported by Docker containerizer; different ways of doing things for different containerizers is typically very confusing for marathon users
		jdefUnsubmitted Done wordsmith this a bit: "... secret store storing a content". suggest something like: "... which refers to a secret whose value contains the content of, for example, `~/.docker/config.json`."
	327
		zen-dogUnsubmitted Done I would also add a reference to `docs/docs/secrets.md` (see D729) to make clear that you need to implement you own secrets plugin in order for this to work. Otherwise it's not clear where the secret should come from.
320	328		```json
321	329		{
322			"id": "mesos-docker",
	330		"id": "/mesos-docker",
323	331		"container": {
324	332		"docker": {
325	333		"image": "mesosphere/inky",
326			"credential": {
327			"principal": "alice",
	334		"pullConfig": {
	335		"secret": "pullConfig"
		jdefUnsubmitted Done s/config/pullConfig/
328			"secret": "wonderland"
329	336		}
		jdefUnsubmitted Done ditto, not supported for this release (at least, not in this API)
330	337		},
331	338		"type": "MESOS"
332	339		},
	340		"secrets": {
	341		"pullConfig": {
	342		"source": "/mesos-docker/pullConfig"
	343		}
	344		},
333	345		"args": ["hello"],
334	346		"cpus": 0.2,
335	347		"mem": 16.0,
336	348		"instances": 1
337	349		}
338	350		```
339	351
		zen-dogUnsubmitted Done This is just confusing since this way never worked. I would either remove this completely or just say that: "...Previously existing `credential` object is deprecated..." Since it was never implemented (so we won't break anything) we should probably just remove it? What do you think @meichstedt, @jdef ?
		ichernetskyAuthorUnsubmitted Not Done Removed.
	352		Please note, that this feature is not supported by Docker
	353		containerizer yet.
	354
	355		To learn more about secrets, please refer to
	356		[Secrets]({{ site.baseurl/docs/secrets.html }})
	357
340	358		## Resources
341	359
342	360		- [Mesos Docker Containerizer](http://mesos.apache.org/documentation/latest/docker-containerizer)
343			- [Supporting Container Images in Mesos Containerizer]
344			(https://github.com/apache/mesos/blob/master/docs/container-image.md)
	361		- [Supporting Container Images in Mesos Containerizer](https://github.com/apache/mesos/blob/master/docs/container-image.md)

View Options

docs/docs/pods.md

Show First 20 Lines • Show All 69 Lines • ▼ Show 20 Line(s)
70	70
71	71		### Pod Events and State
72	72
73	73		When you update a pod that has already launched, the new version of the pod will only be available when redeployment is complete. If you query the system to learn which version is deployed before redeployment is complete, you may get the previous version as a response. The same is true for the status of a pod: if you update a pod, the change in status will not be reflected in a query until redeployment is complete.
74	74
75	75		History is permanently tied to `pod_id`. If you delete a pod and then reuse the ID, even if the details of the pod are different, the new pod will have the previous history (such as version information).
76	76
77	77		### Pod Definitions
	78
78	79		Pods are configured via a JSON pod definition, which is similar to an [application definition]({{ site.baseurl }}/docs/application-basics.html). You must declare the resources required by each container in the pod because Mesos, not Marathon, determines how and when to perform isolation for all resources requested by a pod. See the [Examples](#examples) section for complete pod definitions.
79	80
80	81		#### Executor Resources
81	82
82	83		The executor runs on each node to manage the pods. By default, the executor reserves 32 MB and .1 CPUs per pod for overhead. Take this overhead into account when declaring resource needs for the containers in your pod. You can modify the executor resources in the `executorResources` field of your pod definition.
83	84
84	85		```json
85	86		{
▲ Show 20 Lines • Show All 68 Lines • ▼ Show 20 Line(s)
154	155		{
155	156		"image":{
156	157		"id":"mesosphere/marathon:latest",
157	158		"kind":"DOCKER",
158	159		"forcePull":false
159	160		}
160	161		}
161	162		```
	163
	164		An optional `image.pullConfig` is supported too. Here is an example of
		jdefUnsubmitted Done Please provide a working example here for pods. People really like working examples
	165		a pod pulling a Docker image from a private registry:
	166
	167		```json
	168		{
	169		"id": "/simple-pod",
	170		"scaling": {
	171		"kind": "fixed",
	172		"instances": 1
	173		},
	174		"containers": [{
	175		"name": "container0",
	176		"exec": {
	177		"command": {
	178		"shell": "sleep 1000"
	179		}
	180		},
	181		"image": {
	182		"kind": "DOCKER",
	183		"id": "company/private-image",
	184		"pullConfig": {
		untersteinUnsubmitted Not Done s/config/pullConfig/
	185		"secret": "configSecret"
	186		}
	187		},
	188		"resources": {
	189		"cpus": 1,
	190		"mem": 50.0
	191		}
	192		}],
	193		"secrets": {
	194		"configSecret": {
	195		"source": "/config"
	196		}
	197		}
	198		}
	199		```
	200
	201		For further details, please refer
	202		to [Configuration of Docker images with Mesos containerizer]({{ site.baseurl }}/docs/native-docker.html).
162	203
163	204		## Create and Manage Pods
164	205
165	206		Use the `/v2/pods/` endpoint to create and manage your pods. [See the full API spec]({{ site.baseurl }}/docs/generated/api.html#v2_pods).
166	207
167	208		### Create
168	209
169	210		```bash
▲ Show 20 Lines • Show All 402 Lines • Show Last 20 Lines

View Options

docs/docs/rest-api/public/api/v2/schema/AppDefinition.json

Show First 20 Lines • Show All 133 Lines • ▼ Show 20 Line(s)
134	134		"container": {
135	135		"additionalProperties": false,
136	136		"properties": {
137	137		"docker": {
138	138		"additionalProperties": false,
139	139		"properties": {
140	140		"credential": {
141	141		"type": "object",
142			"description": "Credential to authenticate with the docker registry.",
	142		"description": "Credential to authenticate with the docker registry. It is deprecated since Marathon v1.5",
		jdefUnsubmitted Done please add some text indicating that `credential` is `DEPRECATED`
143	143		"additionalProperties": false,
144	144		"properties": {
145	145		"principal": {
146	146		"type": "string",
147	147		"description": "Principal to authenticate with the docker registry."
148	148		},
149	149		"secret": {
150	150		"type": "string",
151	151		"description": "Secret to authenticate with the docker registry."
152	152		}
153	153		},
154	154		"required": [ "principal" ]
	155		},
	156		"pullConfig": {
		jdefUnsubmitted Done EE? secrets API is OSS
	157		"type": "object",
	158		"description": "Docker's config.json",
	159		"additionalProperties": false,
	160		"properties": {
	161		"secret" : {
	162		"type": "string",
	163		"description": "A secret whose value is a stringified JSON object in a Secret Store.",
	164		"minLength": 1
	165		}
	166		},
	167		"required": [ "secret" ]
155	168		},
156	169		"forcePullImage": {
157	170		"type": "boolean",
158	171		"description": "The container will be pulled, regardless if it is already available on the local system."
159	172		},
160	173		"image": {
161	174		"type": "string",
162	175		"minLength": 1,
▲ Show 20 Lines • Show All 669 Lines • Show Last 20 Lines

View Options

docs/docs/rest-api/public/api/v2/types/appContainer.raml

1	1		#%RAML 1.0 Library
2	2		uses:
3	3		label: label.raml
4	4		numbers: numberTypes.raml
5	5		volumes: volumes.raml
6	6		strings: stringTypes.raml
7	7		pragma: pragma.raml
	8		docker: docker.raml
8	9
9	10		types:
10	11		EngineType:
11	12		type: string
12	13		enum: [MESOS, DOCKER]
13	14		description: \|
14	15		Container engine type. Supported engine types at the moment are DOCKER and MESOS.
15	16		DockerCredentials:
		jdefUnsubmitted Done this should be deprecated not removed
		jdefUnsubmitted Done please indicate that this type is deprecated and should no longer be used
		jdefUnsubmitted Not Done ???
		jdefUnsubmitted Not Done ???
16	17		type: object
	18		(pragma.deprecated): Deprecated since v1.5
17	19		description: Credential to authenticate with the docker registry
18	20		properties:
19	21		principal:
20	22		type: string
21	23		description: Principal to authenticate with the docker registry
22	24		secret?:
23	25		type: string
24	26		description: Secret to authenticate with the docker registry
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Line(s)
104	106		List of the container networks associated with this mapping. If
105	107		absent, then this mapping is associated with all defined container
106	108		networks (for this application). A single item list is mandatory when
107	109		`hostPort` is specified and multiple container networks are defined.
108	110		(pragma.omitEmpty):
109	111		DockerContainer:
110	112		type: object
111	113		properties:
112	114		credential?:
		jdefUnsubmitted Not Done add `(pragma.deprecated)` instead of removing
113	115		type: DockerCredentials
114	116		description: \|
115	117		The credentials to fetch this container.
116	118		Please note: this property is supported only with the Mesos containerizer, not the docker containerizer.
	119		(pragma.deprecated): Deprecated in favor of pullConfig
		jdefUnsubmitted Done s/config/pullConfig/
		jdefUnsubmitted Done i'm looking for "Deprecated in favor of `pullConfig`"
		jdefUnsubmitted Not Done ???
	120		pullConfig?:
	121		type: docker.DockerPullConfig
	122		description: \|
		jdefUnsubmitted Done please add a note here indicating that this field is NOT to be used with the docker containerizer
	123		Docker's config.json given as a secret name into a secret store
	124		which corresponding value is a content of `~/.docker/config.json`.
	125		It is supported only with Mesos containerizer.
		jdefUnsubmitted Done ditto, API is not EE
117	126		forcePullImage?:
118	127		type: boolean
119	128		description: \|
120	129		The container will be pulled, regardless if it is already available on
121	130		the local system.
122	131		default: false
123	132		image:
124	133		type: string
▲ Show 20 Lines • Show All 62 Lines • Show Last 20 Lines

View Options

docs/docs/rest-api/public/api/v2/types/docker.raml

This file was added.

1		#%RAML 1.0 Library
2		uses:
3		secrets: secrets.raml
4
5		types:
6		DockerPullConfig:
7		type: object
	jdefUnsubmitted Done dislike bike-shedding on names ... but, I'm not crazy about "config" or "DockerConfig". The goal of this item isn't to "configure docker", rather it's to relay information/tokens/credentials/whatever to enable a client to pull an image from a remote server. "config" is too general and easy to abuse (like "util", "common", etc). "pullToken" / "DockerPullToken" is closer. "Token" might be a bit too specific, but I like it better than the too-general "config". We don't want to imply that users should be editing their docker config files, removing any non-authn fields because who knows how the `docker run` client impl will actually validate the contents of a docker configuration file at runtime - it might want fields non-essential for pulling images simply because docker isn't taking our use case in mind. So .. in the end I don't like this "token" based name better than config because it's misleading as to the actual (likely) contents of the blob. "pullConfig" / "ImagePullConfig" is the name best alternative name that I can think of. Though I'm still not crazy about it, I do think it's an improvement over "config" / "DockerConfig" in that it provides clarity w/ regard to intent (pulling images) and to content (yes, it's actually supposed to reference a config blob). Also "ImagePullConfig" would let us reuse this object type for other kinds of image registries that require credentials/tokens/whatever (some future appc image registry that UCR can securely pull images from). Are there better names out there?
8		properties:
9		secret:
10		type: string
11		minLength: 1
12		description: \|
	jdefUnsubmitted Not Done nit: `required: true` is redundant (because it's the default). i don't think we say that many other places?
13		Docker's config.json. It should be specifed only as a secret
14		name into a secret store, and the corresponding value should be
	jdefUnsubmitted Done Product has decided to nix support for DockerConfigText (clear-text docker config in the Marathon API) for now. Please remove.
	jdefUnsubmitted Done s/can/should/
15		a stringified valid JSON object which can be found in
16		`~/.docker/config.json`.
	aquamatthiasUnsubmitted Not Done `text` is arbitrary. Perhaps `jsonString` ?
	ichernetskyAuthorUnsubmitted Not Done This is intentional. The idea is to have this property for the time being which value is passed further as is, and in the meantime in addition to it implement `json` one. How does it sound to you?

View Options

docs/docs/rest-api/public/api/v2/types/podContainer.raml

1	1		#%RAML 1.0 Library
2	2		uses:
3	3		artifacts: artifact.raml
4	4		env: environmentVariable.raml
5	5		health: healthCheck.raml
6	6		labels: label.raml
7	7		mesosCommand: mesosCommand.raml
8	8		network: network.raml
9	9		pragma: pragma.raml
10	10		resources: resources.raml
11	11		strings: stringTypes.raml
12	12		volumes: volumes.raml
13	13		containerCommons: containerCommons.raml
	14		docker: docker.raml
14	15
15	16		types:
16	17		ImageType:
17	18		type: string
18	19		enum: [DOCKER, APPC]
19	20		Image:
20	21		type: object
21	22		properties:
22	23		kind: ImageType
23	24		id:
24	25		type: strings.Path
25	26		description: address/identifier of the file system image
26	27		example: mesosphere/marathon:1.3.0
	28		pullConfig?:
		jdefUnsubmitted Done don't need to worry about a note for docker containerizer vs. mesos containerizer here since pods only support UCR
	29		type: docker.DockerPullConfig
	30		description: \|
	31		Name of a secret whose value contains a stringified
		jdefUnsubmitted Done wordsmith this a bit: "Name of a secret whose value contains a stringified Docker config.json" ?
	32		Docker config.json
		timcharperUnsubmitted Not Done Is this the best way to word it? Secret store for Marathon is pluggable
		ichernetskyAuthorUnsubmitted Not Done Would "tool to manage secrets" be better?
27	33		forcePull?:
28	34		type: boolean
29	35		description: true if the image should always be pulled
30	36		labels?:
31	37		type: labels.KVLabels
32	38		(pragma.omitEmpty):
33	39		description: \|
34	40		Used during image discovery and dependency resolution.
▲ Show 20 Lines • Show All 81 Lines • Show Last 20 Lines

