Automate Local and AWS Deployments #667
Conversation
witoff
changed the title
examples/deployment/README.md
Outdated
| terraform apply aws/ | ||
|
|
||
| # Set Variables | ||
| HOST=... |
There was a problem hiding this comment.
merged this with automated launch userdata within terraform (more automation!) and changed to DB_HOST.
examples/deployment/aws/terraform.tf
Outdated
|
|
||
| resource "aws_security_group" "trillian" { | ||
| name = "trillian" | ||
| description = "Allow MySQL from Single IP" |
There was a problem hiding this comment.
This seems to allow from a single CIDR block :)
| } | ||
|
|
||
| download | ||
| echo "ffe253ce564df22adbcf9c799e251ca0 wait-for-it.sh" > file.md5 |
There was a problem hiding this comment.
You could do shas256sum --check <( echo "... wait-for-it.sh" ) and avoid creating the file.md5
|
BTW - we generally rebase topic branches onto latest |
|
rebased :) |
RJPercival
left a comment
RJPercival
left a comment
There was a problem hiding this comment.
Sorry for the wait, since I wasn't marked as a reviewer and @AlCutter had already approved it, I'd managed to overlook this.
examples/deployment/README.md
Outdated
| Both build and example deployment files are stored within this repo. For any of the below deployment methods, start here: | ||
|
|
||
| ```shell | ||
| git clone git@github.com:google/trillian.git |
There was a problem hiding this comment.
examples/deployment/README.md
Outdated
| export DB_PASSWORD="$(openssl rand -hex 16)" | ||
|
|
||
| # Bring up services defined in this compose file. This includes: | ||
| # - local MySQL databse |
examples/deployment/README.md
Outdated
|
|
||
| # Bring up services defined in this compose file. This includes: | ||
| # - local MySQL databse | ||
| # - container to seed the database |
examples/deployment/README.md
Outdated
|
|
||
| **Run With Docker Compose** | ||
|
|
||
| For simple deployments running in a container is an easy way to get up and running with a local database. To use Docker to run and interact with Trillian, start here: |
There was a problem hiding this comment.
s/For simple deployments/For simple deployments,/
examples/deployment/README.md
Outdated
|
|
||
| For simple deployments running in a container is an easy way to get up and running with a local database. To use Docker to run and interact with Trillian, start here: | ||
|
|
||
| Set a random password and bring up the services defined in the provided compose file. This includes a local mysql database database, a one-shot container to create the schema and the trillian server: |
There was a problem hiding this comment.
s/mysql database database/MySQL database/
| ADD . /go/src/github.com/google/trillian | ||
| WORKDIR /go/src/github.com/google/trillian | ||
|
|
||
| RUN go get -v ./server/trillian_log_server |
There was a problem hiding this comment.
Why is trillian_log_server needed in this container?
There was a problem hiding this comment.
removed this line but going to keep the source code included so /scripts/*.sh can be run
scripts/resetdb.sh
Outdated
| [ -z ${DB_NAME+x} ] && DB_NAME="test" | ||
| # format reused supplied environment variables | ||
| FLAGS="" | ||
| [ -z ${DB_PASSWORD+x} ] || FLAGS="${FLAGS} -p$DB_PASSWORD" |
There was a problem hiding this comment.
Assumes that $DB_PASSWORD does not contain spaces.
There was a problem hiding this comment.
fixed with: -p'${DB_PASSWORD}'
scripts/resetdb.sh
Outdated
| case "$1" in | ||
| --force) FORCE=true ;; | ||
| --verbose) VERBOSE=true ;; | ||
| *) FLAGS="${FLAGS} $1" |
There was a problem hiding this comment.
I think this will remove quotation marks around arguments.
There was a problem hiding this comment.
Consider making $FLAGS an array.
There was a problem hiding this comment.
added a verbose logging statement that will print args to clarify what's being run. even as an array i'd still have to reconstruct with proper flags to pass to mysql. if you think this is a blocker we can revert back to passing all flags via $@ to mysql and only accepting other params via envars.
There was a problem hiding this comment.
Suggested fix: https://github.com/RJPercival/trillian/commits/witoff/aws
This will properly handle quoted arguments. I made another couple of small improvements while I was poking around in that file, which you can find just after that commit.
scripts/resetdb.sh
Outdated
| if [ -z ${REPLY+x} ] || [[ $REPLY =~ ^[Yy]$ ]] | ||
| then | ||
| echo "Resetting DB..." | ||
| mysql -u $DB_USER $FLAGS -e "DROP DATABASE IF EXISTS ${DB_NAME};" |
There was a problem hiding this comment.
Some flags, e.g. --defaults-extra-file, will only work if they are the first flag passed to mysql. This flag ordering makes passing that flag impossible.
There was a problem hiding this comment.
reordered to: mysql -u $FLAGS $DB_USER and preserved user supplied order in collect_vars fn.
scripts/resetdb.sh
Outdated
| echo "Resetting DB..." | ||
| mysql -u $DB_USER $FLAGS -e "DROP DATABASE IF EXISTS ${DB_NAME};" | ||
| mysql -u $DB_USER $FLAGS -e "CREATE DATABASE ${DB_NAME};" | ||
| mysql -u $DB_USER $FLAGS -e "GRANT ALL ON ${DB_NAME}.* TO '${DB_NAME}'@'localhost' IDENTIFIED BY 'zaphod';" |
There was a problem hiding this comment.
