feat(appstore): add service volumes and published ports
This commit is contained in:
+274
-15
@@ -5,14 +5,258 @@
|
||||
*/
|
||||
|
||||
import * as plugins from '../plugins.ts';
|
||||
import type { IService, IContainerStats } from '../types.ts';
|
||||
import type { IService, IContainerStats, IServicePublishedPort } from '../types.ts';
|
||||
import { logger } from '../logging.ts';
|
||||
import { getErrorMessage } from '../utils/error.ts';
|
||||
|
||||
type TExpandedPublishedPort = Required<Pick<
|
||||
IServicePublishedPort,
|
||||
'targetPort' | 'publishedPort' | 'protocol' | 'hostIp'
|
||||
>>;
|
||||
|
||||
export class OneboxDockerManager {
|
||||
private dockerClient: InstanceType<typeof plugins.docker.Docker> | null = null;
|
||||
private networkName = 'onebox-network';
|
||||
|
||||
private getDockerSafeName(valueArg: string, maxLengthArg = 120): string {
|
||||
const safeName = valueArg
|
||||
.replace(/[^a-zA-Z0-9_.-]+/g, '-')
|
||||
.replace(/^[^a-zA-Z0-9]+|[^a-zA-Z0-9]+$/g, '')
|
||||
.slice(0, maxLengthArg)
|
||||
.replace(/[^a-zA-Z0-9]+$/g, '');
|
||||
return safeName || 'data';
|
||||
}
|
||||
|
||||
private getServiceVolumeSource(serviceArg: IService, mountPathArg: string, requestedSourceArg?: string): string {
|
||||
if (requestedSourceArg) {
|
||||
return this.getDockerSafeName(requestedSourceArg);
|
||||
}
|
||||
const mountName = this.getDockerSafeName(mountPathArg.replace(/^\/+/, '').replace(/\/+$/g, ''), 40);
|
||||
return this.getDockerSafeName(`onebox-${serviceArg.name}-${mountName}`);
|
||||
}
|
||||
|
||||
private getStandaloneVolumeBinds(serviceArg: IService): string[] {
|
||||
return (serviceArg.volumes || []).map((volumeArg) => {
|
||||
const source = this.getServiceVolumeSource(serviceArg, volumeArg.mountPath, volumeArg.source || volumeArg.name);
|
||||
return `${source}:${volumeArg.mountPath}${volumeArg.readOnly ? ':ro' : ''}`;
|
||||
});
|
||||
}
|
||||
|
||||
private getSwarmVolumeMounts(serviceArg: IService): Array<Record<string, unknown>> {
|
||||
return (serviceArg.volumes || []).map((volumeArg) => ({
|
||||
Type: 'volume',
|
||||
Source: this.getServiceVolumeSource(serviceArg, volumeArg.mountPath, volumeArg.source || volumeArg.name),
|
||||
Target: volumeArg.mountPath,
|
||||
ReadOnly: Boolean(volumeArg.readOnly),
|
||||
VolumeOptions: {
|
||||
DriverConfig: {
|
||||
Name: volumeArg.driver || 'local',
|
||||
Options: volumeArg.options || {},
|
||||
},
|
||||
Labels: {
|
||||
'managed-by': 'onebox',
|
||||
'onebox-service': serviceArg.name,
|
||||
'onebox-mount-path': volumeArg.mountPath,
|
||||
'onebox-backup': String(volumeArg.backup !== false),
|
||||
},
|
||||
},
|
||||
}));
|
||||
}
|
||||
|
||||
public validateServiceSpec(serviceArg: IService): void {
|
||||
this.assertValidPort(serviceArg.port, `service port for ${serviceArg.name}`);
|
||||
|
||||
for (const volumeArg of serviceArg.volumes || []) {
|
||||
if (!volumeArg.mountPath || !volumeArg.mountPath.startsWith('/')) {
|
||||
throw new Error(`Volume mountPath for service ${serviceArg.name} must be an absolute path`);
|
||||
}
|
||||
if (volumeArg.mountPath.includes(':')) {
|
||||
throw new Error(`Volume mountPath for service ${serviceArg.name} must not contain ':'`);
|
||||
}
|
||||
if ((volumeArg.source || volumeArg.name)?.includes(':')) {
|
||||
throw new Error(`Volume source/name for service ${serviceArg.name} must not contain ':'`);
|
||||
}
|
||||
}
|
||||
|
||||
this.expandPublishedPorts(serviceArg);
|
||||
}
|
||||
|
||||
private assertValidPort(portArg: number, labelArg: string): void {
|
||||
if (!Number.isInteger(portArg) || portArg < 1 || portArg > 65535) {
|
||||