View Options

project/Dependencies.scala

Show First 20 Lines • Show All 77 Lines • ▼ Show 20 Line(s)
78	78
79	79		object Dependency {
80	80		object V {
81	81		// runtime deps versions
82	82		val Aws = "1.11.128"
83	83		val Alpakka = "0.8"
84	84		val Chaos = "0.8.8"
85	85		val Guava = "19.0"
86			val Mesos = "1.2.0"
	86		val Mesos = "1.3.0-rc3"
		jeschkiesUnsubmitted Not Done Is this correct? Are we jumping to Mesos 1.4?
		ichernetskyAuthorUnsubmitted Not Done Nope, it is just the protobufs in the latest 1.3.0-SNAPSHOT are compiled with protoc 3.3.0, which causes a lot of errors and warnings, whereas the latest build from master branch has everything we need for this feature, and the protobufs are compiled with protoc 2.6.1
		jdefUnsubmitted Not Done is the plan to merge this changeset with the 1.4.0 dependency like this? I hope not. But if it is, then let's make sure we have a JIRA tracker to fix this value before we release (please link to the JIRA here and in the top-level summary)
		jdefUnsubmitted Not Done this should really be fixed before merging this changeset
		ichernetskyAuthorUnsubmitted Not Done Unfortunately, there is some experimentation with `protobuf` versions in `1.3` branch, but since `protobuf 2.6.1` is still used in `master`, and it works just fine, `1.4.0-SNAPSHOT` is used here. It will be adjusted before closing the current ticket, so that there is no need to create a new one.
		jdefUnsubmitted Not Done I've heard that there's a 1.3.0-rc1 that contains what we need?
87	87		// Version of Mesos to use in Dockerfile.
88	88		val MesosDebian = "1.2.0-2.0.6"
89	89		val OpenJDK = "openjdk:8u121-jdk"
90	90		val Akka = "2.4.18"
91	91		val AkkaHttp = "10.0.6"
92	92		val AkkaSSE = "2.0.0"
93	93		val ApacheCommonsCompress = "1.13"
94	94		val ApacheCommonsIO = "2.4"
▲ Show 20 Lines • Show All 102 Lines • Show Last 20 Lines

View Options

project/RamlGeneratorPlugin.scala

1	1	package mesosphere.raml
2	2
3		import java.io.{FileOutputStream, ObjectOutputStream}
4	3	import java.nio.charset.StandardCharsets
5	4	import java.security.MessageDigest
6	5	import java.util.Base64
7	6
8	7	import sbt._
9	8	import sbt.Keys._
10	9	import org.raml.v2.api.RamlModelBuilder
11	10	import org.yaml.snakeyaml.Yaml
▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines

View Options

project/plugins.sbt

Show All 16 Lines
17	17	addSbtPlugin("com.typesafe.sbt" % "sbt-git" % "0.8.5")
18	18	addSbtPlugin("com.typesafe.sbt" % "sbt-native-packager" % "1.1.5")
19	19	addSbtPlugin("com.sksamuel.scapegoat" %% "sbt-scapegoat" % "1.0.4")
20	20	addSbtPlugin("de.johoop" % "cpd4sbt" % "1.2.0")
21	21	addSbtPlugin("pl.project13.scala" % "sbt-jmh" % "0.2.15")
22	22	addSbtPlugin("com.typesafe.sbt" % "sbt-aspectj" % "0.10.6")
23	23	addSbtPlugin("io.get-coursier" % "sbt-coursier" % "1.0.0-M15")
24	24
25
26	25	libraryDependencies ++= Seq(
27	26	"org.raml" % "raml-parser-2" % "1.0.0",
28	27	"com.eed3si9n" %% "treehugger" % "0.4.1",
29	28	"org.slf4j" % "slf4j-nop" % "1.7.22",
30	29	"org.vafer" % "jdeb" % "1.3" artifacts Artifact("jdeb", "jar", "jar"),
31	30	"com.typesafe.play" %% "play-json" % "2.4.11"
32	31	)
33	32
34	33	sbtPlugin := true
35	34

View Options

src/main/java/mesosphere/marathon/Protos.java

This file has a very large number of changes (4,543 lines). Show File Contents

View Options

src/main/proto/README.md

1	1	# Google Protocol Buffers
2	2
3	3	Marathon is using Google [Protocol Buffers](https://developers.google.com/protocol-buffers) to marshal and unmarshal data from the persistent store.
4	4
5	5	## Dependencies
6	6
7		- Google [Protocol Buffers](https://developers.google.com/protocol-buffers) v2.5 should be installed on the system.
	7	- Google [Protocol Buffers](https://developers.google.com/protocol-buffers) v2.6.1 should be installed on the system.
8	8	- The `src/main/proto/mesos/mesos.proto` should correspond to the [Mesos](http://mesos.apache.org) library
9	9	version.
10	10
11	11	## Rebuilt the protos
12	12
13	13	To rebuild the protos, open a terminal where the current working directory is the project directory.
14	14
15	15	```
16	16	$> cd src/main/proto
17	17	$> protoc --java_out=../java/ marathon.proto
18	18	```
19

View Options

src/main/proto/marathon.proto

Show First 20 Lines • Show All 226 Lines • ▼ Show 20 Line(s)
227	227		}
228	228
229	229		// Copied from mesos.proto and adjusted to meet the needs for persistent volumes
230	230		// Extends DockerInfo.PortMapping to include `service_port`.
231	231		message ExtendedContainerInfo {
232	232
233	233		// Docker on a Docker engine
234	234		message DockerInfo {
	235		message ImagePullConfig {
	236		enum Type {
	237		SECRET = 1;
	238		}
235	239
	240		required Type type = 1;
	241
	242		// The UTF-8 character encoded byte data, which is expected as
	243		// a docker config file in JSON format. This field is used for
	244		// supporting docker private registry credential per container.
	245		// Users can specify different docker config files for pulling
	246		// their private images from different registries.
	247		optional mesos.Secret secret = 2;
	248		}
	249
236	250		required string image = 1;
237	251
238	252		// deprecated in favor of ServiceDefinition.networks since 1.5
239	253		optional mesos.ContainerInfo.DockerInfo.Network OBSOLETE_network = 2 [default = HOST];
240	254
241	255		// deprecated in favor of ExtendedContainerInfo.PortMapping,since 1.5
242	256		message ObsoleteDockerPortMapping {
243	257		optional uint32 host_port = 1;
Show All 27 Lines
271	285		// [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG\|@TYPE:DIGEST]
272	286		//
273	287		// See: https://docs.docker.com/reference/commandline/pull/
274	288		required string image = 1;
275	289
276	290		// Credential to authenticate with docker registry.
277	291		// NOTE: This is not encrypted, therefore framework and operators
278	292		// should enable SSL when passing this information.
279			optional mesos.Credential credential = 2;
	293		optional mesos.Credential deprecated_credential = 2; // Deprecated since 1.5
		jdefUnsubmitted Done it's probably not obvious or written anywhere in our documentation, but the way we've traditionally deprecated proto fields in marathon was by actually changing the name of the field. in this case it would be called `deprecated_credential`. and the comment would include a note like "Deprecated since 1.5" When we finally stop reading/writing the field (except for migrations) then the `deprecated_` prefix changes to `OBSOLETE_` (or something like that)
		jdefUnsubmitted Done please include a comment "deprecated since 1.5"
280	294
281	295		// With this flag set to true, the universal Mesos containerizer will
282	296		// pull the docker image from the registry even if the image
283	297		// is already downloaded on the agent.
284	298		optional bool force_pull_image = 3;
	299
	300		// Docker config.json which is used when pulling Docker images.
	301		optional DockerInfo.ImagePullConfig pull_config = 4;
285	302		}
286	303
287	304		// AppC on the universal Mesos engine
288	305		message MesosAppCInfo {
		jdefUnsubmitted Done two points: (1) ditto w/ respect to bike-shedding on the same. `pull_config` is probably more clear, but I'm open to suggestions (2) please create a wrapper for this instead of assuming that image pull config will always be a secret, something like: message ImagePullConfig { optional mesos.Secret secret = 1; } ... optional ImagePullConfig pull_config = 4;
289	306		// The name of the image.
290	307		required string image = 1;
291	308
292	309		// An image ID is a string of the format "hash-value", where
293	310		// "hash" is the hash algorithm used and "value" is the hex
294	311		// encoded string of the digest. Currently the only permitted
295	312		// hash algorithm is sha512.
296	313		optional string id = 2;
▲ Show 20 Lines • Show All 177 Lines • Show Last 20 Lines

