Release 7.0.0 - See CHANGELOG.md

tiredofit · Jan 6, 2023 · 24e5018 · 24e5018
1 parent beced1a
commit 24e5018
Show file tree

Hide file tree

Showing 10 changed files with 182 additions and 79 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 7.0.0 2023-01-06 <dave at tiredofit dot ca>
+
+This release changes some environment variable names to more explicit variables for this image as opposed to piggybacking off of base image variables. Please review changelog accordingly and make necessary changes by following the variables in the README
+
+   ### Added
+      - [logging] Added Timestamps for Logging. LOG_LEVEL=DEBUG also provides line number of script for troubleshooting
+      - [logging] Add LOG_TYPE (CONSOLE,FILE,BOTH) options for better logging. FILE and BOTH also include log rotation
+      - [runtime] Ability to run as non root - User available is `tcc` by setting environment variable 'TCC_USER' - Will check if it can access Docker Socket and fail if not
+
+   ### Changed
+      - Environment variable SWARM_MODE changes to DOCKER_SWARM_MODE
+      - CONTAINER_LOG_LEVEL changes to LOG_LEVEL
+      - Switch to using packaged Docker python module instead of building ourselves
+
+
 ## 6.10.0 2022-12-14 <dave at tiredofit dot ca>
 
    ### Added

diff --git a/Dockerfile b/Dockerfile
@@ -11,6 +11,14 @@ ENV CONTAINER_ENABLE_MESSAGING=FALSE \
 
 RUN source /assets/functions/00-container && \
     set -x && \
+    addgroup -S -g 10000 tcc && \
+    adduser -D -S -s /sbin/nologin \
+            -h /dev/null \
+            -G tcc \
+            -g "tcc" \
+            -u 10000 tcc \
+            && \
+    \
     package update && \
     package upgrade && \
     package install .tcc-build-deps \
@@ -26,6 +34,7 @@ RUN source /assets/functions/00-container && \
                 && \
     \
     package install .tcc-run-deps \
+                docker-py \
                 py3-beautifulsoup4 \
                 py3-certifi \
                 py3-chardet \
@@ -43,12 +52,11 @@ RUN source /assets/functions/00-container && \
     pip install \
             cloudflare \
             get-docker-secret \
-            docker[tls] \
             requests \
             && \
     \
     package remove .tcc-build-deps && \
-    package cleanup && \ 
+    package cleanup && \
     rm -rf /root/.cache \
            /root/.cargo
 

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2020 Dave Conroy
+Copyright (c) 2023 Dave Conroy
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
diff --git a/examples/docker-compose.yml b/examples/docker-compose.yml
@@ -1,12 +1,16 @@
-version: '3.7'
 services:
-
   cloudflare-companion:
     image: tiredofit/traefik-cloudflare-companion
     container_name: cloudflare-companion
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./logs:/logs
+      - /var/run/docker.sock:/var/run/docker.sock
     environment:
+      - TIMEZONE=America/Vancouver
+
+      - LOG_TYPE=BOTH
+      - LOG_LEVEL=INFO
+
       - TRAEFIK_VERSION=2
       - [email protected]
       - CF_TOKEN=fbSx3dk3A3mJ6UukLQ7zRbo63H5UdsGSCqQnTvbJDgyQaTp
@@ -18,12 +22,9 @@ services:
       #- DOCKER_CERT_PATH=/docker-certs
       #- DOCKER_TLS_VERIFY=1
     networks:
-    - internal
-    - services
+      - services
     restart: always
 