throw new Error(`Invalid ${labelArg}: ${portArg}. Expected an integer port between 1 and 65535.`);
|
||||
}
|
||||
}
|
||||
|
||||
private expandPublishedPorts(serviceArg: IService): TExpandedPublishedPort[] {
|
||||
const expandedPorts: TExpandedPublishedPort[] = [];
|
||||
const seenPublishedPorts = new Set<string>();
|
||||
|
||||
for (const portArg of serviceArg.publishedPorts || []) {
|
||||
const protocol = portArg.protocol || 'tcp';
|
||||
const targetStart = portArg.targetPort;
|
||||
const targetEnd = portArg.targetPortEnd || targetStart;
|
||||
const publishedStart = portArg.publishedPort || targetStart;
|
||||
const publishedEnd = portArg.publishedPortEnd || (publishedStart + (targetEnd - targetStart));
|
||||
const hostIp = portArg.hostIp || '0.0.0.0';
|
||||
|
||||
if (!['tcp', 'udp'].includes(protocol)) {
|
||||
throw new Error(`Invalid published port protocol for service ${serviceArg.name}: ${protocol}`);
|
||||
}
|
||||
this.assertValidPort(targetStart, `published targetPort for service ${serviceArg.name}`);
|
||||
this.assertValidPort(targetEnd, `published targetPortEnd for service ${serviceArg.name}`);
|
||||
this.assertValidPort(publishedStart, `published publishedPort for service ${serviceArg.name}`);
|
||||
this.assertValidPort(publishedEnd, `published publishedPortEnd for service ${serviceArg.name}`);
|
||||
if (targetEnd < targetStart) {
|
||||
throw new Error(`Invalid target port range for service ${serviceArg.name}: ${targetStart}-${targetEnd}`);
|
||||
}
|
||||
if (publishedEnd < publishedStart) {
|
||||
throw new Error(`Invalid published port range for service ${serviceArg.name}: ${publishedStart}-${publishedEnd}`);
|
||||
}
|
||||
if ((targetEnd - targetStart) !== (publishedEnd - publishedStart)) {
|
||||
throw new Error(
|
||||
`Published port range size must match target port range size for service ${serviceArg.name}`,
|
||||
);
|
||||
}
|
||||
if (!this.isValidHostIp(hostIp)) {
|
||||
throw new Error(`Invalid hostIp for service ${serviceArg.name}: ${hostIp}`);
|
||||
}
|
||||
|
||||
for (let offset = 0; offset <= targetEnd - targetStart; offset++) {
|
||||
const publishedPort = publishedStart + offset;
|
||||
const publishedKey = `${hostIp}/${protocol}/${publishedPort}`;
|
||||
const wildcardKey = `0.0.0.0/${protocol}/${publishedPort}`;
|
||||
const conflictsWithWildcard = hostIp === '0.0.0.0'
|
||||
? Array.from(seenPublishedPorts).some((keyArg) => keyArg.endsWith(`/${protocol}/${publishedPort}`))
|
||||
: seenPublishedPorts.has(wildcardKey);
|
||||
if (seenPublishedPorts.has(publishedKey) || conflictsWithWildcard) {
|
||||
throw new Error(`Duplicate published port for service ${serviceArg.name}: ${hostIp}:${publishedPort}/${protocol}`);
|
||||
}
|
||||
seenPublishedPorts.add(publishedKey);
|
||||
expandedPorts.push({
|
||||
targetPort: targetStart + offset,
|
||||
publishedPort,
|
||||
protocol,
|
||||
hostIp,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
return expandedPorts;
|
||||
}
|
||||
|
||||
private isValidHostIp(hostIpArg: string): boolean {
|
||||
if (['0.0.0.0', '127.0.0.1', '::', '::1', 'localhost'].includes(hostIpArg)) return true;
|
||||
if (/^(\d{1,3}\.){3}\d{1,3}$/.test(hostIpArg)) {
|
||||
return hostIpArg.split('.').every((partArg) => Number(partArg) >= 0 && Number(partArg) <= 255);
|
||||
}
|
||||
return /^[0-9a-fA-F:]+$/.test(hostIpArg);
|
||||
}
|
||||
|
||||
private async assertPublishedPortsAvailable(serviceArg: IService): Promise<void> {
|
||||
const publishedPorts = this.expandPublishedPorts(serviceArg);
|
||||
if (publishedPorts.length === 0) return;
|
||||
|
||||
await this.assertPublishedPortsNotUsedByDocker(serviceArg, publishedPorts);