View Options

src/main/proto/mesos/mesos.proto

1	1		// Licensed to the Apache Software Foundation (ASF) under one
2	2		// or more contributor license agreements. See the NOTICE file
3	3		// distributed with this work for additional information
4	4		// regarding copyright ownership. The ASF licenses this file
5	5		// to you under the Apache License, Version 2.0 (the
6	6		// "License"); you may not use this file except in compliance
7	7		// with the License. You may obtain a copy of the License at
8	8		//
9	9		// http://www.apache.org/licenses/LICENSE-2.0
10	10		//
11	11		// Unless required by applicable law or agreed to in writing, software
12	12		// distributed under the License is distributed on an "AS IS" BASIS,
13	13		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14	14		// See the License for the specific language governing permissions and
15	15		// limitations under the License.
16	16
	17		syntax = "proto2";
		jdefUnsubmitted Not Done what version of mesos is this file from? I hope it's the same version (1.3) that we intend to launch with on DC/OS 1.10. If that's not the case, why? (and ... can we have a JIRA (if needed) to track the task of actually using the the mesos-1.3.0 protos?)
		jdefUnsubmitted Not Done ??
		ichernetskyAuthorUnsubmitted Not Done It is from 1.3 branch, but it is (was) identical to the one in master at the time.
	18
17	19		package mesos;
18	20
19	21		option java_package = "org.apache.mesos";
20	22		option java_outer_classname = "Protos";
21	23
22	24
23	25		/**
24	26		* Status is used to indicate the state of the scheduler and executor
▲ Show 20 Lines • Show All 64 Lines • ▼ Show 20 Line(s)
89	91		*/
90	92		message ContainerID {
91	93		required string value = 1;
92	94		optional ContainerID parent = 2;
93	95		}
94	96
95	97
96	98		/**
	99		* A unique ID assigned to a resource provider. Currently, a resource
	100		* provider gets a new ID whenever it (re)registers with Mesos.
	101		*/
	102		message ResourceProviderID {
	103		required string value = 1;
	104		}
	105
	106
	107		/**
97	108		* Represents time since the epoch, in nanoseconds.
98	109		*/
99	110		message TimeInfo {
100	111		required int64 nanoseconds = 1;
101
102			// TODO(josephw): Add time zone information, if necessary.
103	112		}
104	113
105	114
106	115		/**
107	116		* Represents duration in nanoseconds.
108	117		*/
109	118		message DurationInfo {
110	119		required int64 nanoseconds = 1;
▲ Show 20 Lines • Show All 137 Lines • ▼ Show 20 Line(s)
248	257		// Roles are the entities to which allocations are made.
249	258		// The framework must have at least one role in order to
250	259		// be offered resources. Note that `role` is deprecated
251	260		// in favor of `roles` and only one of these fields must
252	261		// be used. Since we cannot distinguish between empty
253	262		// `roles` and the default unset `role`, we require that
254	263		// frameworks set the `MULTI_ROLE` capability if
255	264		// setting the `roles` field.
256			//
257			// NOTE: The implmentation for supporting `roles`
258			// is not complete, DO NOT USE the `roles` field.
259	265		optional string role = 6 [default = "*", deprecated=true];
260			repeated string roles = 12; // EXPERIMENTAL.
	266		repeated string roles = 12;
		jdefUnsubmitted Not Done oooh, this is coming in mesos 1.3?
		ichernetskyAuthorUnsubmitted Not Done Yes. https://github.com/apache/mesos/blob/1.3.x/include/mesos/mesos.proto#L266
261	267
262	268		// Used to indicate the current host from which the scheduler is
263	269		// registered in the Mesos Web UI. If set to an empty string Mesos
264	270		// will automagically set it to the current hostname if one is
265	271		// available.
266	272		optional string hostname = 7;
267	273
268	274		// This field should match the credential's principal the framework
▲ Show 20 Lines • Show All 98 Lines • ▼ Show 20 Line(s)
367	373		*
368	374		* NOTE: This API is unstable and the related feature is experimental.
369	375		*/
370	376		message CheckInfo {
371	377		enum Type {
372	378		UNKNOWN = 0;
373	379		COMMAND = 1;
374	380		HTTP = 2;
	381		TCP = 3;
375	382
376			// TODO(alexr): Consider supporting TCP checks and custom user checks.
377			// The latter should probably be paired with a `data` field and
378			// complemented by a `data` response in `CheckStatusInfo`.
	383		// TODO(alexr): Consider supporting custom user checks. They should
	384		// probably be paired with a `data` field and complemented by a
	385		// `data` response in `CheckStatusInfo`.
379	386		}
380	387
381	388		// Describes a command check. If applicable, enters mount and/or network
382	389		// namespaces of the task.
383	390		message Command {
384	391		required CommandInfo command = 1;
385	392		}
386	393
Show All 12 Lines
399	406
400	407		// TODO(alexr): Add support for custom HTTP headers.
401	408
402	409		// TODO(alexr): Consider adding an optional message to describe TLS
403	410		// options and thus enabling https. Such message might contain certificate
404	411		// validation, TLS version.
405	412		}
406	413
	414		// Describes a TCP check, i.e. based on establishing a TCP connection to
	415		// the specified port. Note that <host> is not configurable and is resolved
	416		// automatically to 127.0.0.1.
	417		message Tcp {
	418		required uint32 port = 1;
	419		}
	420
407	421		// The type of the check.
408	422		optional Type type = 1;
409	423
410	424		// Command check.
411	425		optional Command command = 2;
412	426
413	427		// HTTP check.
414	428		optional Http http = 3;
415	429
	430		// TCP check.
	431		optional Tcp tcp = 7;
	432
416	433		// Amount of time to wait to start checking the task after it
417	434		// transitions to `TASK_RUNNING` or `TASK_STARTING` if the latter
418	435		// is used by the executor.
419	436		optional double delay_seconds = 4 [default = 15.0];
420	437
421	438		// Interval between check attempts, i.e., amount of time to wait after
422	439		// the previous check finished or timed out to start the next check.
423	440		optional double interval_seconds = 5 [default = 10.0];
▲ Show 20 Lines • Show All 438 Lines • ▼ Show 20 Line(s)
862	879		optional Value.Scalar scalar = 3;
863	880		optional Value.Ranges ranges = 4;
864	881		optional Value.Set set = 6;
865	882		optional Value.Text text = 5;
866	883		}
867	884
868	885
869	886		/**
870			* Describes a resource on a machine. The `name` field is a string
871			* like "cpus" or "mem" that indicates which kind of resource this is;
872			* the rest of the fields describe the properties of the resource. A
873			* resource can take on one of three types: scalar (double), a list of
874			* finite and discrete ranges (e.g., [1-10, 20-30]), or a set of
875			* items. A resource is described using the standard protocol buffer
876			* "union" trick.
	887		* Describes a resource from a resource provider. The `name` field is
	888		* a string like "cpus" or "mem" that indicates which kind of resource
	889		* this is; the rest of the fields describe the properties of the
	890		* resource. A resource can take on one of three types: scalar
	891		* (double), a list of finite and discrete ranges (e.g., [1-10,
	892		* 20-30]), or a set of items. A resource is described using the
	893		* standard protocol buffer "union" trick.
877	894		*
878	895		* Note that "disk" and "mem" resources are scalar values expressed in
879	896		* megabytes. Fractional "cpus" values are allowed (e.g., "0.5"),
880	897		* which correspond to partial shares of a CPU.
881	898		*/
882	899		message Resource {
	900		optional ResourceProviderID provider_id = 12;
	901
883	902		required string name = 1;
884	903		required Value.Type type = 2;
885	904		optional Value.Scalar scalar = 3;
886	905		optional Value.Ranges ranges = 4;
887	906		optional Value.Set set = 5;
888	907
889	908		// The role that this resource is reserved for. If "*", this indicates
890	909		// that the resource is unreserved. Otherwise, the resource will only
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Line(s)
978	997		// task/executor terminates. Currently, if 'persistence' is set,
979	998		// 'volume' must be set.
980	999		optional Volume volume = 2;
981	1000
982	1001		// Describes where a disk originates from.
983	1002		// TODO(jmlvanre): Add support for BLOCK devices.
984	1003		message Source {
985	1004		enum Type {
	1005		UNKNOWN = 0;
986	1006		PATH = 1;
987	1007		MOUNT = 2;
988	1008		}
989	1009
990	1010		// A folder that can be located on a separate disk device. This
991	1011		// can be shared and carved up as necessary between frameworks.
992	1012		message Path {
993	1013		// Path to the folder (e.g., /mnt/raid/disk0).
994			required string root = 1;
	1014		optional string root = 1;
		timcharperUnsubmitted Not Done can you help me understand why this was changed? These fields are definitely not optional in the context for which they're used :)
		ichernetskyAuthorUnsubmitted Not Done I have no idea. It was changed in upstream (`mesos.proto`)
		jdefUnsubmitted Not Done changed in preparation of the upcoming support for mesos local/external resource providers and initial CSI support: https://github.com/apache/mesos/commit/5660d7633280bf592b12eeed88c4ebadb33f44c5
995	1015		}
996	1016
997	1017		// A mounted file-system set up by the Agent administrator. This
998	1018		// can only be used exclusively: a framework cannot accept a
999	1019		// partial amount of this disk.
1000	1020		message Mount {
1001	1021		// Path to mount point (e.g., /mnt/raid/disk0).
1002			required string root = 1;
	1022		optional string root = 1;
		timcharperUnsubmitted Done ditto :)
1003	1023		}
1004	1024
1005	1025		required Type type = 1;
1006	1026		optional Path path = 2;
1007	1027		optional Mount mount = 3;
1008	1028		}
1009	1029
1010	1030		optional Source source = 3;
Show All 16 Lines
1027	1047
1028	1048		// If this is set, the resources are shared, i.e. multiple tasks
1029	1049		// can be launched using this resource and all of them shall refer
1030	1050		// to the same physical resource on the cluster. Note that only
1031	1051		// persistent volumes can be shared currently.
1032	1052		optional SharedInfo shared = 10;
1033	1053		}
1034	1054
	1055
1035	1056		/**
1036	1057		* When the network bandwidth caps are enabled and the container
1037	1058		* is over its limit, outbound packets may be either delayed or
1038	1059		* dropped completely either because it exceeds the maximum bandwidth
1039	1060		* allocation for a single container (the cap) or because the combined
1040	1061		* network traffic of multiple containers on the host exceeds the
1041	1062		* transmit capacity of the host (the share). We can report the
1042	1063		* following statistics for each of these conditions exported directly
▲ Show 20 Lines • Show All 116 Lines • ▼ Show 20 Line(s)
1159	1180		message SNMPStatistics {
1160	1181		optional IpStatistics ip_stats = 1;
1161	1182		optional IcmpStatistics icmp_stats = 2;
1162	1183		optional TcpStatistics tcp_stats = 3;
1163	1184		optional UdpStatistics udp_stats = 4;
1164	1185		}
1165	1186
1166	1187
	1188		message DiskStatistics {
	1189		optional Resource.DiskInfo.Source source = 1;
	1190		optional Resource.DiskInfo.Persistence persistence = 2;
	1191		optional uint64 limit_bytes = 3;
	1192		optional uint64 used_bytes = 4;
	1193		}
	1194
	1195
1167	1196		/**
1168	1197		* A snapshot of resource usage statistics.
1169	1198		*/
1170	1199		message ResourceStatistics {
1171	1200		required double timestamp = 1; // Snapshot time, in seconds since the Epoch.
1172	1201
1173	1202		optional uint32 processes = 30;
1174	1203		optional uint32 threads = 31;
▲ Show 20 Lines • Show All 58 Lines • ▼ Show 20 Line(s)
1233	1262		optional uint64 mem_low_pressure_counter = 32;
1234	1263		optional uint64 mem_medium_pressure_counter = 33;
1235	1264		optional uint64 mem_critical_pressure_counter = 34;
1236	1265
1237	1266		// Disk Usage Information for executor working directory.
1238	1267		optional uint64 disk_limit_bytes = 26;
1239	1268		optional uint64 disk_used_bytes = 27;
1240	1269
	1270		// Per disk (resource) statistics.
	1271		repeated DiskStatistics disk_statistics = 43;
	1272
1241	1273		// Perf statistics.
1242	1274		optional PerfStatistics perf = 13;
1243	1275
1244	1276		// Network Usage Information:
1245	1277		optional uint64 net_rx_packets = 14;
1246	1278		optional uint64 net_rx_bytes = 15;
1247	1279		optional uint64 net_rx_errors = 16;
1248	1280		optional uint64 net_rx_dropped = 17;
▲ Show 20 Lines • Show All 482 Lines • ▼ Show 20 Line(s)
1731	1763		* `command` or `http` must be set. If the result of the check is not available
1732	1764		* (e.g., the check timed out), these fields must contain empty messages, i.e.,
1733	1765		* `exit_code` or `status_code` will be unset.
1734	1766		*
1735	1767		* NOTE: This API is unstable and the related feature is experimental.
1736	1768		*/
1737	1769		message CheckStatusInfo {
1738	1770		message Command {
1739			// Exit code of a command check.
	1771		// Exit code of a command check. It is the result of calling
	1772		// `WEXITSTATUS()` on `waitpid()` termination information on
	1773		// Posix and calling `GetExitCodeProcess()` on Windows.
1740	1774		optional int32 exit_code = 1;
1741	1775		}
1742	1776
1743	1777		message Http {
1744	1778		// HTTP status code of an HTTP check.
1745	1779		optional uint32 status_code = 1;
1746	1780		}
1747	1781
	1782		message Tcp {
	1783		// Whether a TCP connection succeeded.
	1784		optional bool succeeded = 1;
	1785		}
	1786
1748	1787		// TODO(alexr): Consider adding a `data` field, which can contain, e.g.,
1749	1788		// truncated stdout/stderr output for command checks or HTTP response body
1750	1789		// for HTTP checks. Alternatively, it can be an even shorter `message` field
1751	1790		// containing the last line of stdout or Reason-Phrase of the status line of
1752	1791		// the HTTP response.
1753	1792
1754	1793		// The type of the check this status corresponds to.
1755	1794		optional CheckInfo.Type type = 1;
1756	1795
1757	1796		// Status of a command check.
1758	1797		optional Command command = 2;
1759	1798
1760	1799		// Status of an HTTP check.
1761	1800		optional Http http = 3;
1762	1801
	1802		// Status of a TCP check.
	1803		optional Tcp tcp = 4;
	1804
1763	1805		// TODO(alexr): Consider introducing a "last changed at" timestamp, since
1764	1806		// task status update's timestamp may not correspond to the last check's
1765	1807		// state, e.g., for reconciliation.
1766	1808
1767	1809		// TODO(alexr): Consider introducing a `reason` enum here to explicitly
1768	1810		// distinguish between completed, delayed, and timed out checks.
1769	1811		}
1770	1812
▲ Show 20 Lines • Show All 120 Lines • ▼ Show 20 Line(s)
1891	1933		// includes unused resources sooner or later than the default).
1892	1934		optional double refuse_seconds = 1 [default = 5.0];
1893	1935		}
1894	1936
1895	1937
1896	1938		/**
1897	1939		* Describes a collection of environment variables. This is used with
1898	1940		* CommandInfo in order to set environment variables before running a
1899			* command.
	1941		* command. The contents of each variable may be specified as a string
	1942		* or a Secret; only one of `value` and `secret` must be set.
1900	1943		*/
1901	1944		message Environment {
1902	1945		message Variable {
1903	1946		required string name = 1;
1904			// NOTE: The `value` field was made optional in Mesos 1.2 but it
1905			// is currently enforced to be set. This constraint will be
1906			// removed in a future version.
	1947
	1948		enum Type {
	1949		UNKNOWN = 0;
	1950		VALUE = 1;
	1951		SECRET = 2;
	1952		}
	1953
	1954		// In Mesos 1.2, the `Environment.variables.value` message was made
	1955		// optional. The default type for `Environment.variables.type` is now VALUE,
	1956		// which requires `value` to be set, maintaining backward compatibility.
	1957		//
	1958		// TODO(greggomann): The default can be removed in Mesos 2.1 (MESOS-7134).
	1959		optional Type type = 3 [default = VALUE];
	1960
	1961		// Only one of `value` and `secret` must be set.
1907	1962		optional string value = 2;
	1963		optional Secret secret = 4;
1908	1964		}
1909	1965
1910	1966		repeated Variable variables = 1;
1911	1967		}
1912	1968
1913	1969
1914	1970		/**
1915	1971		* A generic (key, value) pair used in various places for parameters.
Show All 33 Lines
1949	2005		* 'principal' and 'secret' respectively), etc.
1950	2006		*/
1951	2007		message Credentials {
1952	2008		repeated Credential credentials = 1;
1953	2009		}
1954	2010
1955	2011
1956	2012		/**
	2013		* Secret used to pass privileged information. It is designed to provide
	2014		* pass-by-value or pass-by-reference semantics, where the REFERENCE type can be
	2015		* used by custom modules which interact with a secure back-end.
	2016		*/
	2017		message Secret
	2018		{
	2019		enum Type {
	2020		UNKNOWN = 0;
	2021		REFERENCE = 1;
	2022		VALUE = 2;
	2023		}
	2024
	2025		// Can be used by modules to refer to a secret stored in a secure back-end.
	2026		// The `key` field is provided to permit reference to a single value within a
	2027		// secret containing arbitrary key-value pairs.
	2028		//
	2029		// For example, given a back-end secret store with a secret named
	2030		// "my-secret" containing the following key-value pairs:
	2031		//
	2032		// {
	2033		// "username": "my-user",
	2034		// "password": "my-password
	2035		// }
	2036		//
	2037		// the username could be referred to in a `Secret` by specifying
	2038		// "my-secret" for the `name` and "username" for the `key`.
	2039		message Reference
	2040		{
	2041		required string name = 1;
	2042		optional string key = 2;
	2043		}
	2044
	2045		// Used to pass the value of a secret.
	2046		message Value
	2047		{
	2048		required bytes data = 1;
	2049		}
	2050
	2051		optional Type type = 1;
	2052
	2053		// Only one of `reference` and `value` must be set.
	2054		optional Reference reference = 2;
	2055		optional Value value = 3;
	2056		}
	2057
	2058
	2059		/**
1957	2060		* Rate (queries per second, QPS) limit for messages from a framework to master.
1958	2061		* Strictly speaking they are the combined rate from all frameworks of the same
1959	2062		* principal.
1960	2063		*/
1961	2064		message RateLimit {
1962	2065		// Leaving QPS unset gives it unlimited rate (i.e., not throttled),
1963	2066		// which also implies unlimited capacity.
1964	2067		optional double qps = 1;
▲ Show 20 Lines • Show All 63 Lines • ▼ Show 20 Line(s)
2028	2131		// [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG\|@TYPE:DIGEST]
2029	2132		//
2030	2133		// See: https://docs.docker.com/reference/commandline/pull/
2031	2134		required string name = 1;
2032	2135
2033	2136		// Credential to authenticate with docker registry.
2034	2137		// NOTE: This is not encrypted, therefore framework and operators
2035	2138		// should enable SSL when passing this information.
2036			optional Credential credential = 2;
	2139		//
	2140		// This is field is never used in Mesos before and is deprecated
	2141		// since Mesos 1.3. Please use the `Secret::Value` field `config`
	2142		// below (see MESOS-7088 for details).
	2143		optional Credential credential = 2 [deprecated = true]; // Since 1.3.
	2144
	2145		// The UTF-8 character encoded byte data, which is expected as
	2146		// a docker config file in JSON format. This field is used for
	2147		// supporting docker private registry credential per container.
	2148		// Users can specify different docker config files for pulling
	2149		// their private images from different registries.
	2150		optional Secret config = 3;
2037	2151		}
2038	2152
2039	2153		required Type type = 1;
2040	2154
2041	2155		// Only one of the following image messages should be set to match
2042	2156		// the type.
2043	2157		optional Appc appc = 2;
2044	2158		optional Docker docker = 3;
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Line(s)
2087	2201		// ensure that if 'type' is not set, the default value
2088	2202		// is UNKNOWN. This enables enum values to be added
2089	2203		// in a backwards-compatible way. See: MESOS-4997.
2090	2204		UNKNOWN = 0;
2091	2205
2092	2206		// TODO(gyliu513): Add HOST_PATH and IMAGE as volume source type.
2093	2207		DOCKER_VOLUME = 1;
2094	2208		SANDBOX_PATH = 2;
	2209		SECRET = 3;
2095	2210		}
2096	2211
2097	2212		message DockerVolume {
2098	2213		// Driver of the volume, it can be flocker, convoy, raxrey etc.
2099	2214		optional string driver = 1;
2100	2215
2101	2216		// Name of the volume.
2102	2217		required string name = 2;
Show All 26 Lines
2129	2244
2130	2245		// The following specifies the source of this volume. At most one of
2131	2246		// the following should be set.
2132	2247
2133	2248		// The source of the volume created by docker volume driver.
2134	2249		optional DockerVolume docker_volume = 2;
2135	2250
2136	2251		optional SandboxPath sandbox_path = 3;
	2252
	2253		// The volume/secret isolator uses the secret-fetcher module (third-party or
	2254		// internal) downloads the secret and makes it available at container_path.
	2255		optional Secret secret = 4;
2137	2256		}
2138	2257
2139	2258		optional Source source = 5;
2140	2259		}
2141	2260
2142	2261
2143	2262		/**
2144	2263		* Describes a network request from a framework as well as network resolution
▲ Show 20 Lines • Show All 482 Lines • ▼ Show 20 Line(s)
2627	2746		// definition on all systems and is portable.
2628	2747		optional uint32 mode = 5;
2629	2748
2630	2749		// User ID of owner.
2631	2750		optional string uid = 6;
2632	2751
2633	2752		// Group ID of owner.
2634	2753		optional string gid = 7;
	2754		}
	2755
	2756
	2757		/**
	2758		* Describes information abount a device.
	2759		*/
	2760		message Device {
	2761		required string path = 1;
	2762		}
	2763
	2764
	2765		/**
	2766		* Describes a device whitelist entry that expose from host to container.
	2767		*/
	2768		message DeviceAccess {
	2769		message Access {
	2770		optional bool read = 1;
	2771		optional bool write = 2;
	2772		optional bool mknod = 3;
	2773		}
	2774		required Device device = 1;
	2775		required Access access = 2;
	2776		}
	2777
	2778
	2779		message DeviceWhitelist {
	2780		repeated DeviceAccess allowed_devices = 1;
2635	2781		}

