Merge pull request #1502 from amaltaro/fix-couchdb-vm

Correct user info for CouchDB image; remove unneded cert/proxy hooks

docker/couchdb/Dockerfile

@@ -6,11 +6,14 @@ RUN pip install CMSCouchapp
 
 ENV WDIR=/data
 ENV USER=_couchdb
+ENV UGID=100022
 
 RUN mkdir -p /etc/grid-security
 
 # add new user
-RUN useradd ${USER} && install -o ${USER} -d ${WDIR}
+RUN groupadd -g ${UGID} ${USER}
+RUN useradd -m ${USER} -u ${UGID} -g ${UGID}
+RUN install -o ${USER} -d ${WDIR}
 # add user to sudoers file
 RUN echo "%$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
 # switch to user
@@ -20,14 +23,6 @@ USER ${USER}
 RUN mkdir -p $WDIR
 WORKDIR ${WDIR}
 
-# pass env variable to the build
-ARG CMSK8S
-ENV CMSK8S=$CMSK8S
-ARG COUCH_USER
-ENV COUCH_USER=$COUCH_USER
-ARG COUCH_PASS
-ENV COUCH_PASS=$COUCH_PASS
-
 # get binary build of couchdb exporter
 RUN curl -ksLO https://github.com/gesellix/couchdb-prometheus-exporter/releases/download/v27.0.0/couchdb-prometheus-exporter_27.0.0_Linux_x86_64.tar.gz
 RUN tar xfz couchdb-prometheus-exporter_27.0.0_Linux_x86_64.tar.gz
@@ -49,7 +44,6 @@ RUN mkdir -p /data/srv/current/config/couchdb \
     && ln -s /etc/secrets/couch_creds /data/srv/current/auth/couchdb/couch_creds \
     && ln -s /etc/secrets/local.ini /data/srv/current/config/couchdb/local.ini
 ADD manage /data/srv/current/config/couchdb/manage
-ADD couchdb-logrotate.conf /data/srv/current/config/couchdb/couchdb-logrotate.conf
 
 ENV PATH="/opt/couchdb/bin:/usr/local/bin/:${PATH}"
 

docker/couchdb/README.md

@@ -1,31 +1,28 @@
-
-
-### build image
-docker build -t cmssw/couchdb .
-
-### list images
-docker images
-
-### list of running containers
-docker ps --no-trunc -aq
-
-### remove all running containers
-docker rm -f `docker ps --no-trunc -aq`
-
-### run given image
-docker run --rm -h `hostname -f` -v /tmp/vk:/etc/secrets -i -t cmssw/couchdb /bin/bash
-
-### remove existing image
-docker rmi cmssw/couchdb
-
-### inspect running container
-docker ps # find docker id
-docker inspect <docker_id> | grep IPAddress
-
-### push image to docker.com
-docker push cmssw/couchdb
-
-### references
-https://stackoverflow.com/questions/18497688/run-a-docker-image-as-a-container#18498313
-https://stackoverflow.com/questions/17236796/how-to-remove-old-docker-containers#17237701
-http://goinbigdata.com/docker-run-vs-cmd-vs-entrypoint/
+### CouchDB image construction
+Image is built with the expected `_couchdb` user, also used to run the service.
+* latest version has been tagged as `3.2.2-stable`.
+* **configuration**: available under `/data/srv/auth/couchdb/`,
+* **database**: both database and views are available under `/data/srv/state/couchdb/database/`.
+* **couchapps**: couchapps libraries and code is available under `/data/srv/state/couchdb/stagingarea/`.
+* **logs**: finally, service logs can be found at `/data/srv/logs/couchdb/`.
+
+### Run CouchDB container
+Connect to the cmsweb backend VM with the cmsweb account and:
+```
+cd /data/srv
+curl https://raw.githubusercontent.com/dmwm/CMSKubernetes/ffb19657b8a768b5a03557bb97021006270fb28b/docker/couchdb/docker-run.sh > docker-run.sh
+chmod +x docker-run.sh 
+./docker-run.sh
+```
+
+### Stop CouchDB container
+Connect to the cmsweb backend VM with the cmsweb account and:
+```
+docker stop couchdb
+docker rm couchdb
+```
+
+### Checking status of CouchDB service
+```
+docker exec -it couchdb sh -c "/data/srv/current/config/couchdb/manage status"
+```

docker/couchdb/db_summary.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+"""
+Script to list all databases in CouchDB and print a basic summary for each of them.
+"""
+import os
+import sys
+import socket
+import requests
+from itertools import chain
+
+# Fetch a list of databases
+resp = requests.get(f'http://localhost:5984/_all_dbs')
+if resp.status_code >= 400:
+    print(f"Failed to list databases: {resp.status_code}")
+else:
+    all_dbs = resp.json()
+print(f"Node contains the following databases: {all_dbs}")
+
+
+print(f"\n***** Summary of databases ****")
+for db_name in all_dbs:
+    resp = requests.get(f'http://localhost:5984/{db_name}')
+    if resp.status_code >= 400:
+        print(f"Request failed for db {db_name} with status code: {resp.status_code}")
+    else:
+        data = {}
+        for kname, kdata in resp.json().items():
+            if kname in ["db_name", "doc_count", "doc_del_count", "sizes"]:
+                data[kname] = kdata
+        print(data)

