Skip to content

docker-machine-driver-triton#13 Made machine driver compatible with Rancher #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
blackwood821 wants to merge 14 commits into
base: master
Choose a base branch
from
Open

docker-machine-driver-triton#13 Made machine driver compatible with Rancher #14

blackwood821 wants to merge 14 commits into from

Conversation

@blackwood821
Copy link

@blackwood821 blackwood821 commented Apr 27, 2022

  • Added the ability to pass in the private SSH key as a base64 encoded string
  • Added code to wait for the IP address to become available so that Rancher doesn't try to SSH into the new node until it has all the necessary info

Details in #13.

@blackwood821
Made machine driver compatible with Rancher by adding the ability to …
f2125d5 
…pass in the private SSH key as a base64 encoded string
@bahamat bahamat changed the title Made machine driver compatible with Rancher docker-machine-driver-triton#13 Made machine driver compatible with Rancher Jun 10, 2022
bahamat
bahamat reviewed Jun 10, 2022
View reviewed changes
Copy link

@bahamat bahamat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, but I'd like to see some test output in both rancher and non-rancher configurations, just to make sure we aren't breaking any existing users.

@blackwood821
Copy link
Author

blackwood821 commented Jun 15, 2022

This looks good, but I'd like to see some test output in both rancher and non-rancher configurations, just to make sure we aren't breaking any existing users.

Sound good, I should be able to get to that in the next few days.

@blackwood821
Copy link
Author

blackwood821 commented Jun 17, 2022
edited
Loading

@bahamat Here is the rancher log snippet from creating a new Triton node via the Rancher UI:

2022/06/17 20:10:26 [INFO] Creating jail for c-r8zg4
2022/06/17 20:10:26 [INFO] Provisioning node worker-4
2022/06/17 20:10:26 [INFO] [node-controller-rancher-machine] Creating CA: /management-state/node/nodes/worker-4/certs/ca.pem
2022/06/17 20:10:26 [INFO] [node-controller-rancher-machine] Creating client certificate: /management-state/node/nodes/worker-4/certs/cert.pem
2022/06/17 20:10:26 [INFO] [node-controller-rancher-machine] Running pre-create checks...
2022/06/17 20:10:27 [INFO] [node-controller-rancher-machine] (worker-4) resolved image "debian-10" to "9bcfe5cc-007d-4f23-bc8a-7e7b4d0c537e" (exact name match)
2022/06/17 20:10:27 [INFO] [node-controller-rancher-machine] Creating machine...
2022/06/17 20:10:27 [INFO] [node-controller-rancher-machine] (worker-4) creating SSH key...
2022/06/17 20:10:30 [INFO] [node-controller-rancher-machine] (worker-4) waiting for ip address to become available
2022/06/17 20:10:37 [INFO] [node-controller-rancher-machine] (worker-4) got the IP Address: "192.168.0.211"
2022/06/17 20:10:37 [INFO] [node-controller-rancher-machine] Waiting for machine to be running, this may take a few minutes...
2022/06/17 20:10:43 [INFO] [node-controller-rancher-machine] Detecting operating system of created instance...
2022/06/17 20:10:43 [INFO] [node-controller-rancher-machine] Waiting for SSH to be available...
2022/06/17 20:10:55 [INFO] [node-controller-rancher-machine] Detecting the provisioner...
2022/06/17 20:10:56 [INFO] [node-controller-rancher-machine] Provisioning with debian...
2022/06/17 20:11:48 [INFO] [node-controller-rancher-machine] Copying certs to the local machine directory...
2022/06/17 20:11:49 [INFO] [node-controller-rancher-machine] Copying certs to the remote machine...
2022/06/17 20:11:52 [INFO] [node-controller-rancher-machine] Setting Docker configuration on the remote daemon...
2022/06/17 20:11:56 [INFO] [node-controller-rancher-machine] Checking connection to Docker...
2022/06/17 20:11:56 [INFO] [node-controller-rancher-machine] Docker is up and running!
2022/06/17 20:12:12 [INFO] Provisioning node worker-4 done

and here is what I saw in the process tree:

rancher-machine create -d triton --engine-install-url https://releases.rancher.com/install-docker/20.10.sh --engine-opt data-root=/data/var/lib/docker --triton-account chad --triton-image debian-10 --triton-key-id <REDACTED> --triton-key-material <REDACTED> --triton-package bhyve-flexible-4G-50G-2CPU --triton-ssh-user root --triton-url https://cloudapi.example.com worker-4