View Options

src/main/scala/mesosphere/marathon/api/serialization/ContainerSerializer.scala

Show First 20 Lines • Show All 319 Lines • ▼ Show 20 Line(s)
320	320		def toMesos(credential: Container.Credential): mesos.Protos.Credential = {
321	321		val builder = mesos.Protos.Credential.newBuilder
322	322		.setPrincipal(credential.principal)
323	323		credential.secret.foreach(builder.setSecret)
324	324		builder.build
325	325		}
326	326		}
327	327
	328		object DockerPullConfigSerializer {
	329		def fromProto(pullConfig: Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig): Container.DockerPullConfig = {
	330		pullConfig.when(_.getType == Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig.Type.SECRET, _ => {
		timcharperUnsubmitted Done have you seen mesosphere.mesos.protos.Implicits ? you can write secret.when(_.hasType, _.getType).flatMap { case mesos.Protos.Secret.Type.VALUE => secret.when(_.hasValue, _.getValue.getData.toStringUtf8) case mesos.Protos.Secret.Type.REFERENCE => secret.when(_.hasReference _.getReference.getName) }.map(Container.DockerConfig(_)) What you wrote is fine and has certainly has less allocations :) Might be worth considering, though, if you like it. See NetworkConversion.scala for more examples
		ichernetskyAuthorUnsubmitted Not Done Thanks, Tim. Yes, I saw it, but frankly didn't memorize everything in it.
	331		pullConfig.when(_.hasSecret, _.getSecret).flatMap { secret =>
	332		secret.when(_.hasType, _.getType).flatMap {
	333		case mesos.Protos.Secret.Type.REFERENCE =>
		zen-dogUnsubmitted Done Only secret references in 1.10
		jdefUnsubmitted Done I'd be tempted to throw a SerializationFailedException here instead of swallowing unsupported types: case unsupported => throw SerializationFailedException(s"unsupported secret type: $unsupported")
	334		secret.when(_.hasReference, _.getReference.getName).map(Container.DockerPullConfig)
	335		case _ => None
	336		}
	337		}
	338		}).flatten match {
	339		case Some(deserializedPullConfig) => deserializedPullConfig
	340		case _ =>
	341		throw SerializationFailedException(s"Failed to deserialize a docker pull config: $pullConfig")
		jdefUnsubmitted Done nit: should not need `new` here
	342		}
	343		}
		zen-dogUnsubmitted Done Same here and below...
	344
	345		def toProto(pullConfig: Container.DockerPullConfig): Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig = pullConfig match {
	346		case Container.DockerPullConfig(secret) =>
	347		val builder = Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig.newBuilder
	348		builder.setType(Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig.Type.SECRET)
	349		val secretProto = SecretSerializer.toSecretReference(secret)
	350		builder.setSecret(secretProto)
	351		builder.build
	352		}
	353
	354		def toMesos(pullConfig: Container.DockerPullConfig): mesos.Protos.Secret = pullConfig match {
	355		case Container.DockerPullConfig(secret) =>
	356		SecretSerializer.toSecretReference(secret)
	357		}
	358		}
	359
328	360		object MesosDockerSerializer {
329	361		def fromProto(proto: Protos.ExtendedContainerInfo): Container.MesosDocker = {
330	362		val d = proto.getMesosDocker
331	363		val pms = proto.getPortMappingsList
332	364		Container.MesosDocker(
333	365		volumes = proto.getVolumesList.map(Volume(_))(collection.breakOut),
334	366		portMappings = pms.map(PortMappingSerializer.fromProto)(collection.breakOut),
335	367		image = d.getImage,
336			credential = if (d.hasCredential) Some(CredentialSerializer.fromMesos(d.getCredential)) else None,
	368		credential = if (d.hasDeprecatedCredential) Some(CredentialSerializer.fromMesos(d.getDeprecatedCredential)) else None,
	369		pullConfig = if (d.hasPullConfig) Some(DockerPullConfigSerializer.fromProto(d.getPullConfig)) else None,
337	370		forcePullImage = if (d.hasForcePullImage) d.getForcePullImage else false
338	371		)
339	372		}
340	373
341	374		def toProto(docker: Container.MesosDocker): Protos.ExtendedContainerInfo.MesosDockerInfo = {
342	375		val builder = Protos.ExtendedContainerInfo.MesosDockerInfo.newBuilder
343	376		.setImage(docker.image)
344	377		.setForcePullImage(docker.forcePullImage)
345	378
346	379		docker.credential.foreach { credential =>
347			builder.setCredential(CredentialSerializer.toMesos(credential))
	380		builder.setDeprecatedCredential(CredentialSerializer.toMesos(credential))
348	381		}
	382		docker.pullConfig.foreach { pullConfig =>
	383		builder.setPullConfig(DockerPullConfigSerializer.toProto(pullConfig))
	384		}
349	385
350	386		builder.build
351	387		}
352	388
353	389		def toMesos(container: Container.MesosDocker): mesos.Protos.ContainerInfo.MesosInfo = {
354	390		val dockerBuilder = mesos.Protos.Image.Docker.newBuilder
355	391		.setName(container.image)
356	392
357	393		container.credential.foreach { credential =>
358	394		dockerBuilder.setCredential(CredentialSerializer.toMesos(credential))
	395		}
	396		container.pullConfig.foreach { pullConfig =>
	397		dockerBuilder.setConfig(DockerPullConfigSerializer.toMesos(pullConfig))
		aquamatthiasUnsubmitted Done Please add a test for: val app = AppDefinitionWithDockerSecret val roundtrip = app -> toProto -> fromProto roundtrip == app
		ichernetskyAuthorUnsubmitted Not Done Done.
359	398		}
360	399
361	400		val imageBuilder = mesos.Protos.Image.newBuilder
362	401		.setType(mesos.Protos.Image.Type.DOCKER)
363	402		.setDocker(dockerBuilder)
364	403		.setCached(!container.forcePullImage)
365	404
366	405		mesos.Protos.ContainerInfo.MesosInfo.newBuilder.setImage(imageBuilder).build
▲ Show 20 Lines • Show All 42 Lines • Show Last 20 Lines

View Options

src/main/scala/mesosphere/marathon/api/serialization/SecretSerializer.scala

This file was added.

	1		package mesosphere.marathon
	2		package api.serialization
	3
	4		import org.apache.mesos.{ Protos => mesos }
	5
	6		object SecretSerializer {
	7		def toSecretReference(secret: String): mesos.Secret = {
	8		val builder = mesos.Secret.newBuilder
	9		builder.setType(mesos.Secret.Type.REFERENCE)
	10		val referenceBuilder = mesos.Secret.Reference.newBuilder
	11		referenceBuilder.setName(secret)
	12		builder.setReference(referenceBuilder)
	13		builder.build
	14		}
	15		}

View Options

src/main/scala/mesosphere/marathon/api/v2/validation/AppValidation.scala

Show First 20 Lines • Show All 46 Lines • ▼ Show 20 Line(s)
47	47		portMappings is portMappingsIndependentOfNetworks
48	48		portMappings is every(portMappingIsCompatibleWithNetworks(networks))
49	49		portMappings is every(portMappingNetworkNameValidator(networks.flatMap(_.name)))
50	50		}
51	51
52	52		def dockerDockerContainerValidator(networks: Seq[Network]): Validator[Container] = {
53	53		val validDockerEngineSpec: Validator[DockerContainer] = validator[DockerContainer] { docker =>
54	54		docker.image is notEmpty
	55		docker.pullConfig is isTrue("pullConfig is not supported with Docker containerizer")(_.isEmpty)
		jdefUnsubmitted Done i don't see a validation test case for this. is it there and missed it? if not, please add one
55	56		docker.portMappings is valid(optional(portMappingsValidator(networks)))
56	57		}
57	58		validator { (container: Container) =>
58	59		container.docker is definedAnd(validDockerEngineSpec)
59	60		}
60	61		}
61	62
62			val mesosDockerContainerValidator: Validator[Container] = {
	63		def mesosDockerContainerValidator(secrets: Map[String, SecretDef]): Validator[Container] = {
	64		val validPullConfigSpec: Validator[DockerPullConfig] =
	65		isTrue("pullConfig.secret must refer to an existing secret")(
	66		config => secrets.contains(config.secret))
63	67		val validMesosEngineSpec: Validator[DockerContainer] = validator[DockerContainer] { docker =>
64	68		docker.image is notEmpty
	69		docker.pullConfig is optional(valid(validPullConfigSpec))
65	70		}
66			validator{ (container: Container) =>
	71		validator { (container: Container) =>
67	72		container.docker is valid(definedAnd(validMesosEngineSpec))
68	73		}
69	74		}
70	75
71	76		val mesosAppcContainerValidator: Validator[Container] = {
72	77		val prefix = "sha512-"
73	78
74	79		val validId: Validator[String] =
▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Line(s)
116	121		(container.docker, container.appc, container.`type`) match {
117	122		case (Some(_), None, EngineType.Docker) => validate(container)(forDockerContainerizer)
118	123		case (Some(_), None, EngineType.Mesos) => validate(container)(forMesosContainerizer)
119	124		case _ => Success // canonical validation picks up where we leave off
120	125		}
121	126		}
122	127		}
123	128
124			def validContainer(enabledFeatures: Set[String], networks: Seq[Network]): Validator[Container] = {
	129		def validContainer(enabledFeatures: Set[String], networks: Seq[Network], secrets: Map[String, SecretDef]): Validator[Container] = {
125	130		def volumesValidator(container: Container): Validator[Seq[AppVolume]] =
126	131		isTrue("Volume names must be unique") { (vols: Seq[AppVolume]) =>
127	132		val names: Seq[String] = vols.flatMap(_.external.flatMap(_.name))
128	133		names.distinct.size == names.size
129	134		} and every(valid(validVolume(container, enabledFeatures)))
130	135
131	136		val validGeneralContainer: Validator[Container] = validator[Container] { container =>
132	137		container.portMappings is optional(portMappingsValidator(networks))
133	138		container.volumes is volumesValidator(container)
134	139		}
135	140
136	141		val mesosContainerImageValidator = new Validator[Container] {
137	142		override def apply(container: Container): Result = {
138	143		(container.docker, container.appc, container.`type`) match {
139			case (Some(_), None, EngineType.Mesos) => validate(container)(mesosDockerContainerValidator)
	144		case (Some(_), None, EngineType.Mesos) => validate(container)(mesosDockerContainerValidator(secrets))
140	145		case (None, Some(_), EngineType.Mesos) => validate(container)(mesosAppcContainerValidator)
141	146		case (None, None, EngineType.Mesos) => validate(container)(mesosImagelessContainerValidator)
142	147		case _ => Failure(Set(RuleViolation(container, "mesos containers should specify, at most, a single image type", None)))
143	148		}
144	149		}
145	150		}
146	151
147	152		forAll(
▲ Show 20 Lines • Show All 148 Lines • ▼ Show 20 Line(s)
296	301		update.dependencies.map(_.map(PathId(_))) as "dependencies" is optional(every(valid))
297	302		update.env is optional(envValidator(strictNameValidation = false, update.secrets.getOrElse(Map.empty), enabledFeatures))
298	303		update.secrets is optional({ secrets: Map[String, SecretDef] =>
299	304		secrets.nonEmpty
300	305		} -> (featureEnabled(enabledFeatures, Features.SECRETS)))
301	306		update.secrets is optional(featureEnabledImplies(enabledFeatures, Features.SECRETS)(every(secretEntryValidator)))
302	307		update.fetch is optional(every(valid))
303	308		update.portDefinitions is optional(portDefinitionsValidator)
304			update.container is optional(valid(validContainer(enabledFeatures, update.networks.getOrElse(Nil))))
	309		update.container is optional(valid(validContainer(enabledFeatures, update.networks.getOrElse(Nil), update.secrets.getOrElse(Map.empty))))
305	310		update.acceptedResourceRoles is valid(optional(ResourceRole.validAcceptedResourceRoles(update.residency.isDefined) and notEmpty))
306	311		},
307	312		isTrue("must not be root")(!_.id.fold(false)(PathId(_).isRoot)),
308	313		isTrue("must not be an empty string")(_.cmd.forall { s => s.length() > 1 }),
309	314		isTrue("portMappings are not allowed with host-networking") { update =>
310	315		!(update.networks.exists(_.exists(_.mode == NetworkMode.Host)) && update.container.exists(_.portMappings.exists(_.nonEmpty)))
311	316		},
312	317		isTrue("portDefinitions are only allowed with host-networking") { update =>
▲ Show 20 Lines • Show All 66 Lines • ▼ Show 20 Line(s)
379	384		def portIndices(app: App): Range = {
380	385		// should be kept in sync with AppDefinition.portIndices
381	386		app.container.withFilter(_.portMappings.nonEmpty)
382	387		.flatMap(_.portMappings).orElse(app.portDefinitions).getOrElse(Nil).indices
383	388		}
384	389
385	390		/** validate most canonical API fields */
386	391		private def validBasicAppDefinition(enabledFeatures: Set[String]): Validator[App] = validator[App] { app =>
387			app.container is optional(valid(validContainer(enabledFeatures, app.networks)))
	392		app.container is optional(valid(validContainer(enabledFeatures, app.networks, app.secrets)))
388	393		app.portDefinitions is optional(portDefinitionsValidator)
389	394		app is containsCmdArgsOrContainer
390	395		app.healthChecks is every(portIndexIsValid(portIndices(app)))
391	396		app must haveAtMostOneMesosHealthCheck
392	397		app.fetch is every(valid)
393	398		app.secrets is valid({ secrets: Map[String, SecretDef] =>
394	399		secrets.nonEmpty
395	400		} -> (featureEnabled(enabledFeatures, Features.SECRETS)))
▲ Show 20 Lines • Show All 126 Lines • Show Last 20 Lines