docker/couchdb/docker-run.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+COUCH_LOGS_DIR=/data/srv/logs/couchdb/
+COUCH_DB_DIR=/data/srv/state/couchdb/database/
+COUCH_STAGING_DIR=/data/srv/state/couchdb/stagingarea/
+COUCH_USR=_couchdb
+
+echo "Creating necessary directories on the host to persist logs and data"
+mkdir -p $COUCH_LOGS_DIR
+mkdir -p $COUCH_DB_DIR
+mkdir -p $COUCH_STAGING_DIR
+sudo chown $COUCH_USR:zh $COUCH_LOGS_DIR
+sudo chown -R $COUCH_USR:zh $COUCH_DB_DIR/..
+
+# Define directory to store credentials and standard configuration
+COUCH_SECR_DIR=/data/srv/auth/couchdb/
+echo "Creating directory to store credentials and local.ini under: $COUCH_SECR_DIR"
+mkdir -p $COUCH_SECR_DIR
+sudo chown -R $COUCH_USR:zh $COUCH_SECR_DIR
+
+# Define command line arguments for docker run
+dockerOpts=" \
+--detach \
+--network=host \
+--hostname=$(hostname -f) \
+--name=couchdb \
+--mount type=bind,source=$COUCH_SECR_DIR,target=/etc/secrets \
+--mount type=bind,source=$COUCH_DB_DIR,target=$COUCH_DB_DIR \
+--mount type=bind,source=$COUCH_STAGING_DIR,target=$COUCH_STAGING_DIR \
+--mount type=bind,source=$COUCH_LOGS_DIR,target=$COUCH_LOGS_DIR \
+"
+
+couch_tag=3.2.2-stable
+echo "Executing docker run for CouchDB tag: $couch_tag"
+docker run $dockerOpts registry.cern.ch/cmsweb/couchdb:$couch_tag && docker logs -f couchdb

docker/couchdb/run.sh

@@ -1,33 +1,10 @@
 #!/bin/bash
-srv=`echo $USER | sed -e "s,_,,g"`
-
-# overwrite host PEM files in /data/srv area
-if [ -f /etc/secrets/robotkey.pem ]; then
-    sudo cp /etc/secrets/robotkey.pem /data/srv/current/auth/$srv/dmwm-service-key.pem
-    sudo cp /etc/secrets/robotcert.pem /data/srv/current/auth/$srv/dmwm-service-cert.pem
-    sudo chown $USER.$USER /data/srv/current/auth/$srv/dmwm-service-key.pem
-    sudo chown $USER.$USER /data/srv/current/auth/$srv/dmwm-service-cert.pem
-fi
+srv=$(echo $USER | sed -e "s,_,,g")
 
 if [ -f /etc/secrets/couch_creds ]; then
     export COUCH_CREDS=/etc/secrets/couch_creds
 fi
 
-# overwrite proxy if it is present in /etc/proxy
-if [ -f /etc/proxy/proxy ]; then
-    export X509_USER_PROXY=/etc/proxy/proxy
-    mkdir -p /data/srv/state/$srv/proxy
-    if [ -f /data/srv/state/$srv/proxy/proxy.cert ]; then
-        rm /data/srv/state/$srv/proxy/proxy.cert
-    fi
-    ln -s /etc/proxy/proxy /data/srv/state/$srv/proxy/proxy.cert
-    mkdir -p /data/srv/current/auth/proxy
-    if [ -f /data/srv/current/auth/proxy/proxy ]; then
-        rm /data/srv/current/auth/proxy/proxy
-    fi
-    ln -s /etc/proxy/proxy /data/srv/current/auth/proxy/proxy
-fi
-
 # overwrite header-auth key file with one from secrets
 if [ -f /etc/secrets/hmac ]; then
     mkdir -p /data/srv/current/auth/wmcore-auth
@@ -53,7 +30,7 @@ fi
 
 # use service configuration files from /etc/secrets if they are present
 cdir=/data/srv/current/config/$srv
-files=`ls $cdir`
+files=$(ls $cdir)
 for fname in $files; do
     if [ -f /etc/secrets/$fname ]; then
         if [ -f $cdir/$fname ]; then
@@ -63,7 +40,7 @@ for fname in $files; do
         sudo chown $USER.$USER $cdir/$fname
     fi
 done
-files=`ls /etc/secrets`
+files=$(ls /etc/secrets)
 for fname in $files; do
     if [ ! -f $cdir/$fname ]; then
         sudo cp /etc/secrets/$fname /data/srv/current/auth/$srv/$fname