 networks:
-  internal:
-    external: false
   services:
     external: true
diff --git a/install/assets/defaults/10-cloudflare-companion b/install/assets/defaults/10-cloudflare-companion
@@ -0,0 +1,7 @@
+#!/command/with-contenv bash
+
+DOCKER_ENTRYPOINT=${DOCKER_ENTRYPOINT:-"unix:///var/run/docker.sock"}
+LOG_FILE=${LOG_FILE:-"tcc.log"}
+LOG_PATH=${LOG_PATH:-"/logs/"}
+LOG_TYPE=${LOG_TYPE:-"BOTH"}
+TCC_USER=${TCC_USER:-"root"}
diff --git a/install/assets/functions/10-cloudflare-companion b/install/assets/functions/10-cloudflare-companion
@@ -0,0 +1,35 @@
+#!/command/with-contenv bash
+
+bootstrap_filesystem() {
+    case "${LOG_TYPE,,}" in
+        both | file )
+            print_debug "[bootstrap_filesystem] Logging to file at '${LOG_PATH}/${LOG_FILE}'"
+            if [ ! -d "${LOG_PATH}" ] ; then
+                mkdir -p "${LOG_PATH}"
+            fi
+            if [ $(stat -c %U "${LOG_PATH}") != "${TCC_USER}" ] ; then chown "${TCC_USER}":"${TCC_USER}" "${LOG_PATH}" ; fi
+            if [ ! -f "${LOG_PATH}"/"${LOG_FILE}" ] ; then
+                sudo -u "${TCC_USER}" touch "${LOG_PATH}"/"${LOG_FILE}"
+            fi
+            create_logrotate tcc "${LOG_PATH}"/"${LOG_FILE}" "${TCC_USER}" "${TCC_USER}" tcc
+            if [ "$(stat -c %U "${LOG_PATH}"/"${LOG_FILE}")" != "${TCC_USER}" ] ; then chown "${TCC_USER}":"${TCC_USER}" "${LOG_PATH}"/"${LOG_FILE}" ; fi
+        ;;
+    esac
+}
+
+sanity_test() {
+    if [ -z "${DOCKER_HOST}" ] && [ "${TCC_USER}" != "root" ] ; then
+        if [ "$(echo "${DOCKER_ENTRYPOINT}" | sed -e 's,^\(.*://\).*,\1,g')" = "unix://" ] ; then
+            docker_socket="$(echo "${DOCKER_ENTRYPOINT}" | sed 's/^\s*.*:\/\///g'})"
+            if [ "$(stat -c %F "${docker_socket}")" = "socket" ] && [ "$(sudo -u "${TCC_USER}" test -r "${docker_socket}")" ] ; then
+                print_debug "[sanity_test] Can access Docker socket at '${docker_socket}' as user '${TCC_USER}'"
+            else
+                print_error "[sanity_test] Can't access Docker socket at '${docker_socket}' as user '${TCC_USER}'"
+            exit 1
+            fi
+        fi
+    fi
+
+    sanity_var TARGET_DOMAIN "Target Domain"
+    sanity_var DOMAIN1 "Domain 1"
+}
diff --git a/install/etc/cont-init.d/10-cloudflare-companion b/install/etc/cont-init.d/10-cloudflare-companion
@@ -4,8 +4,6 @@ source /assets/functions/00-container
 prepare_service single
 PROCESS_NAME="traefik-cloudflare-companion"
 
-### Sanity Test
-sanity_var TARGET_DOMAIN "Target Domain"
-sanity_var DOMAIN1 "Domain 1"
-
+bootstrap_filesystem
+sanity_test
 liftoff
diff --git a/install/etc/services.available/10-cloudflare-companion/run b/install/etc/services.available/10-cloudflare-companion/run
@@ -1,11 +1,14 @@
 #!/command/with-contenv bash
 
 source /assets/functions/00-container
+prepare_service defaults single
 PROCESS_NAME="traefik-cloudflare-companion"
 
 check_container_initialized
 check_service_initialized init
 liftoff
 
 print_start "Starting Traefik Cloudflare Companion"
-exec python3 -u /usr/sbin/cloudflare-companion
+exec s6-setuidgid "${TCC_USER}" \
+                                python3 \
+                                        -u /usr/sbin/cloudflare-companion
diff --git a/install/usr/sbin/cloudflare-companion b/install/usr/sbin/cloudflare-companion
@@ -7,55 +7,63 @@ from get_docker_secret import get_docker_secret
 import atexit
 import CloudFlare
 import docker
+import logging
+from logging.handlers import RotatingFileHandler
+from logging import handlers
 import os
 import re
 import requests
-import logging
+import sys
 import time
 import threading
 from urllib.parse import urlparse
 
+DRY_RUN = os.environ.get('DRY_RUN', "FALSE")
 DEFAULT_TTL = os.environ.get('DEFAULT_TTL', "1")
-SWARM_MODE = os.environ.get('SWARM_MODE', "FALSE")
+DOCKER_SWARM_MODE = os.environ.get('DOCKER_SWARM_MODE', "FALSE")
 ENABLE_TRAEFIK_POLL = os.environ.get('ENABLE_TRAEFIK_POLL', "FALSE")
+LOGFILE = os.environ.get('LOG_PATH', "/logs") + '/' + os.environ.get('LOG_FILE', "tcc.log")
+LOG_LEVEL = os.environ.get('LOG_LEVEL', "INFO")
+LOG_TYPE = os.environ.get('LOG_TYPE', "BOTH")
 REFRESH_ENTRIES = os.environ.get('REFRESH_ENTRIES', "FALSE")
-TRAEFIK_VERSION = os.environ.get('TRAEFIK_VERSION', "2")
-TRAEFIK_POLL_URL = os.environ.get('TRAEFIK_POLL_URL', None)
 TRAEFIK_POLL_SECONDS = int(os.environ.get('TRAEFIK_POLL_SECONDS', "60"))
-CONTAINER_LOG_LEVEL = os.environ.get('CONTAINER_LOG_LEVEL', "INFO")
-DRY_RUN = os.environ.get('DRY_RUN', "FALSE")
+TRAEFIK_POLL_URL = os.environ.get('TRAEFIK_POLL_URL', None)
+TRAEFIK_VERSION = os.environ.get('TRAEFIK_VERSION', "2")
 
 # set up logging
 logger = logging.getLogger(__name__)
 DEBUG = False
 VERBOSE = False
 date_fmt = "%Y-%m-%dT%H:%M:%S%z"
 
-if CONTAINER_LOG_LEVEL.upper() == "DEBUG":
+if LOG_LEVEL.upper() == "DEBUG":
     logger.setLevel(logging.DEBUG)
     fmt = "%(asctime)s %(levelname)s %(lineno)d | %(message)s"
     DEBUG = True
 