The VM was successfully created by Rancher:

Chads-MacBook-Pro:~ chad$ triton ls brand=bhyve | head -1; triton ls brand=bhyve | grep worker
SHORTID   NAME       IMG                                  STATE    FLAGS  AGE
87cffb89  worker-1   debian-10@20200508                   running  B      5w
fddd96de  worker-2   debian-10@20200508                   running  B      1w
74f18a21  worker-3   debian-10@20200508                   running  B      17m
05777a67  worker-4   debian-10@20200508                   running  B      15m

@blackwood821
Copy link
Author

blackwood821 commented Jun 17, 2022
edited
Loading

@bahamat

Here is the output from using docker-machine locally outside of Rancher:

Chads-MacBook-Pro:docker-machine-driver-triton chad$ docker-machine create -d triton --engine-install-url https://releases.rancher.com/install-docker/20.10.sh --engine-opt data-root=/data/var/lib/docker --triton-account chad --triton-image debian-10 --triton-key-id <REDACTED> --triton-key-material <REDACTED> --triton-package bhyve-flexible-4G-50G-2CPU --triton-ssh-user root --triton-url https://cloudapi.example.com worker-5
Creating CA: /Users/chad/.docker/machine/certs/ca.pem
Creating client certificate: /Users/chad/.docker/machine/certs/cert.pem
Running pre-create checks...
(worker-5) resolved image "debian-10" to "9bcfe5cc-007d-4f23-bc8a-7e7b4d0c537e" (exact name match)
Creating machine...
(worker-5) creating SSH key...
(worker-5) waiting for ip address to become available
(worker-5) got the IP Address: "192.168.0.217"
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with debian...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Error creating machine: Error running provisioning: Unable to verify the Docker daemon is listening: Maximum number of retries (10) exceeded

But it appears to have succeeded despite the error in the output:

Chads-MacBook-Pro:~ chad$ triton ls brand=bhyve | head -1; triton ls brand=bhyve | grep worker
SHORTID   NAME       IMG                                  STATE    FLAGS  AGE
87cffb89  worker-1   debian-10@20200508                   running  B      5w
fddd96de  worker-2   debian-10@20200508                   running  B      1w
74f18a21  worker-3   debian-10@20200508                   running  B      17m
05777a67  worker-4   debian-10@20200508                   running  B      15m
4df7cae1  worker-5   debian-10@20200508                   running  B      5m

Chads-MacBook-Pro:~ chad$ triton ssh worker-5
Warning: Permanently added '192.168.0.217' (ED25519) to the list of known hosts.
Linux worker-5 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64
   __        .                   .
 _|  |_      | .-. .  . .-. :--. |-
|_    _|     ;|   ||  |(.-' |  | |
  |__|   `--'  `-' `;-| `-' '  ' `-'
                   /  ;  Instance (Debian 10.3 20200508)
                   `-'   https://docs.joyent.com/images/linux/debian

Last login: Fri Jun 17 20:24:04 2022 from 192.168.0.40
root@worker-5:~# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/docker.service.d
           └─10-machine.conf
   Active: active (running) since Fri 2022-06-17 20:21:47 UTC; 4min 44s ago
     Docs: https://docs.docker.com
 Main PID: 16818 (dockerd)
    Tasks: 8
   Memory: 37.3M
   CGroup: /system.slice/docker.service
           └─16818 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock


root@worker-5:~# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

The only difference is that in Rancher rancher-machine is used which is Rancher's fork of docker-machine (https://github.com/rancher/machine) whereas the test I ran outside of Rancher is using https://github.com/docker/machine. I wonder if Rancher's fork waits longer. I'll have to check the source.