I'm still not sure how this is supposed to work. Granting access for the user to connect only from localhost shouldn't work if the Trillian server/signer is running on a different machine, as will likely be the case on cloud infrastructure. It may work if $DB_NAME == "test", because some MySQL installations come with default privileges that grant unrestricted access to that database for all users.
There was a problem hiding this comment.
i'm also not entirely clear on this. this change mirrors what's currently in the master branch and just makes DB_NAME a variable. after this is merged i'd like work on better integration testing here which may prove this unnecessary.
There was a problem hiding this comment.
With the database name hardcoded as "test", it's going to get the special treatment that MySQL gives that table by default. By replacing this with a variable, that's no longer true unless $DB_NAME == "test". Therefore, I think replacing 'localhost' with '%' on this line is warranted. Access to the database server should be restricted to certain IP ranges, so it won't allow brute force attacks on this user by just anyone.
witoff
force-pushed
the
witoff/aws
branch
2 times, most recently
from
9b39cce to
47bf243
Compare
|
I think you need to rebase - looks like master was broken due to a change in a dependency when you last rebased. |
|
Yeah, Prometheus changed underneath us upstream -- pull #724 should have fixed it though. |
DB operations should be flexibile to run against many environments Dockerize core components remove deprecated comment
simplify cloud and docker deployments
|
k, rebased and tests passing now. |
scripts/resetdb.sh
Outdated
| mysql -u $FLAGS $DB_USER -e "DROP DATABASE IF EXISTS ${DB_NAME};" | ||
| mysql -u $FLAGS $DB_USER -e "CREATE DATABASE ${DB_NAME};" | ||
| mysql -u $FLAGS $DB_USER -e "GRANT ALL ON ${DB_NAME}.* TO '${DB_NAME}'@'localhost' IDENTIFIED BY 'zaphod';" | ||
| mysql -u $FLAGS $DB_USER -D ${DB_NAME} < ${TRILLIAN_PATH}/storage/mysql/storage.sql |
There was a problem hiding this comment.
I don't think you meant to separate "-u" and "$DB_USER". FYI, I've fixed this in the branch I referenced above, as a side-effect of adding "-u $DB_USER" to $FLAGS in collect_vars().
|
These should be my final comments; it's looking good to merge bar those. |
witoff
force-pushed
the
witoff/aws
branch
2 times, most recently
from
67f235b to
115c4da
Compare
|
edits are merged (thank you!) and waiting on #756 to fix broken golang/mocks updates before we can merge. |
|
Hi @witoff, thanks for this PR. Rather than moving the opinionated Dockerfiles to the example directory, would you mind keeping them in-place and making them less opinionated? Having some kind of starting Dockerfile would help other projects adopt Trillian faster. If you feel that the opinionated Dockerfiles have value, please use the Thanks! |
|
@gdbelvin updated PR with a proposal on how these could work. my thought process is that Specifying flags/healthcheck/envars in the Dockerfile makes assumptions about one's infrastructure that could reasonably be incorrect which would force me to write a separate Dockerfile anyways. I've also kept the wdyt? if you're okay with this approach does this break any other uses of these dockerfiles that i can help update? |
|
This is great. I now remember why I had the flags in the original docker files, and that is because go flags doesn't pick up environment variables, so I basically duplicated the flags with an additional (confusing) set of defaults. These non-opinionated Docker files would be great if we had a way for go flags to pick up passed-in environment variables. @RJPercival @Martin2112 Do we have a plan for passing flags via environment variables? |
|
No, we had no plans to implement that. It's easy to do, probably something like this in cmd/flags.go: func ParseFlagsFromEnv() {
flag.VisitAll(func (f *Flag) {
// Might want to modify the flag name before using it as the envar name, e.g. uppercase and/or prefix with "TRILLIAN_".
if env, ok := os.LookupEnv(f.Name); ok {
f.Value.Set(env)
}
})
}The only question is how much value there is in supporting this. Presumably this is to support people following the 12 Factor App guidelines, which lays out the advantages. The main cost is that it adds a non-obvious, third way of controlling the behaviour of Trillian's binaries. |
|
We've deliberately kept flags isolated and e.g. the logserver main.go is
just over 100 lines of code. Anybody who needs this should easily be able
create an alternate main() that gets the configuration from somewhere else.
Martin
…On 25 July 2017 at 22:53, Rob Percival ***@***.***> wrote:
No, we had no plans to implement that. It's easy to do, probably something
like this in cmd/flags.go:
func ParseFlagsFromEnv() {
flag.VisitAll(func (f *Flag) {
// Might want to modify the flag name before using it as the envar name, e.g. uppercase and/or prefix with "TRILLIAN_".
if env, ok := os.LookupEnv(f.Name); ok {
f.Value.Set(env)
}
})
}
The only question is how much value there is in supporting this.
Presumably this is to support people following the 12 Factor App
<https://12factor.net/config> guidelines, which lays out the advantages.
The main cost is that it adds a non-obvious, third way of controlling the
behaviour of Trillian's binaries.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#667 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMv2Twhx_AWZp7ffc9wSFwH8QBS0DXhMks5sRmPFgaJpZM4Nzok9>
.
|
gdbelvin
left a comment
gdbelvin
left a comment
There was a problem hiding this comment.
I think we can use the command option in docker-compose to add commandline flags now that we're using ENTRYPOINT
LGTM.
7 participants
Summary
Per #666 (yikes!), we'd like to better document deployment configurations for trillian. This builds on pull #631 to provide simple, few-line local and cloud deployments using docker-compose and terraform.
Notes
storage.sql's which is incompatible with aurora./examples/deployments/directory. Shipping these opinionated Dockerfiles next to source code felt like a stretch.