View Options

src/main/scala/mesosphere/marathon/api/v2/validation/PodsValidation.scala

1	1		package mesosphere.marathon
2	2		package api.v2.validation
3	3
4	4		// scalastyle:off
5	5
6	6		import com.wix.accord._
7	7		import com.wix.accord.dsl._
8	8		import mesosphere.marathon.api.v2.Validation
9			import mesosphere.marathon.raml.{ ArgvCommand, Artifact, CommandHealthCheck, Endpoint, FixedPodScalingPolicy, HealthCheck, HttpHealthCheck, Image, ImageType, Lifecycle, Network, NetworkMode, Pod, PodContainer, PodScalingPolicy, Resources, ShellCommand, TcpHealthCheck, Volume, VolumeMount }
	9		import mesosphere.marathon.raml.{ ArgvCommand, Artifact, CommandHealthCheck, Endpoint, FixedPodScalingPolicy, HealthCheck, HttpHealthCheck, Image, ImageType, Lifecycle, Network, NetworkMode, Pod, PodContainer, PodScalingPolicy, Resources, SecretDef, ShellCommand, TcpHealthCheck, Volume, VolumeMount }
10	10		import mesosphere.marathon.state.PathId
11	11		import mesosphere.marathon.util.SemanticVersion
12	12
13	13		// scalastyle:on
14	14
15	15		/**
16	16		* Defines implicit validation for pods
17	17		*/
▲ Show 20 Lines • Show All 91 Lines • ▼ Show 20 Line(s)
109	109		endpoint.protocol is isTrue ("Duplicate protocols within the same endpoint are not allowed") { proto =>
110	110		proto == proto.distinct
111	111		}
112	112		}
113	113
114	114		normalValidation and implied(networks.count(_.mode == NetworkMode.Container) > 1)(hostPortRequiresNetworkName)
115	115		}
116	116
117			val imageValidator = validator[Image] { image =>
118			image.id.length is between(1, 1024)
	117		def imageValidator(secrets: Map[String, SecretDef]): Validator[Image] = new Validator[Image] {
	118		override def apply(image: Image): Result = {
	119		val dockerImageValidator: Validator[Image] = validator[Image] { image =>
		jdefUnsubmitted Done nit: could simplify this `(_.isEmpty)` instead of `{ pullConfig => ...}`
	120		image.pullConfig is optional(
	121		isTrue("pullConfig.secret must refer to an existing secret")(
	122		config => secrets.contains(config.secret)))
119	123		}
120	124
	125		val appcImageValidator: Validator[Image] = validator[Image] { image =>
	126		image.pullConfig is isTrue("pullConfig is supported only with Docker images")(_.isEmpty)
	127		}
		jdefUnsubmitted Not Done Pretty sure that image.id validation is already handled by the generated RAML code: val id = json.\("id").validate[String](play.api.libs.json.JsPath.read[String](maxLength[String](1024) keepAnd minLength[String](1))) so .. no need to duplicate that validation here. the length check above (in the dockerImageValidator) code is redundant, and there's already a JIRA filed for removing redundant validation. we shouldn't add any more
	128
	129		image.kind match {
	130		case ImageType.Docker => validate(image)(dockerImageValidator)
	131		case ImageType.Appc => validate(image)(appcImageValidator)
	132		}
	133		}
	134		}
		jdefUnsubmitted Done this `case _` is superfluous since `ImageType` is a sealed trait
	135
121	136		def volumeMountValidator(volumes: Seq[Volume]): Validator[VolumeMount] = validator[VolumeMount] { volumeMount => // linter:ignore:UnusedParameter
122	137		volumeMount.name.length is between(1, 63)
123	138		volumeMount.name should matchRegexFully(NamePattern)
124	139		volumeMount.mountPath.length is between(1, 1024)
125	140		volumeMount.name is isTrue("Referenced Volume in VolumeMount should exist") { name =>
126	141		volumes.exists(_.name == name)
127	142		}
128	143		}
129	144
130	145		val artifactValidator = validator[Artifact] { artifact =>
131	146		artifact.uri.length is between(1, 1024)
132	147		artifact.destPath.map(_.length).getOrElse(1) is between(1, 1024)
133	148		}
134	149
135	150		val lifeCycleValidator = validator[Lifecycle] { lc =>
136	151		lc.killGracePeriodSeconds.getOrElse(0.0) should be > 0.0
137	152		}
138	153
139	154		def containerValidator(pod: Pod, enabledFeatures: Set[String], mesosMasterVersion: SemanticVersion): Validator[PodContainer] =
140	155		validator[PodContainer] { container =>
141	156		container.resources is valid(resourceValidator)
142	157		container.endpoints is every(endpointValidator(pod.networks))
143			container.image.getOrElse(Image(ImageType.Docker, "abc")) is valid(imageValidator)
	158		container.image is optional(imageValidator(pod.secrets))
		jdefUnsubmitted Not Done wow, we really left `abc` in there, eh?
144	159		container.environment is envValidator(strictNameValidation = false, pod.secrets, enabledFeatures)
145	160		container.healthCheck is optional(healthCheckValidator(container.endpoints, mesosMasterVersion))
146	161		container.volumeMounts is every(volumeMountValidator(pod.volumes))
147	162		container.artifacts is every(artifactValidator)
148	163		}
149	164
150	165		def volumeValidator(containers: Seq[PodContainer]): Validator[Volume] = validator[Volume] { volume =>
151	166		volume.host is optional(notEmpty)
▲ Show 20 Lines • Show All 65 Lines • Show Last 20 Lines

View Options

src/main/scala/mesosphere/marathon/raml/ContainerConversion.scala

Show First 20 Lines • Show All 49 Lines • ▼ Show 20 Line(s)
50	50		}
51	51
52	52		implicit val containerWrites: Writes[state.Container, Container] = Writes { container =>
53	53
54	54		implicit val credentialWrites: Writes[state.Container.Credential, DockerCredentials] = Writes { credentials =>
55	55		DockerCredentials(credentials.principal, credentials.secret)
56	56		}
57	57
	58		implicit val pullConfigWrites: Writes[state.Container.DockerPullConfig, DockerPullConfig] = Writes {
	59		case state.Container.DockerPullConfig(secret) => DockerPullConfig(secret)
	60		}
	61
58	62		implicit val dockerDockerContainerWrites: Writes[state.Container.Docker, DockerContainer] = Writes { container =>
59	63		DockerContainer(
60	64		forcePullImage = container.forcePullImage,
61	65		image = container.image,
62	66		parameters = container.parameters.toRaml,
63	67		privileged = container.privileged)
64	68		}
65	69
66	70		implicit val mesosDockerContainerWrites: Writes[state.Container.MesosDocker, DockerContainer] = Writes { container =>
67	71		DockerContainer(
68	72		image = container.image,
69	73		credential = container.credential.toRaml,
	74		pullConfig = container.pullConfig.toRaml,
70	75		forcePullImage = container.forcePullImage)
71	76		}
72	77
73	78		implicit val mesosContainerWrites: Writes[state.Container.MesosAppC, AppCContainer] = Writes { container =>
74	79		AppCContainer(container.image, container.id, container.labels, container.forcePullImage)
75	80		}
76	81
77	82		def create(kind: EngineType, docker: Option[DockerContainer] = None, appc: Option[AppCContainer] = None): Container = {
78	83		Container(kind, docker = docker, appc = appc, volumes = container.volumes.toRaml,
79	84		portMappings = Option(container.portMappings.toRaml) // this might need to be None, but we can't check networking here
80	85		)
81	86		}
82	87
83	88		container match {
84	89		case docker: state.Container.Docker => create(EngineType.Docker, docker = Some(docker.toRaml[DockerContainer]))
85	90		case mesos: state.Container.MesosDocker => create(EngineType.Mesos, docker = Some(mesos.toRaml[DockerContainer]))
86	91		case mesos: state.Container.MesosAppC => create(EngineType.Mesos, appc = Some(mesos.toRaml[AppCContainer]))
87			case mesos: state.Container.Mesos => create(EngineType.Mesos)
	92		case _: state.Container.Mesos => create(EngineType.Mesos)
88	93		}
89	94		}
90	95
	96		implicit val pullConfigReads: Reads[DockerPullConfig, state.Container.DockerPullConfig] = Reads {
	97		case DockerPullConfig(secret) => state.Container.DockerPullConfig(secret)
	98		}
	99
91	100		implicit val appContainerRamlReader: Reads[Container, state.Container] = Reads { container =>
92	101		val volumes = container.volumes.map(Raml.fromRaml(_))
93	102		val portMappings: Seq[state.Container.PortMapping] = container.portMappings.getOrElse(Nil).map(Raml.fromRaml(_))
94	103
95	104		val result: state.Container = (container.`type`, container.docker, container.appc) match {
96	105		case (EngineType.Docker, Some(docker), None) =>
97	106		state.Container.Docker(
98	107		volumes = volumes,
99	108		image = docker.image,
100	109		portMappings = portMappings, // assumed already normalized, see AppNormalization
101	110		privileged = docker.privileged,
102	111		parameters = docker.parameters.map(p => Parameter(p.key, p.value)),
103	112		forcePullImage = docker.forcePullImage
104	113		)
105	114		case (EngineType.Mesos, Some(docker), None) =>
106	115		state.Container.MesosDocker(
107	116		volumes = volumes,
108	117		image = docker.image,
109	118		portMappings = portMappings, // assumed already normalized, see AppNormalization
110	119		credential = docker.credential.map(c => state.Container.Credential(principal = c.principal, secret = c.secret)),
	120		pullConfig = docker.pullConfig.map(_.fromRaml),
111	121		forcePullImage = docker.forcePullImage
112	122		)
113	123		case (EngineType.Mesos, None, Some(appc)) =>
114	124		state.Container.MesosAppC(
115	125		volumes = volumes,
116	126		image = appc.image,
117	127		portMappings = portMappings,
118	128		id = appc.id,
Show All 32 Lines
151	161		DockerParameter(
152	162		key = param.getKey,
153	163		value = param.getValue
154	164		)
155	165		}
156	166
157	167		implicit val dockerProtoToRamlWriter: Writes[Protos.ExtendedContainerInfo.DockerInfo, DockerContainer] = Writes { docker =>
158	168		DockerContainer(
159			credential = DockerContainer.DefaultCredential, // we don't store credentials in protobuf
	169		credential = DockerContainer.DefaultCredential, // we don't store credentials in protobuf for Docker containerizer
	170		pullConfig = DockerContainer.DefaultPullConfig, // we don't store a Docker config in protobuf for Docker containerizer
		aquamatthiasUnsubmitted Not Done Didn't you add this to marathon.proto?
		ichernetskyAuthorUnsubmitted Not Done It is a copy & pasted. I did add to the `.proto` file, but on the other hand, `credential` is there as well. Is the other one outdated?
		jdefUnsubmitted Done "... for docker containerizer"
		jdefUnsubmitted Done please amend the comment with something similar to the proposed clarification
160	171		forcePullImage = docker.when(_.hasForcePullImage, _.getForcePullImage).getOrElse(DockerContainer.DefaultForcePullImage),
161	172		image = docker.getImage,
162	173		network = docker.when(_.hasOBSOLETENetwork, _.getOBSOLETENetwork.toRaml).orElse(DockerContainer.DefaultNetwork),
163	174		parameters = docker.whenOrElse(_.getParametersCount > 0, _.getParametersList.map(_.toRaml)(collection.breakOut), DockerContainer.DefaultParameters),
164	175		portMappings = Option.empty[Seq[ContainerPortMapping]].unless(
165	176		docker.when(_.getOBSOLETENetwork != Mesos.ContainerInfo.DockerInfo.Network.HOST, _.getOBSOLETEPortMappingsList.map(_.toRaml)(collection.breakOut))),
166	177		privileged = docker.when(_.hasPrivileged, _.getPrivileged).getOrElse(DockerContainer.DefaultPrivileged)
167	178		)
168	179		}
169	180
170	181		implicit val dockerCredentialsProtoRamlWriter: Writes[Mesos.Credential, DockerCredentials] = Writes { cred =>
171	182		DockerCredentials(
172	183		principal = cred.getPrincipal,
173	184		secret = cred.when(_.hasSecret, _.getSecret).orElse(DockerCredentials.DefaultSecret)
174	185		)
175	186		}
176	187
	188		implicit val dockerPullConfigProtoRamlWriter: Writes[Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig, DockerPullConfig] = Writes { pullConfig =>
	189		pullConfig.when(_.getType == Protos.ExtendedContainerInfo.DockerInfo.ImagePullConfig.Type.SECRET, _ => {
	190		pullConfig.when(_.hasSecret, _.getSecret).flatMap { secret =>
	191		secret.when(_.hasType, _.getType).flatMap {
	192		case Mesos.Secret.Type.REFERENCE =>
		jdefUnsubmitted Done ditto, don't swallow unsupported type here: better to throw an exception instead
	193		secret.when(_.hasReference, _.getReference.getName).map(DockerPullConfig(_))
	194		case _ => None
	195		}
	196		}
	197		}).flatten match {
	198		case Some(deserializedPullConfig) => deserializedPullConfig
	199		case _ =>
	200		throw SerializationFailedException(s"Failed to deserialize a docker pull config: $pullConfig")
		jdefUnsubmitted Done ditto, `new` is not required here
	201		}
	202		}
	203
177	204		implicit val mesosDockerProtoToRamlWriter: Writes[Protos.ExtendedContainerInfo.MesosDockerInfo, DockerContainer] = Writes { docker =>
178	205		DockerContainer(
179			credential = docker.when(_.hasCredential, _.getCredential.toRaml).orElse(DockerContainer.DefaultCredential),
	206		credential = docker.when(_.hasDeprecatedCredential, _.getDeprecatedCredential.toRaml).orElse(DockerContainer.DefaultCredential),
	207		pullConfig = docker.when(_.hasPullConfig, _.getPullConfig.toRaml).orElse(DockerContainer.DefaultPullConfig),
180	208		forcePullImage = docker.when(_.hasForcePullImage, _.getForcePullImage).getOrElse(DockerContainer.DefaultForcePullImage),
181	209		image = docker.getImage
182	210		// was never stored for mesos containers:
183	211		// - network
184	212		// - parameters
185	213		// - portMappings
186	214		// - privileged
187	215		)
Show All 21 Lines

