You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
watchtower/main.go

195 lines
4.0 KiB
Go

package main // import "github.com/CenturyLinkLabs/watchtower"
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"os"
"os/signal"
"strings"
"sync"
"syscall"
"time"
"github.com/CenturyLinkLabs/watchtower/actions"
"github.com/CenturyLinkLabs/watchtower/container"
log "github.com/Sirupsen/logrus"
"github.com/codegangsta/cli"
)
var (
wg sync.WaitGroup
client container.Client
pollInterval time.Duration
)
func init() {
log.SetLevel(log.InfoLevel)
}
func main() {
rootCertPath := "/etc/ssl/docker"
if os.Getenv("DOCKER_CERT_PATH") != "" {
rootCertPath = os.Getenv("DOCKER_CERT_PATH")
}
app := cli.NewApp()
app.Name = "watchtower"
app.Usage = "Automatically update running Docker containers"
app.Before = before
app.Action = start
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "host, H",
Usage: "daemon socket to connect to",
Value: "unix:///var/run/docker.sock",
EnvVar: "DOCKER_HOST",
},
cli.IntFlag{
Name: "interval, i",
Usage: "poll interval (in seconds)",
Value: 300,
},
cli.BoolFlag{
Name: "no-pull",
Usage: "do not pull new images",
},
cli.BoolFlag{
Name: "tls",
Usage: "use TLS; implied by --tlsverify",
},
cli.BoolFlag{
Name: "tlsverify",
Usage: "use TLS and verify the remote",
EnvVar: "DOCKER_TLS_VERIFY",
},
cli.StringFlag{
Name: "tlscacert",
Usage: "trust certs signed only by this CA",
Value: fmt.Sprintf("%s/ca.pem", rootCertPath),
},
cli.StringFlag{
Name: "tlscert",
Usage: "client certificate for TLS authentication",
Value: fmt.Sprintf("%s/cert.pem", rootCertPath),
},
cli.StringFlag{
Name: "tlskey",
Usage: "client key for TLS authentication",
Value: fmt.Sprintf("%s/key.pem", rootCertPath),
},
cli.BoolFlag{
Name: "debug",
Usage: "enable debug mode with verbose logging",
},
}
if err := app.Run(os.Args); err != nil {
log.Fatal(err)
}
}
func before(c *cli.Context) error {
if c.GlobalBool("debug") {
log.SetLevel(log.DebugLevel)
}
pollInterval = time.Duration(c.Int("interval")) * time.Second
// Set-up container client
tls, err := tlsConfig(c)
if err != nil {
return err
}
client = container.NewClient(c.GlobalString("host"), tls, !c.GlobalBool("no-pull"))
handleSignals()
return nil
}
func start(*cli.Context) {
if err := actions.CheckPrereqs(client); err != nil {
log.Fatal(err)
}
for {
wg.Add(1)
if err := actions.Update(client); err != nil {
fmt.Println(err)
}
wg.Done()
time.Sleep(pollInterval)
}
}
func handleSignals() {
// Graceful shut-down on SIGINT/SIGTERM
c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt)
signal.Notify(c, syscall.SIGTERM)
go func() {
<-c
wg.Wait()
os.Exit(1)
}()
}
// tlsConfig translates the command-line options into a tls.Config struct
func tlsConfig(c *cli.Context) (*tls.Config, error) {
var tlsConfig *tls.Config
var err error
caCertFlag := c.GlobalString("tlscacert")
certFlag := c.GlobalString("tlscert")
keyFlag := c.GlobalString("tlskey")
if c.GlobalBool("tls") || c.GlobalBool("tlsverify") {
tlsConfig = &tls.Config{
InsecureSkipVerify: !c.GlobalBool("tlsverify"),
}
// Load CA cert
if caCertFlag != "" {
var caCert []byte
if strings.HasPrefix(caCertFlag, "/") {
caCert, err = ioutil.ReadFile(caCertFlag)
if err != nil {
return nil, err
}
} else {
caCert = []byte(caCertFlag)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig.RootCAs = caCertPool
}
// Load client certificate
if certFlag != "" && keyFlag != "" {
var cert tls.Certificate
if strings.HasPrefix(certFlag, "/") && strings.HasPrefix(keyFlag, "/") {
cert, err = tls.LoadX509KeyPair(certFlag, keyFlag)
if err != nil {
return nil, err
}
} else {
cert, err = tls.X509KeyPair([]byte(certFlag), []byte(keyFlag))
if err != nil {
return nil, err
}
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
}
return tlsConfig, nil
}