@blackwood821
Copy link
Author

blackwood821 commented Jun 20, 2022

I checked the docker machine source code and it runs if ! type netstat 1>/dev/null; then ss -tln; else netstat -tln; fi via SSH:

root@worker-5:~# if ! type netstat 1>/dev/null; then ss -tln; else netstat -tln; fi
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN

And then it does a regex match against the output for the docker port which doesn't find a match because by default the docker daemon only listens on a unix socket and not on tcp:

root@worker-5:~# ps -aux | grep dockerd
root     16818  0.0  2.1 1311868 84588 ?       Ssl  Jun17   0:17 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

So that explains why it thinks Docker isn't running but it is. I'm just not sure how the rancher machine version gets around this because looking at the source code it appears to do the same thing but it must handle it differently/correctly.

@blackwood821
Copy link
Author

blackwood821 commented Jun 20, 2022
edited
Loading

Looks like this is an issue that was never closed in the docker machine repo:
docker-archive-public/docker.machine#4567

root@worker-5:/etc/systemd/system/docker.service.d# cat 10-machine.conf 
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay2 --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=triton --data-root=/data/var/lib/docker 
Environment=

The docker service invocations has -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock which is why it's not using TCP.

Anyway, @bahamat my changes in this pull request don't seem to have any negative impact as far as I can tell.

@blackwood821
Copy link
Author

blackwood821 commented Jun 20, 2022

I ran the same test with the driver from the master branch and the same issue occurs which confirms that my changes didn't introduce this issue:

Chads-MacBook-Pro:docker-machine-driver-triton chad$ pwd
/Users/chad/go/src/github.com/TritonDataCenter/docker-machine-driver-triton

Chads-MacBook-Pro:docker-machine-driver-triton chad$ docker-machine create -d triton --engine-install-url https://releases.rancher.com/install-docker/20.10.sh --engine-opt data-root=/data/var/lib/docker --triton-account chad --triton-image debian-10 --triton-key-id <REDACTED> --triton-package bhyve-flexible-4G-50G-2CPU --triton-ssh-user root --triton-url https://cloudapi.example.com worker-6
Running pre-create checks...
(worker-6) resolved image "debian-10" to "9bcfe5cc-007d-4f23-bc8a-7e7b4d0c537e" (exact name match)
Creating machine...
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with debian...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Error creating machine: Error running provisioning: Unable to verify the Docker daemon is listening: Maximum number of retries (10) exceeded

root@worker-6:~# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/docker.service.d
           └─10-machine.conf
   Active: active (running) since Mon 2022-06-20 16:35:17 UTC; 5min ago
     Docs: https://docs.docker.com
 Main PID: 16816 (dockerd)
    Tasks: 8
   Memory: 32.5M
   CGroup: /system.slice/docker.service
           └─16816 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Jun 20 16:35:16 worker-6 dockerd[16816]: time="2022-06-20T16:35:16.759804240Z" level=warning msg="Your kernel 
Jun 20 16:35:16 worker-6 dockerd[16816]: time="2022-06-20T16:35:16.759865874Z" level=warning msg="Your kernel 
Jun 20 16:35:16 worker-6 dockerd[16816]: time="2022-06-20T16:35:16.760683451Z" level=info msg="Loading contain
Jun 20 16:35:17 worker-6 dockerd[16816]: time="2022-06-20T16:35:17.110462048Z" level=info msg="Default bridge 
Jun 20 16:35:17 worker-6 dockerd[16816]: time="2022-06-20T16:35:17.180801033Z" level=info msg="Loading contain
Jun 20 16:35:17 worker-6 dockerd[16816]: time="2022-06-20T16:35:17.210967401Z" level=info msg="Docker daemon" 
Jun 20 16:35:17 worker-6 dockerd[16816]: time="2022-06-20T16:35:17.211221176Z" level=info msg="Daemon has comp
Jun 20 16:35:17 worker-6 systemd[1]: Started Docker Application Container Engine.
Jun 20 16:35:17 worker-6 dockerd[16816]: time="2022-06-20T16:35:17.224181830Z" level=info msg="API listen on /
Jun 20 16:35:17 worker-6 systemd[1]: docker.service: Current command vanished from the unit file, execution of
lines 1-22/22 (END)