View Options

src/main/scala/mesosphere/marathon/state/Container.scala

Show First 20 Lines • Show All 88 Lines • ▼ Show 20 Line(s)
89	89
90	90		val HostPortDefault = AppDefinition.RandomPortValue // HostPortDefault only applies when in BRIDGE mode
91	91		}
92	92
93	93		case class Credential(
94	94		principal: String,
95	95		secret: Option[String] = None)
96	96
	97		case class DockerPullConfig(secret: String)
		jdefUnsubmitted Not Done ditto on naming
	98
97	99		case class MesosDocker(
98	100		volumes: Seq[Volume] = Seq.empty,
99	101		image: String = "",
100	102		override val portMappings: Seq[PortMapping] = Nil,
101	103		credential: Option[Credential] = None,
	104		pullConfig: Option[DockerPullConfig] = None,
102	105		forcePullImage: Boolean = false) extends Container {
103	106
104	107		override def copyWith(portMappings: Seq[PortMapping] = portMappings, volumes: Seq[Volume] = volumes) =
105	108		copy(portMappings = portMappings, volumes = volumes)
106	109		}
107	110
108	111		object MesosDocker {
109	112		val validMesosDockerContainer = validator[MesosDocker] { docker =>
▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines

View Options

src/test/scala/mesosphere/marathon/api/v2/AppsResourceTest.scala

1	1		package mesosphere.marathon
2	2		package api.v2
3	3
4	4		import java.util
5	5		import javax.ws.rs.core.Response
6	6
7	7		import akka.Done
8	8		import mesosphere.AkkaUnitTest
9	9		import mesosphere.marathon.api._
10	10		import mesosphere.marathon.core.appinfo.AppInfo.Embed
11	11		import mesosphere.marathon.core.appinfo._
12	12		import mesosphere.marathon.core.base.ConstantClock
13	13		import mesosphere.marathon.core.deployment.DeploymentPlan
14	14		import mesosphere.marathon.core.group.GroupManager
15	15		import mesosphere.marathon.core.plugin.PluginManager
16	16		import mesosphere.marathon.core.pod.ContainerNetwork
17			import mesosphere.marathon.raml.{ App, AppUpdate, ContainerPortMapping, DockerContainer, DockerNetwork, EngineType, EnvVarValueOrSecret, IpAddress, IpDiscovery, IpDiscoveryPort, Network, NetworkConversionMessages, NetworkMode, Raml, SecretDef }
	17		import mesosphere.marathon.raml.{ Container => RamlContainer }
	18		import mesosphere.marathon.raml.{ App, AppUpdate, ContainerPortMapping, DockerContainer, DockerNetwork, DockerPullConfig, EngineType, EnvVarValueOrSecret, IpAddress, IpDiscovery, IpDiscoveryPort, Network, NetworkConversionMessages, NetworkMode, Raml, SecretDef }
18	19		import mesosphere.marathon.state.PathId._
19	20		import mesosphere.marathon.state._
20	21		import mesosphere.marathon.storage.repository.GroupRepository
21	22		import mesosphere.marathon.test.GroupCreation
22	23		import org.mockito.Matchers
23	24		import play.api.libs.json._
24	25
25	26		import scala.collection.immutable
▲ Show 20 Lines • Show All 131 Lines • ▼ Show 20 Line(s)
157	158		if (!result.isSuccess) {
158	159		result.failed.foreach {
159	160		case v: ValidationFailedException =>
160	161		assert(result.isSuccess, s"JSON body = ${new String(body)} :: violations = ${v.failure.violations}")
161	162		case th =>
162	163		throw th
163	164		}
164	165		}
	166		}
	167
	168		"Create a new app with w/ Mesos containerizer and a Docker config.json" in new Fixture(configArgs = Seq("--enable_features", "secrets")) {
		jdefUnsubmitted Not Done happy to see some tests here. i'd like a more thorough exercise of the validation rules to appear in AppValidationTest
	169		Given("An app with a Docker config.json")
	170		val container = RamlContainer(
	171		`type` = EngineType.Mesos,
	172		docker = Option(DockerContainer(
	173		image = "private/image",
	174		pullConfig = Option(DockerPullConfig("pullConfigSecret")))))
	175		val app = App(
	176		id = "/app", cmd = Some("cmd"), container = Option(container),
	177		secrets = Map("pullConfigSecret" -> SecretDef("/config")))
	178		val (body, plan) = prepareApp(app, groupManager)
	179
	180		When("The create request is made")
	181		clock += 5.seconds
	182		val response = appsResource.create(body, force = false, auth.request)
	183		val result = Try(prepareApp(app, groupManager))
	184
	185		Then("It is successful")
	186		assert(response.getStatus == 201, s"body=${new String(body)}, response=${response.getEntity.asInstanceOf[String]}")
	187		}
	188
	189		"Creating a new app with w/ Docker containerizer and a Docker config.json should fail" in new Fixture(configArgs = Seq("--enable_features", "secrets")) {
	190		Given("An app with a Docker config.json")
	191		val container = RamlContainer(
	192		`type` = EngineType.Docker,
	193		docker = Option(DockerContainer(
	194		image = "private/image",
	195		pullConfig = Option(DockerPullConfig("pullConfigSecret")))))
	196		val app = App(
	197		id = "/app", cmd = Some("cmd"), container = Option(container),
	198		secrets = Map("pullConfigSecret" -> SecretDef("/config")))
	199		val (body, plan) = prepareApp(app, groupManager)
	200
	201		When("The create request is made")
	202		clock += 5.seconds
	203		val response = appsResource.create(body, force = false, auth.request)
	204		val result = Try(prepareApp(app, groupManager))
	205
	206		Then("It fails")
	207		assert(response.getStatus == 422, s"body=${new String(body)}, response=${response.getEntity.asInstanceOf[String]}")
	208		response.getEntity.toString should include("pullConfig is not supported with Docker containerizer")
	209		}
	210
	211		"Creating a new app with non-existing Docker config.json secret should fail" in new Fixture(configArgs = Seq("--enable_features", "secrets")) {
	212		Given("An app with a Docker config.json")
	213		val container = RamlContainer(
	214		`type` = EngineType.Mesos,
	215		docker = Option(DockerContainer(
	216		image = "private/image",
	217		pullConfig = Option(DockerPullConfig("pullConfigSecret")))))
	218		val app = App(
	219		id = "/app", cmd = Some("cmd"), container = Option(container))
	220		val (body, plan) = prepareApp(app, groupManager)
	221
	222		When("The create request is made")
	223		clock += 5.seconds
	224		val response = appsResource.create(body, force = false, auth.request)
	225		val result = Try(prepareApp(app, groupManager))
	226
	227		Then("It fails")
	228		assert(response.getStatus == 422, s"body=${new String(body)}, response=${response.getEntity.asInstanceOf[String]}")
	229		response.getEntity.toString should include("pullConfig.secret must refer to an existing secret")
165	230		}
166	231
167	232		"Do partial update with patch methods" in new Fixture {
168	233		Given("An app")
169	234		val id = "/app"
170	235		val app = App(
171	236		id = id,
172	237		cmd = Some("cmd"),
▲ Show 20 Lines • Show All 1201 Lines • Show Last 20 Lines

View Options

src/test/scala/mesosphere/marathon/api/v2/PodsResourceTest.scala

Show First 20 Lines • Show All 231 Lines • ▼ Show 20 Line(s)
232	232		withClue(s"response body: ${response.getEntity}") {
233	233		response.getStatus should be(HttpServletResponse.SC_NOT_FOUND)
234	234		val body = Option(response.getEntity.asInstanceOf[String])
235	235		body should not be None
236	236		body.foreach(_ should include("mypod does not exist"))
237	237		}
238	238		}
239	239
	240		"Create a new pod with w/ Docker image and config.json" in {
		jdefUnsubmitted Not Done happy to see some tests here. i'd like a more thorough exercise of the validation rules to appear in PodsValidationTest
	241		implicit val podSystem = mock[PodManager]
	242		val f = Fixture(configArgs = Seq("--enable_features", "secrets"))
	243
	244		podSystem.create(any, eq(false)).returns(Future.successful(DeploymentPlan.empty))
	245
	246		val podJson =
	247		"""
	248		\|{
	249		\| "id": "/pod",
	250		\| "containers": [{
	251		\| "name": "container0",
	252		\| "resources": {
	253		\| "cpus": 0.1,
	254		\| "mem": 32
	255		\| },
	256		\| "image": {
	257		\| "kind": "DOCKER",
	258		\| "id": "private/image",
	259		\| "pullConfig": {
	260		\| "secret": "pullConfigSecret"
	261		\| }
	262		\| },
	263		\| "exec": {
	264		\| "command": {
	265		\| "shell": "sleep 1"
	266		\| }
	267		\| }
	268		\| }],
	269		\| "secrets": {
	270		\| "pullConfigSecret": {
	271		\| "source": "/config"
	272		\| }
	273		\| }
	274		\|}
	275		""".stripMargin
	276
	277		val response = f.podsResource.create(podJson.getBytes(), force = false, f.auth.request)
	278
	279		withClue(s"response body: ${response.getEntity}") {
	280		response.getStatus should be(HttpServletResponse.SC_CREATED)
	281
	282		val parsedResponse = Option(response.getEntity.asInstanceOf[String]).map(Json.parse)
	283		parsedResponse should be (defined)
	284		val maybePod = parsedResponse.map(_.as[Pod])
	285		maybePod should be (defined) // validate that we DID get back a pod definition
	286		val pod = maybePod.get
	287		pod.containers.headOption should be (defined)
	288		val container = pod.containers.head
	289		container.image should be (defined)
	290		val image = container.image.get
	291		image.pullConfig should be (defined)
	292		val pullConfig = image.pullConfig.get
	293		pullConfig.secret should be ("pullConfigSecret")
	294
	295		response.getMetadata.containsKey(RestResource.DeploymentHeader) should be(true)
	296		}
	297		}
	298
	299		"Creating a new pod with w/ AppC image and config.json should fail" in {
	300		implicit val podSystem = mock[PodManager]
	301		val f = Fixture(configArgs = Seq("--enable_features", "secrets"))
	302
	303		podSystem.create(any, eq(false)).returns(Future.successful(DeploymentPlan.empty))
	304
	305		val podJson =
	306		"""
	307		\|{
	308		\| "id": "/pod",
	309		\| "containers": [{
	310		\| "name": "container0",
	311		\| "resources": {
	312		\| "cpus": 0.1,
	313		\| "mem": 32
	314		\| },
	315		\| "image": {
	316		\| "kind": "APPC",
	317		\| "id": "private/image",
	318		\| "pullConfig": {
	319		\| "secret": "pullConfigSecret"
	320		\| }
	321		\| },
	322		\| "exec": {
	323		\| "command": {
	324		\| "shell": "sleep 1"
	325		\| }
	326		\| }
	327		\| }],
	328		\| "secrets": {
	329		\| "pullConfigSecret": {
	330		\| "source": "/config"
	331		\| }
	332		\| }
	333		\|}
	334		""".stripMargin
	335
	336		val response = f.podsResource.create(podJson.getBytes(), force = false, f.auth.request)
	337
	338		withClue(s"response body: ${response.getEntity}") {
	339		response.getStatus should be(422)
	340		response.getEntity.toString should include("pullConfig is supported only with Docker images")
	341		}
	342		}
	343
	344		"Creating a new pod with w/ Docker image and non-existing secret should fail" in {
	345		implicit val podSystem = mock[PodManager]
	346		val f = Fixture(configArgs = Seq("--enable_features", "secrets"))
	347
	348		podSystem.create(any, eq(false)).returns(Future.successful(DeploymentPlan.empty))
	349
	350		val podJson =
	351		"""
	352		\|{
	353		\| "id": "/pod",
	354		\| "containers": [{
	355		\| "name": "container0",
	356		\| "resources": {
	357		\| "cpus": 0.1,
	358		\| "mem": 32
	359		\| },
	360		\| "image": {
	361		\| "kind": "Docker",
	362		\| "id": "private/image",
	363		\| "pullConfig": {
	364		\| "secret": "pullConfigSecret"
	365		\| }
	366		\| },
	367		\| "exec": {
	368		\| "command": {
	369		\| "shell": "sleep 1"
	370		\| }
	371		\| }
	372		\| }],
	373		\| "secrets": {
	374		\| "pullConfigSecretA": {
	375		\| "source": "/config"
	376		\| }
	377		\| }
	378		\|}
	379		""".stripMargin
	380
	381		val response = f.podsResource.create(podJson.getBytes(), force = false, f.auth.request)
	382
	383		withClue(s"response body: ${response.getEntity}") {
	384		response.getStatus should be(422)
	385		response.getEntity.toString should include("pullConfig.secret must refer to an existing secret")
	386		}
	387		}
	388
240	389		"support versions" when {
241	390		implicit val ctx = ExecutionContexts.global
242	391
243	392		"there are no versions" when {
244	393		"list no versions" in {
245	394		val groupManager = mock[GroupManager]
246	395		groupManager.pod(any).returns(None)
247	396		implicit val podManager = PodManagerImpl(groupManager)
▲ Show 20 Lines • Show All 244 Lines • Show Last 20 Lines

View Options

src/test/scala/mesosphere/marathon/api/v2/validation/AppValidationTest.scala

1	1	package mesosphere.marathon
2	2	package api.v2.validation
3	3
4	4	import com.wix.accord.scalatest.ResultMatchers
5	5	import mesosphere.{ UnitTest, ValidationTestLike }
6	6	import mesosphere.marathon.raml._
7	7	import mesosphere.UnitTest
8	8
9	9	class AppValidationTest extends UnitTest with ResultMatchers with ValidationTestLike {
10	10
11	11	import Normalization._
12	12
	13	"Docker image pull config validation" when {
	14	implicit val basicValidator = AppValidation.validateCanonicalAppAPI(Set("secrets"))
	15
	16	"pull config when the Mesos containerizer is used and the corresponding secret is provided" should {
	17	"be accepted" in {
	18	val app = App(
	19	id = "/foo",
	20	cmd = Some("bar"),
	21	container = Some(Container(
	22	`type` = EngineType.Mesos,
	23	docker = Some(DockerContainer(
	24	image = "xyz", pullConfig = Some(DockerPullConfig("aSecret")))))),
	25	secrets = Map("aSecret" -> SecretDef("/secret")))
	26
	27	basicValidator(app) shouldBe (aSuccess)
	28	}
	29	}
	30
	31	"pull config when the Mesos containerizer is used and the corresponding secret is not provided" should {
	32	"fail" in {
	33	val app = App(
	34	id = "/foo",
	35	cmd = Some("bar"),
	36	container = Some(Container(
	37	`type` = EngineType.Mesos,
	38	docker = Some(DockerContainer(
	39	image = "xyz", pullConfig = Some(DockerPullConfig("aSecret")))))))
	40
	41	basicValidator(app).normalize should failWith(
	42	"/container/docker/pullConfig" ->
	43	"pullConfig.secret must refer to an existing secret")
	44	}
	45	}
	46
	47	"pull config when the Docker containerizer is used and the corresponding secret is provided" should {
	48	"fail" in {
	49	val app = App(
	50	id = "/foo",
	51	cmd = Some("bar"),
	52	container = Some(Container(
	53	`type` = EngineType.Docker,
	54	docker = Some(DockerContainer(
	55	image = "xyz", pullConfig = Some(DockerPullConfig("aSecret")))))),
	56	secrets = Map("aSecret" -> SecretDef("/secret")))
	57
	58	basicValidator(app).normalize should failWith(
	59	"/container/docker" ->
	60	"pullConfig is not supported with Docker containerizer")
	61	}
	62	}
	63	}
	64
13	65	"network validation" when {
14	66	implicit val basicValidator = AppValidation.validateCanonicalAppAPI(Set.empty)
15	67
16	68	def networkedApp(portMappings: Seq[ContainerPortMapping], networks: Seq[Network], docker: Boolean = false) = {
17	69	App(
18	70	id = "/foo",
19	71	cmd = Some("bar"),
20	72	networks = networks,
▲ Show 20 Lines • Show All 148 Lines • Show Last 20 Lines