-if CONTAINER_LOG_LEVEL.upper() == "VERBOSE":
+if LOG_LEVEL.upper() == "VERBOSE":
     logger.setLevel(logging.DEBUG)
     fmt = "%(asctime)s %(levelname)s | %(message)s"
     DEBUG = True
     VERBOSE = True
 
-if CONTAINER_LOG_LEVEL.upper() == "NOTICE":
+if LOG_LEVEL.upper() == "NOTICE" or LOG_LEVEL.upper() == "INFO":
+    logger.setLevel(logging.INFO)
     fmt = "%(asctime)s %(levelname)s | %(message)s"
 
-if CONTAINER_LOG_LEVEL.upper() == "INFO":
-    fmt = "%(asctime)s %(levelname)s | %(message)s"
+if LOG_TYPE.upper() == "CONSOLE" or LOG_TYPE.upper() == "BOTH":
+    ch = logging.StreamHandler(sys.stdout)
+    formatter = logging.Formatter(fmt, date_fmt)
+    ch.setFormatter(formatter)
+    logger.addHandler(ch)
 
-ch = logging.StreamHandler()
-formatter = logging.Formatter(fmt, date_fmt)
-ch.setFormatter(formatter)
-logger.addHandler(ch)
+if LOG_TYPE.upper() == "FILE" or LOG_TYPE.upper() == "BOTH":
+    fh = handlers.logging.FileHandler(LOGFILE)
+    fh.setFormatter(formatter)
+    logger.addHandler(fh)
 
 synced_mappings = {}
 
-
 class RepeatedTimer(object):
     def __init__(self, interval, function, *args, **kwargs):
         self._timer = None
@@ -374,7 +382,7 @@ def get_initial_mappings(included_hosts, excluded_hosts):
         elif TRAEFIK_VERSION == "2":
             add_to_mappings(mappings, check_container_t2(c))
 
-    if SWARM_MODE:
+    if DOCKER_SWARM_MODE:
         logger.debug("Service List Discovery Loop")
         for s in api.services():
             full_serv_id = s["ID"]
@@ -446,10 +454,10 @@ if REFRESH_ENTRIES.lower() == "true":
 elif REFRESH_ENTRIES.lower() == "false":
     REFRESH_ENTRIES = False
 
-if SWARM_MODE.lower() == "true":
-    SWARM_MODE = True
-elif SWARM_MODE.lower() == "false":
-    SWARM_MODE = False
+if DOCKER_SWARM_MODE.lower() == "true":
+    DOCKER_SWARM_MODE = True
+elif DOCKER_SWARM_MODE.lower() == "false":
+    DOCKER_SWARM_MODE = False
 
 if ENABLE_TRAEFIK_POLL.lower() == "true":
     ENABLE_TRAEFIK_POLL = True
@@ -458,10 +466,11 @@ elif ENABLE_TRAEFIK_POLL.lower() == "false":
 
 if DRY_RUN:
     logger.warning("Dry Run: %s", DRY_RUN)
-logger.debug("Swarm Mode: %s", SWARM_MODE)
+logger.debug("Swarm Mode: %s", DOCKER_SWARM_MODE)
 logger.debug("Refresh Entries: %s", REFRESH_ENTRIES)
 logger.debug("Traefik Version: %s", TRAEFIK_VERSION)
 logger.debug("Default TTL: %s", DEFAULT_TTL)
+
 if not email:
     logger.debug("API Mode: Scoped")
     cf = CloudFlare.CloudFlare(debug=VERBOSE, token=token)
@@ -486,7 +495,7 @@ logger.debug("Traefik Polling Mode: %s", False)
 
 client = docker.from_env()
 
-if SWARM_MODE:
+if DOCKER_SWARM_MODE:
     DOCKER_HOST = os.environ.get('DOCKER_HOST', None)
     api = docker.APIClient(base_url=DOCKER_HOST)
 
@@ -512,17 +521,17 @@ for event in client.events(since=t, filters={'Type': 'service', 'Action': u'upda
         try:
             if TRAEFIK_VERSION == "1":
                 add_to_mappings(new_mappings, check_container_t1(client.containers.get(event.get(u'id'))))
-                if SWARM_MODE:
+                if DOCKER_SWARM_MODE:
                     add_to_mappings(new_mappings, check_service_t1(client.services.get(event.get(u'id'))))
             elif TRAEFIK_VERSION == "2":
                 add_to_mappings(new_mappings, check_container_t2(client.containers.get(event.get(u'id'))))
-                if SWARM_MODE:
+                if DOCKER_SWARM_MODE:
                     add_to_mappings(new_mappings, check_service_t2(client.services.get(event.get(u'id'))))
 
         except docker.errors.NotFound as e:
             pass
 
-    if SWARM_MODE:
+    if DOCKER_SWARM_MODE:
         if event.get(u'Action') == u'update':
             try:
                 if TRAEFIK_VERSION == "1":