This also confirms that my changes don't break the existing functionality when used without the new --triton-key-material argument.

blackwood821 and others added 6 commits June 20, 2022 11:45
@blackwood821
Removed default CloudAPI URL
65d1f77
@blackwood821
Adding new optional --triton-tls-insecure argument to provide the opt…
625a5ce 
…ion not to validate the CloudAPI SSL certificate in development setups.
@blackwood821
Fixed bug where the TritonTLSInsecure field was not getting set from …
c511adb 
…the argument
@blackwood821
Modified ping so that it doesn't hide the error
8fc6230
@blackwood821
Added support for --act-as=<account> just like node-triton
ea2c35c
@nmvrc
Added support for specifying VM tags with --tags
f0afe75 
Specifying a single tag is functionally the same as node-triton's `-t` argument, Multiple tags can be specified in a comma-delimited format, such as `<tag1>=<value1>,<tag2>=<value2>`.
This was linked to issues Feb 1, 2024
Machine driver for Rancher #12
Open
Make machine driver compatible with Rancher #13
Open
@blackwood821
Added support for specifying metadata via --metadata
331743f
@blackwood821
Changed "metadata" to "mdata" since the former is a reserved field na…
cf4f375 
…me in RKE2.
@blackwood821
Modernized dependency management and added OpenSSH key support
137c69d 
Modernized dependency management and fixed OpenSSH key support

- Migrated from deprecated dep to Go modules for better dependency management
- Upgraded triton-go from v0.2.0 (2017) to v1.8.6 (2023) which includes modern OpenSSH private key format support
- Updated authentication API calls to use new PrivateKeySignerInput and SSHAgentSignerInput structures
- Updated import paths from github.com/joyent to github.com/TritonDataCenter following repository migration
- Replaced deprecated ioutil.ReadFile with os.ReadFile
- Removed old vendor directory and dep configuration files (Gopkg.toml, Gopkg.lock)

This resolves SSH connection failures when users have modern OpenSSH format keys (BEGIN OPENSSH PRIVATE KEY) that were unsupported by the previous triton-go version which only handled legacy RSA format keys (BEGIN RSA PRIVATE KEY).
@blackwood821
Fixed bug where the username was being set as the account name even w…
40c6a1c 
…hen acting as another user
@blackwood821
Fix authentication issues with triton-go v1.8.6 by removing Username …
d81a8db 
…from signers

The Username field in PrivateKeySignerInput and SSHAgentSignerInput was causing authentication failures ("InvalidCredentials: Invalid authorization credentials") when using "act as" functionality with admin accounts acting on behalf of target accounts in Rancher. Commenting out Username from signers and relying on ClientConfig.AccountName for "act as" functionality restores the working behavior from before the triton-go upgrade.

🤖 Generated with [Claude Code](https://claude.ai/code)
@blackwood821
Add .gitignore to exclude build artifacts
fd0be92 
Ignore the docker-machine-driver-triton binary output to keep it out of version control.

🤖 Generated with [Claude Code](https://claude.ai/code)
@blackwood821
Add CLAUDE.md with project documentation for Claude Code
f1f0a82 
Provides guidance to Claude Code instances working in this repository, including build commands, architecture overview, and key configuration patterns for the Docker Machine driver.

🤖 Generated with [Claude Code](https://claude.ai/code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@bahamat bahamat bahamat left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make machine driver compatible with Rancher Machine driver for Rancher

3 participants

@blackwood821 @bahamat @nmvrc