View Options

src/test/scala/mesosphere/marathon/raml/ContainerConversionTest.scala

Show All 40 Lines
41	41	mc.portMappings should be(Seq(corePortMapping))
42	42	mc.volumes should be(Seq(coreHostVolume))
43	43	}
44	44	}
45	45	}
46	46
47	47	"A Mesos Docker container is converted" when {
48	48	"a mesos-docker container" should {
49		val container = state.Container.MesosDocker(Seq(coreHostVolume), "test", Seq(corePortMapping), Some(credentials))
	49	val container = state.Container.MesosDocker(Seq(coreHostVolume), "test", Seq(corePortMapping),
	50	Some(credentials), Some(dockerPullConfig))
50	51	val raml = container.toRaml[Container]
51	52
52	53	behave like convertToProtobufThenToRAML(container, raml)
53	54
54	55	"convert to a RAML container" in {
55	56	raml.`type` should be(EngineType.Mesos)
56	57	raml.appc should be(empty)
57	58	raml.volumes should be(Seq(ramlHostVolume))
58	59	raml.portMappings should contain(Seq(ramlPortMapping))
59	60	raml.docker should be(defined)
60	61	raml.docker.get.image should be("test")
61	62	raml.docker.get.credential should be(defined)
62	63	raml.docker.get.credential.get.principal should be(credentials.principal)
63	64	raml.docker.get.credential.get.secret should be(credentials.secret)
	65	raml.docker.get.pullConfig should be(defined)
	66	raml.docker.get.pullConfig.get shouldBe a[DockerPullConfig]
	67	raml.docker.get.pullConfig.get shouldBe DockerPullConfig(dockerPullConfig.secret)
64	68	}
65	69	}
66	70	"a mesos-docker container w/o port mappings" should {
67		val container = state.Container.MesosDocker(Seq(coreHostVolume), "test", portMappings = Seq.empty, Some(credentials))
	71	val container = state.Container.MesosDocker(Seq(coreHostVolume), "test", portMappings = Seq.empty,
	72	Some(credentials), Some(dockerPullConfig))
68	73	val raml = container.toRaml[Container]
69	74	behave like convertToProtobufThenToRAML(container, raml)
70	75	}
71	76	"a RAML container" should {
72	77	"convert to a mesos-docker container" in {
73	78	val container = Container(EngineType.Mesos, portMappings = Option(Seq(ramlPortMapping)), docker = Some(DockerContainer(
74		image = "foo", credential = Some(DockerCredentials(credentials.principal, credentials.secret)))),
75		volumes = Seq(ramlHostVolume))
	79	image = "foo", credential = Some(DockerCredentials(credentials.principal, credentials.secret)),
	80	pullConfig = Some(DockerPullConfig(dockerPullConfig.secret)))), volumes = Seq(ramlHostVolume))
76	81	val mc = Some(container.fromRaml).collect {
77	82	case c: state.Container.MesosDocker => c
78	83	}.getOrElse(fail("expected Container.MesosDocker"))
79	84	mc.portMappings should be(Seq(corePortMapping))
80	85	mc.volumes should be(Seq(coreHostVolume))
81	86	mc.image should be("foo")
82		mc.credential should be(Some(credentials))
	87	mc.credential shouldBe Some(credentials)
	88	mc.pullConfig shouldBe Some(dockerPullConfig)
83	89	mc.forcePullImage should be(container.docker.head.forcePullImage)
84	90	}
85	91	}
86	92	}
87	93
88	94	"A Mesos AppC container is created correctly" when {
89	95	"a mesos-appc container" should {
90	96	val container = state.Container.MesosAppC(Seq(coreHostVolume), "test", Seq(corePortMapping), Some("id"))
▲ Show 20 Lines • Show All 115 Lines • ▼ Show 20 Line(s)
206	212
207	213	"convert to a RAML container" in {
208	214	raml.`type` should be(EngineType.Docker)
209	215	raml.appc should be(empty)
210	216	raml.volumes should be(Seq(ramlHostVolume))
211	217	raml.docker should be(defined)
212	218	raml.docker.get.image should be("test")
213	219	raml.docker.get.credential should be(empty)
	220	raml.docker.get.pullConfig shouldBe empty
214	221	raml.docker.get.network should be(empty)
215	222	raml.portMappings should contain(Seq(ramlPortMapping))
216	223	}
217	224	}
218	225	"a docker-docker container w/o port mappings" should {
219	226	val container = state.Container.Docker(Seq(coreHostVolume), "test")
220	227	val raml = container.toRaml[Container]
221	228	behave like convertToProtobufThenToRAML(container, raml)
Show All 11 Lines
233	240	mc.forcePullImage should be(container.docker.head.forcePullImage)
234	241	mc.parameters should be(Seq(state.Parameter("qws", "erf")))
235	242	mc.privileged should be(container.docker.head.privileged)
236	243	}
237	244	}
238	245	}
239	246
240	247	private lazy val credentials = state.Container.Credential("principal", Some("secret"))
	248	private lazy val dockerPullConfig = state.Container.DockerPullConfig("aConfigSecret")
241	249	private lazy val ramlPortMapping = ContainerPortMapping(
242	250	containerPort = 80,
243	251	hostPort = Some(90),
244	252	servicePort = 100,
245	253	name = Some("pok"),
246	254	labels = Map("wer" -> "rty")
247	255	)
248	256	private lazy val corePortMapping = state.Container.PortMapping(
Show All 9 Lines

View Options

src/test/scala/mesosphere/mesos/TaskBuilderTest.scala

Show First 20 Lines • Show All 623 Lines • ▼ Show 20 Line(s)
624	624
625	625		"build creates task for MESOS Docker container" in {
626	626		val offer = MarathonTestHelper.makeBasicOfferWithRole(
627	627		cpus = 1.0, mem = 128.0, disk = 1000.0, beginPort = 31000, endPort = 31010, role = ResourceRole.Unreserved
628	628		)
629	629		.addResources(RangesResource(Resource.PORTS, Seq(protos.Range(33000, 34000)), "marathon"))
630	630		.build
631	631
	632		val dockerPullConfigSecret = "aConfigSecret"
	633		val dockerPullConfig = Container.DockerPullConfig(dockerPullConfigSecret)
632	634		val task: Option[(MesosProtos.TaskInfo, _)] = buildIfMatches(
633	635		offer, AppDefinition(
634	636		id = "/testApp".toPath,
635	637		resources = Resources(cpus = 1.0, mem = 64.0, disk = 1.0),
636	638		executor = "//cmd",
637	639		container = Some(Container.MesosDocker(
638	640		image = "busybox",
639	641		credential = Some(Container.Credential(
640	642		principal = "aPrincipal",
641	643		secret = Some("aSecret")
642			))
643	644		)),
	645		pullConfig = Some(dockerPullConfig)
		aquamatthiasUnsubmitted Not Done Please add a test for secret ref
	646		)),
644	647		portDefinitions = Seq.empty,
645	648		networks = Seq(ContainerNetwork("vnet"))
646	649		)
647	650		)
648	651		assert(task.isDefined, "expected task to match offer")
649	652		val (taskInfo: TaskInfo, _) = task.get
650	653		taskInfo.hasContainer should be (true)
651	654		taskInfo.getContainer.getType should be (MesosProtos.ContainerInfo.Type.MESOS)
652	655		taskInfo.getContainer.hasMesos should be (true)
653	656		taskInfo.getContainer.getMesos.hasImage should be (true)
654	657		taskInfo.getContainer.getMesos.getImage.getType should be (MesosProtos.Image.Type.DOCKER)
655	658		taskInfo.getContainer.getMesos.getImage.hasDocker should be (true)
656	659		taskInfo.getContainer.getMesos.getImage.getDocker.hasCredential should be (true)
657	660		taskInfo.getContainer.getMesos.getImage.getDocker.getCredential.getPrincipal should be ("aPrincipal")
658	661		taskInfo.getContainer.getMesos.getImage.getDocker.getCredential.hasSecret should be (true)
659	662		taskInfo.getContainer.getMesos.getImage.getDocker.getCredential.getSecret should be ("aSecret")
	663		taskInfo.getContainer.getMesos.getImage.getDocker.hasConfig shouldBe true
	664		taskInfo.getContainer.getMesos.getImage.getDocker.getConfig.getReference.getName shouldBe dockerPullConfigSecret
660	665		}
661	666
662	667		"build creates task for MESOS AppC container" in {
663	668		val offer = MarathonTestHelper.makeBasicOfferWithRole(
664	669		cpus = 1.0, mem = 128.0, disk = 1000.0, beginPort = 31000, endPort = 31010, role = ResourceRole.Unreserved
665	670		)
666	671		.addResources(RangesResource(Resource.PORTS, Seq(protos.Range(33000, 34000)), "marathon"))
667	672		.build
▲ Show 20 Lines • Show All 1278 Lines • Show Last 20 Lines

View Options

tests/system/common.py

Show All 12 Lines
13	13		import pytest
14	14		import shakedown
15	15
16	16
17	17		marathon_1_3 = pytest.mark.skipif('marthon_version_less_than("1.3")')
18	18		marathon_1_4 = pytest.mark.skipif('marthon_version_less_than("1.4")')
19	19		marathon_1_5 = pytest.mark.skipif('marthon_version_less_than("1.5")')
20	20
	21		def escape_cli_arg(arg):
	22		acc = []
	23		for char in arg:
	24		if char in ('"', '\\'):
	25		acc.append('\\')
	26		acc.append(char)
	27		return ''.join(acc)
	28
21	29
22	30		def app(id=1, instances=1):
23	31		app_json = {
24	32		"id": "",
25	33		"instances": 1,
26	34		"cmd": "sleep 100000000",
27	35		"cpus": 0.01,
28	36		"mem": 1,
▲ Show 20 Lines • Show All 427 Lines • ▼ Show 20 Line(s)
456	464		"fetch": [
457	465		{
458	466		"uri": "file:///home/core/{}".format(docker_credentials_filename)
459	467		}
460	468		]
461	469		}
462	470
463	471
464			def private_mesos_container_app(principal, secret):
	472		def private_mesos_container_app(secret_name, app_id=None):
	473		""" Returns an application definition that uses Mesos containerizer and
	474		expects a valid Docker config.json referenced by the given `secret_name`.
	475
	476		:param secret_name: secret name which value is a Docker config.json
	477		:param app_id: optional application ID, if not given, a random UUID is used
	478		:return: application definition represented using Python data structures
	479		"""
	480		if app_id is None:
	481		app_id = '/{}'.format(uuid.uuid4().hex)
	482
		kensipeUnsubmitted Done I don't know what "private_mesos_app" means... can we rename this to something meaningful? or add docs that explains why it should be used?
		zen-dogUnsubmitted Done App id should have a random part (see using of `uuid` in other tests). Prevents collisions and makes debugging easier.
		kensipeUnsubmitted Not Done your comment doesn't address the comment or concern... the issue isn't app_id... it is the meaning of private_mesos_container and documentation
		zen-dogUnsubmitted Not Done It was meant as an addition to your comment ;)
465	483		return {
466			"id": "/private-mesos-app",
	484		"id": app_id,
467	485		"instances": 1,
468	486		"cpus": 1,
469	487		"mem": 128,
470	488		"container": {
471			"type": 'MESOS',
472			"docker": {
473			"image": "mesosphere/simple-docker-ee:latest",
474			"credential": {
475			"principal": principal,
476			"secret": secret
	489		"type": 'MESOS',
	490		"docker": {
	491		"image": "mesosphere/simple-docker-ee:latest",
	492		"config": {
	493		"secret": "pullConfigSecret"
	494		}
	495		}
	496		},
	497		"secrets": {
	498		"pullConfigSecret": {
	499		"source": secret_name
	500		}
	501		}
	502		}
	503
	504
	505		def private_docker_pod(secret_name, pod_id=None):
	506		""" Returns a pod definition that uses a Docker image and
	507		expects a valid Docker config.json referenced by the given `secret_name`.
	508
	509		:param secret_name: secret name which value is a Docker config.json
	510		:param pod_id: optional pod ID, if not given, a random UUID is used
	511		:return: pod definition represented using Python data structures
	512		"""
	513		if pod_id is None:
	514		pod_id = '/{}'.format(uuid.uuid4().hex)
	515
	516		return {
	517		"id": pod_id,
	518		"scaling": {
	519		"kind": "fixed",
	520		"instances": 1
	521		},
	522		"containers": [{
	523		"name": "simple-docker",
	524		"resources": {
	525		"cpus": 1,
	526		"mem": 128
	527		},
	528		"image": {
	529		"kind": "DOCKER",
	530		"id": "mesosphere/simple-docker-ee:latest",
	531		"config": {
	532		"secret": "pullConfigSecret"
477	533		}
478	534		}
	535		}],
	536		"secrets": {
	537		"pullConfigSecret": {
	538		"source": secret_name
	539		}
479	540		}
480	541		}
481	542
482	543
483	544		def pinger_localhost_app(id='pinger', port=7777):
484	545		""" pinger app requires, the pinger.py app in fixure_dir and the master
485	546		http service started at port 7777
486	547
▲ Show 20 Lines • Show All 288 Lines • ▼ Show 20 Line(s)
775	836		def is_enterprise_cli_package_installed():
776	837		""" Returns `True` if `dcos-enterprise-cli` package is installed.
777	838		"""
778	839		stdout, stderr, return_code = run_dcos_command('package list --json')
779	840		result_json = json.loads(stdout)
780	841		return any(cmd['name'] == 'dcos-enterprise-cli' for cmd in result_json)
781	842
782	843
	844		def create_docker_pull_config_json(username, password):
	845		""" Create a Docker config.json represented using Python data structures.
	846
	847		:param username: username for a private Docker registry
	848		:param password: password for a private Docker registry
	849		:return: Docker config.json
	850		"""
	851		print('Creating a config.json content for dockerhub username {}'.format(username))
	852
	853		import base64
	854		auth_hash = base64.b64encode('{}:{}'.format(username, password).encode()).decode()
	855
	856		return {
	857		"auths": {
	858		"https://index.docker.io/v1/": {
	859		"auth": auth_hash
	860		}
	861		}
	862		}
	863
	864
783	865		def create_docker_credentials_file(username, password, file_name='docker.tar.gz'):
		kensipeUnsubmitted Not Done this is in shakedown... all of this can be replaced with `shakedown. distribute_docker_credentials_to_private_agents()` https://github.com/dcos/shakedown/blob/master/shakedown/dcos/docker.py#L65
		zen-dogUnsubmitted Not Done This is not the same - there is no need to distribute the file, since it's passed as part of the app definition. However we should extract creation part into a separate function and maybe move it to shakedown later.
		ichernetskyAuthorUnsubmitted Not Done Aleksey is correct.
784	866		""" Create a docker credentials file. Docker username and password are used to create
785	867		a `{file_name}` with `.docker/config.json` containing the credentials.
786	868
787	869		:param file_name: credentials file name `docker.tar.gz` by default
788	870		:type command: str
789	871		"""
790	872
791	873		print('Creating a tarball {} with json credentials for dockerhub username {}'.format(file_name, username))
792	874		config_json_filename = 'config.json'
793	875
794			import base64
	876		config_json = create_docker_pull_config_json(username, password)
		zen-dogUnsubmitted Done It seems like next 10 lines can be replaced by `create_docker_pull_config_json()` call?
		ichernetskyAuthorUnsubmitted Not Done Yep, forgot to do it.
795			auth_hash = base64.b64encode('{}:{}'.format(username, password).encode()).decode()
796
797			config_json = {
798			"auths": {
799			"https://index.docker.io/v1/": {
800			"auth": auth_hash
801			}
802			}
803			}
804	877
805	878		# Write config.json to file
806	879		with open(config_json_filename, 'w') as f:
807	880		json.dump(config_json, f, indent=4)
808	881
809	882		try:
810	883		# Create a docker.tar.gz
811	884		import tarfile
Show All 25 Lines
837	910		copy_file_to_agent(agent, file_name)
838	911		except Exception as e:
839	912		print('Failed to upload {} to agent: {}'.format(file_name, agent))
840	913		raise e
841	914		finally:
842	915		os.remove(file_name)
843	916
844	917
	918		def create_secret(secret_name, secret_value):
	919		""" Create a secret with a given name and a value.
	920		This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
	921		package is installed.
	922
	923		:param secret_name: secret name
	924		:type secret_name: str
	925		:param secret_value: secret_value
	926		:type secret_value: str
	927		"""
	928		escaped_secret_value = escape_cli_arg(secret_value)
	929		stdout, stderr, return_code = run_dcos_command(
	930		'security secrets create --value="{}" {}'.format(escaped_secret_value, secret_name))
	931		assert return_code == 0, "Failed to create a secret: {}".format(secret_name)
	932
	933
845	934		def has_secret(secret_name):
846	935		""" Returns `True` if the secret with given name exists in the vault.
847	936		This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
848	937		package is installed.
849	938
850	939		:param secret_name: secret name
851	940		:type secret_name: str
852	941		"""
Show All 12 Lines
865	954		:param secret_name: secret name
866	955		:type secret_name: str
867	956		"""
868	957		print('Removing existing secret {}'.format(secret_name))
869	958		stdout, stderr, return_code = run_dcos_command('security secrets delete {}'.format(secret_name))
870	959		assert return_code == 0, "Failed to remove existing secret"
871	960
872	961
873			def create_secret(secret_name, service_account, strict=False, private_key_filename='private-key.pem'):
	962		def create_sa_secret(secret_name, service_account, strict=False, private_key_filename='private-key.pem'):
874	963		""" Create a secret with a given private key file for passed service account in the vault. Both
875	964		(service account and secret) should share the same key pair. `{strict}` parameter should be
876	965		`True` when creating a secret in a `strict` secure cluster. Private key file will be removed
877	966		after secret is successfully created.
878	967		This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
879	968		package is installed.
880	969
881	970		:param secret_name: secret name
▲ Show 20 Lines • Show All 132 Lines • Show Last 20 Lines