|
||||
await this.assertPublishedPortsNotUsedByHost(serviceArg, publishedPorts);
|
||||
}
|
||||
|
||||
private async assertPublishedPortsNotUsedByDocker(
|
||||
serviceArg: IService,
|
||||
publishedPortsArg: TExpandedPublishedPort[],
|
||||
): Promise<void> {
|
||||
const requestedPorts = new Set(
|
||||
publishedPortsArg.map((portArg) => `${portArg.protocol}/${portArg.publishedPort}`),
|
||||
);
|
||||
|
||||
try {
|
||||
const containersResponse = await this.dockerClient!.request('GET', '/containers/json?all=true', {});
|
||||
if (containersResponse.statusCode === 200 && Array.isArray(containersResponse.body)) {
|
||||
for (const containerArg of containersResponse.body) {
|
||||
const labels = containerArg.Labels || {};
|
||||
if (labels['onebox-service'] === serviceArg.name) continue;
|
||||
for (const portArg of containerArg.Ports || []) {
|
||||
if (!portArg.PublicPort || !portArg.Type) continue;
|
||||
if (requestedPorts.has(`${portArg.Type}/${portArg.PublicPort}`)) {
|
||||
throw new Error(
|
||||
`Published port ${portArg.PublicPort}/${portArg.Type} is already used by container ${containerArg.Names?.[0] || containerArg.Id}`,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const servicesResponse = await this.dockerClient!.request('GET', '/services', {});
|
||||
if (servicesResponse.statusCode === 200 && Array.isArray(servicesResponse.body)) {
|
||||
for (const service of servicesResponse.body) {
|
||||
if (service.Spec?.Name === `onebox-${serviceArg.name}`) continue;
|
||||
for (const portArg of service.Endpoint?.Ports || []) {
|
||||
if (!portArg.PublishedPort || !portArg.Protocol) continue;
|
||||
if (requestedPorts.has(`${portArg.Protocol}/${portArg.PublishedPort}`)) {
|
||||
throw new Error(
|
||||
`Published port ${portArg.PublishedPort}/${portArg.Protocol} is already used by Docker service ${service.Spec?.Name || service.ID}`,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
if (error instanceof Error && error.message.startsWith('Published port ')) throw error;
|
||||
logger.warn(`Could not complete Docker published-port preflight: ${getErrorMessage(error)}`);
|
||||
}
|
||||
}
|
||||
|
||||
private async assertPublishedPortsNotUsedByHost(
|
||||
serviceArg: IService,
|
||||
publishedPortsArg: TExpandedPublishedPort[],
|
||||
): Promise<void> {
|
||||
for (const portArg of publishedPortsArg) {
|
||||
try {
|
||||
if (portArg.protocol === 'udp') {
|
||||
await this.assertUdpPortAvailable(portArg.hostIp, portArg.publishedPort);
|
||||
} else {
|
||||
const listener = Deno.listen({ hostname: portArg.hostIp, port: portArg.publishedPort });
|
||||
listener.close();
|
||||
}
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
`Published port ${portArg.hostIp}:${portArg.publishedPort}/${portArg.protocol} for service ${serviceArg.name} is not available: ${getErrorMessage(error)}`,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private async assertUdpPortAvailable(hostIpArg: string, portArg: number): Promise<void> {
|
||||
const dgram = await import('node:dgram');
|
||||
const socket = dgram.createSocket(hostIpArg.includes(':') ? 'udp6' : 'udp4');
|
||||
await new Promise<void>((resolve, reject) => {
|
||||
socket.once('error', reject);
|
||||
socket.bind(portArg, hostIpArg, () => {
|
||||
socket.close();
|
||||
resolve();
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
private getStandalonePortConfig(serviceArg: IService): {
|
||||
exposedPorts: Record<string, Record<string, never>>;
|
||||
portBindings: Record<string, Array<{ HostIp: string; HostPort: string }>>;
|
||||
} {
|
||||
const exposedPorts: Record<string, Record<string, never>> = {