View Options

tests/system/marathon_common_tests.py

Show First 20 Lines • Show All 973 Lines • ▼ Show 20 Line(s)
974	974		client = marathon.create_client()
975	975		app_def = common.private_docker_container_app()
976	976		client.add_app(app_def)
977	977		shakedown.deployment_wait()
978	978
979	979		common.assert_app_tasks_running(client, app_def)
980	980
981	981
982			@pytest.mark.skip(reason="Not yet implemented in mesos")
	982		@pytest.mark.skipif("docker_env_set()")
	983		@dcos_1_10
983	984		def test_private_repository_mesos_app():
984			""" Test private docker registry with mesos containerizer using "credentials" container field.
985			Note: Despite of what DC/OS docmentation states this feature is not yet implemented:
986			https://issues.apache.org/jira/browse/MESOS-7088
987			"""
	985		""" Test private docker registry with mesos containerizer using "config" container's image field."""
988	986
989			client = marathon.create_client()
	987		username = os.environ['DOCKER_HUB_USERNAME']
		zen-dogUnsubmitted Done Those asserts here and in `test_create_pod_with_private_image()` are not necessary since you skip the test if they're not there anyway?
		kensipeUnsubmitted Not Done yes
		kensipeUnsubmitted Not Done I don't see `docker_env_set()` in the skipif.. however it is likely that we are skipping if we are missing expected ENV.. that makes these assert 'DOCKER_XYZ` not useful.
990			assert 'DOCKER_HUB_USERNAME' in os.environ, "Couldn't find docker hub username. $DOCKER_HUB_USERNAME is not set"
991			assert 'DOCKER_HUB_PASSWORD' in os.environ, "Couldn't find docker hub password. $DOCKER_HUB_PASSWORD is not set"
	988		password = os.environ['DOCKER_HUB_PASSWORD']
992	989
993			principal = os.environ['DOCKER_HUB_USERNAME']
994			secret = os.environ['DOCKER_HUB_PASSWORD']
	990		secret_name = "dockerPullConfig"
	991		secret_value_json = common.create_docker_pull_config_json(username, password)
995	992
996			app_def = common.private_mesos_container_app(principal, secret)
997			client.add_app(app_def)
998			shakedown.deployment_wait()
	993		import json
	994		secret_value = json.dumps(secret_value_json)
999	995
1000			common.assert_app_tasks_running(client, app_def)
	996		client = marathon.create_client()
	997		common.create_secret(secret_name, secret_value)
	998
	999		try:
	1000		app_def = common.private_mesos_container_app(secret_name)
	1001		client.add_app(app_def)
	1002		shakedown.deployment_wait()
	1003
	1004		common.assert_app_tasks_running(client, app_def)
	1005		finally:
	1006		common.delete_secret(secret_name)
1001	1007
1002	1008
1003	1009		def test_ping(marathon_service_name):
1004	1010		""" Tests the API end point for marathon /ping
1005	1011		This isn't provided by the client object and will need to create the url to test
1006	1012		"""
1007	1013		response = common.http_get_marathon_path('ping', marathon_service_name)
1008	1014		assert response.status_code == 200
▲ Show 20 Lines • Show All 238 Lines • Show Last 20 Lines

View Options

tests/system/marathon_pods_tests.py

1	1		"""Marathon pod acceptance tests for DC/OS."""
2	2
	3		import common
3	4		import os
4	5		import pytest
5	6		import uuid
6	7		import retrying
7	8		import shakedown
8	9		import time
9	10
10	11		from distutils.version import LooseVersion
11	12		from urllib.parse import urljoin
12	13
13	14		from common import (block_port, cluster_info, event_fixture, get_pod_tasks, ip_other_than_mom,
14	15		pin_pod_to_host, restore_iptables, save_iptables)
15	16		from dcos import marathon, util, http
16			from shakedown import dcos_1_9, dcos_version_less_than, private_agents, required_private_agents
	17		from shakedown import dcos_1_9, dcos_1_10, dcos_version_less_than, private_agents, required_private_agents
17	18		from utils import fixture_dir, get_resource, parse_json
18	19
19	20
20	21		PACKAGE_NAME = 'marathon'
21	22		DCOS_SERVICE_URL = shakedown.dcos_service_url(PACKAGE_NAME) + "/"
22	23
23	24
24	25		def _pods_json(file="simple-pods.json"):
25	26		return get_resource(os.path.join(fixture_dir(), file))
26	27
27	28
28	29		def _clear_pods():
29	30		# clearing doesn't cause
30	31		try:
31	32		client = marathon.create_client()
32	33		pods = client.list_pod()
33	34		for pod in pods:
34	35		client.remove_pod(pod["id"], True)
35	36		shakedown.deployment_wait()
36	37		except:
37	38		pass
38	39
39
40	40		def _pods_url(path=""):
41	41		return "v2/pods/" + path
42	42
43	43
44	44		def _pod_status_url(pod_id):
45	45		path = pod_id + "/::status"
46	46		return _pods_url(path)
47	47
Show All 35 Lines
83	83		pod_json = _pods_json()
84	84		pod_json["id"] = pod_id
85	85		client.add_pod(pod_json)
86	86		shakedown.deployment_wait()
87	87		pod = client.show_pod(pod_id)
88	88		assert pod is not None
89	89
90	90
	91		@pytest.mark.skipif("docker_env_set()")
	92		@dcos_1_10
	93		def test_create_pod_with_private_image():
	94		username = os.environ['DOCKER_HUB_USERNAME']
	95		password = os.environ['DOCKER_HUB_PASSWORD']
		kensipeUnsubmitted Done do we need these assertions?
	96
	97		secret_name = "dockerPullConfig"
	98		secret_value_json = common.create_docker_pull_config_json(username, password)
	99
	100		import json
	101		secret_value = json.dumps(secret_value_json)
	102
	103		client = marathon.create_client()
	104		common.create_secret(secret_name, secret_value)
	105
	106		try:
	107		pod_def = common.private_docker_pod(secret_name)
	108		client.add_pod(pod_def)
	109		shakedown.deployment_wait()
	110		pod = client.show_pod(pod_def["id"])
		kensipeUnsubmitted Done why do we define the app json for secrets behind a function and for the longer pod json we do not? I'm a fan of pulling this out so the test focuses on the setup and assertion.. but it isn't that big of a deal.
	111		assert pod is not None
	112		finally:
	113		client.delete_secret(secret_name)
	114
	115
91	116		@dcos_1_9
92	117		@pytest.mark.usefixtures("event_fixture")
93	118		def test_event_channel_for_pods():
94	119		""" Tests the Marathon event channnel specific to pod events.
95	120		"""
96	121		client = marathon.create_client()
97	122		pod_id = "/pod-create"
98	123
▲ Show 20 Lines • Show All 332 Lines • Show Last 20 Lines

View Options

tests/system/test_marathon_on_marathon_ee.py

Show First 20 Lines • Show All 159 Lines • ▼ Show 20 Line(s)
160	160	url = urljoin(dcos_url(), 'acs/api/v1/acls/dcos:superuser/users/{}'.format(MOM_EE_SERVICE_ACCOUNT))
161	161	req = http.get(url)
162	162	assert req.json()['array'][0]['url'] == '/acs/api/v1/acls/dcos:superuser/users/{}/full'.format(MOM_EE_SERVICE_ACCOUNT), "Service account permissions couldn't be set"
163	163
164	164
165	165	def ensure_secret(strict=False):
166	166	if has_secret(MOM_EE_SECRET_NAME):
167	167	delete_secret(MOM_EE_SECRET_NAME)
168		create_secret(MOM_EE_SECRET_NAME, MOM_EE_SERVICE_ACCOUNT, strict)
	168	create_sa_secret(MOM_EE_SECRET_NAME, MOM_EE_SERVICE_ACCOUNT, strict)
169	169	assert has_secret(MOM_EE_SECRET_NAME)
170	170
171	171
172	172	def ensure_docker_credentials():
173	173	# Docker username and password should be passed as environment variables `DOCKER_HUB_USERNAME`
174	174	# and `DOCKER_HUB_PASSWORD` (usually by jenkins)
175	175	assert 'DOCKER_HUB_USERNAME' in os.environ, "Couldn't find docker hub username. $DOCKER_HUB_USERNAME is not set"
176	176	assert 'DOCKER_HUB_PASSWORD' in os.environ, "Couldn't find docker hub password. $DOCKER_HUB_PASSWORD is not set"
Show All 24 Lines

Support passing a Docker config.json for app / pod being launchedClosedAll UsersActions

Details

Diff Detail

Revision Contents

Diff 3383

docs/docs/blue-green-deploy.md

docs/docs/native-docker.md

docs/docs/pods.md

docs/docs/rest-api/public/api/v2/schema/AppDefinition.json

docs/docs/rest-api/public/api/v2/types/appContainer.raml

docs/docs/rest-api/public/api/v2/types/docker.raml

docs/docs/rest-api/public/api/v2/types/podContainer.raml

project/Dependencies.scala

project/RamlGeneratorPlugin.scala

project/plugins.sbt

src/main/java/mesosphere/marathon/Protos.java

src/main/proto/README.md

src/main/proto/marathon.proto

src/main/proto/mesos/mesos.proto

src/main/scala/mesosphere/marathon/api/serialization/ContainerSerializer.scala

src/main/scala/mesosphere/marathon/api/serialization/SecretSerializer.scala

src/main/scala/mesosphere/marathon/api/v2/validation/AppValidation.scala

src/main/scala/mesosphere/marathon/api/v2/validation/PodsValidation.scala

src/main/scala/mesosphere/marathon/raml/ContainerConversion.scala

src/main/scala/mesosphere/marathon/state/Container.scala

src/test/scala/mesosphere/marathon/api/v2/AppsResourceTest.scala

src/test/scala/mesosphere/marathon/api/v2/PodsResourceTest.scala

src/test/scala/mesosphere/marathon/api/v2/validation/AppValidationTest.scala

src/test/scala/mesosphere/marathon/raml/ContainerConversionTest.scala

src/test/scala/mesosphere/mesos/TaskBuilderTest.scala

tests/system/common.py

tests/system/marathon_common_tests.py

tests/system/marathon_pods_tests.py

tests/system/test_marathon_on_marathon_ee.py

Support passing a Docker config.json for app / pod being launched
ClosedAll Users
Actions