|
||||
[`${serviceArg.port}/tcp`]: {},
|
||||
};
|
||||
const portBindings: Record<string, Array<{ HostIp: string; HostPort: string }>> = {
|
||||
[`${serviceArg.port}/tcp`]: [],
|
||||
};
|
||||
|
||||
for (const publishedPort of this.expandPublishedPorts(serviceArg)) {
|
||||
const key = `${publishedPort.targetPort}/${publishedPort.protocol}`;
|
||||
exposedPorts[key] = {};
|
||||
portBindings[key] = [{ HostIp: publishedPort.hostIp, HostPort: String(publishedPort.publishedPort) }];
|
||||
}
|
||||
|
||||
return { exposedPorts, portBindings };
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize Docker client and create onebox network
|
||||
*/
|
||||
@@ -122,6 +366,9 @@ export class OneboxDockerManager {
|
||||
*/
|
||||
async createContainer(service: IService): Promise<string> {
|
||||
try {
|
||||
this.validateServiceSpec(service);
|
||||
await this.assertPublishedPortsAvailable(service);
|
||||
|
||||
// Check if Docker is in Swarm mode
|
||||
let isSwarmMode = false;
|
||||
try {
|
||||
@@ -158,6 +405,8 @@ export class OneboxDockerManager {
|
||||
env.push(`${key}=${value}`);
|
||||
}
|
||||
|
||||
const portConfig = this.getStandalonePortConfig(service);
|
||||
|
||||
// Create container using Docker REST API directly
|
||||
const response = await this.dockerClient!.request('POST', `/containers/create?name=onebox-${service.name}`, {
|
||||
Image: fullImage,
|
||||
@@ -166,18 +415,14 @@ export class OneboxDockerManager {
|
||||
'managed-by': 'onebox',
|
||||
'onebox-service': service.name,
|
||||
},
|
||||
ExposedPorts: {
|
||||
[`${service.port}/tcp`]: {},
|
||||
},
|
||||
ExposedPorts: portConfig.exposedPorts,
|
||||
HostConfig: {
|
||||
NetworkMode: this.networkName,
|
||||
RestartPolicy: {
|
||||
Name: 'unless-stopped',
|
||||
},
|
||||
PortBindings: {
|
||||
// Don't bind to host ports - nginx will proxy
|
||||
[`${service.port}/tcp`]: [],
|
||||
},
|
||||
PortBindings: portConfig.portBindings,
|
||||
Binds: this.getStandaloneVolumeBinds(service),
|
||||
},
|
||||
});
|
||||
|
||||
@@ -207,6 +452,25 @@ export class OneboxDockerManager {
|
||||
env.push(`${key}=${value}`);
|
||||
}
|
||||
|
||||
const expandedPublishedPorts = this.expandPublishedPorts(service);
|
||||
const endpointPorts: Array<Record<string, unknown>> = [];
|
||||
if (!expandedPublishedPorts.some((publishedPort) => publishedPort.protocol === 'tcp' && publishedPort.targetPort === service.port)) {
|
||||
endpointPorts.push({
|
||||
Protocol: 'tcp',
|
||||
TargetPort: service.port,
|
||||
PublishMode: 'host',
|
||||
});
|
||||
}
|
||||
|
||||
for (const publishedPort of expandedPublishedPorts) {
|
||||
endpointPorts.push({
|
||||
Protocol: publishedPort.protocol,
|
||||
TargetPort: publishedPort.targetPort,
|
||||
PublishedPort: publishedPort.publishedPort,
|
||||
PublishMode: 'host',
|
||||
});
|
||||
}
|
||||
|
||||
// Create Swarm service using Docker REST API
|
||||
const response = await this.dockerClient!.request('POST', '/services/create', {
|
||||
Name: `onebox-${service.name}`,
|
||||
@@ -218,6 +482,7 @@ export class OneboxDockerManager {
|
||||
ContainerSpec: {
|
||||
Image: fullImage,
|
||||
Env: env,
|
||||
Mounts: this.getSwarmVolumeMounts(service),
|
||||
Labels: {
|
||||
'managed-by': 'onebox',
|
||||
'onebox-service': service.name,
|
||||
@@ -239,13 +504,7 @@ export class OneboxDockerManager {
|
||||
},
|
||||
},
|
||||
EndpointSpec: {
|
||||
Ports: [
|
||||
{
|
||||
Protocol: 'tcp',
|
||||
TargetPort: service.port,
|
||||
PublishMode: 'host',
|
||||
},
|
||||
],
|
||||
Ports: endpointPorts,
|
||||
},
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user