Merge pull request #6 from kolayne-IU-assignments/lab6

Lab6

ansible/ANSIBLE.md

@@ -1,6 +1,6 @@
 # Ansible
 
-## `ansible-playbook --diff`
+## `ansible-playbook --diff` (lab 5), last 50 lines
 
 ```
   aufs-tools cgroupfs-mount | cgroup-lite git-daemon-run | git-daemon-sysvinit
@@ -94,6 +94,60 @@ In the above output there are two hosts defined: `{ anshible_host: localhost }`
 `ungrouped` group, the second belongs to the `myhosts` group, both belong to the `all`
 metagroup (which is a special group that contains all defined hosts).
 
+## `ansible-playbook --diff` for app_python, last 50 lines
+```
+  libpython3-dev libpython3.8-dev libquadmath0 libstdc++-9-dev libtsan0
+  libubsan1 linux-libc-dev make manpages-dev python-pip-whl python3-dev
+  python3-wheel python3.8-dev zlib1g-dev
+Suggested packages:
+  binutils-doc cpp-doc gcc-9-locales debian-keyring g++-multilib
+  g++-9-multilib gcc-9-doc gcc-multilib autoconf automake libtool flex bison
+  gdb gcc-doc gcc-9-multilib glibc-doc bzr libstdc++-9-doc make-doc
+The following NEW packages will be installed:
+  binutils binutils-common binutils-x86-64-linux-gnu build-essential cpp cpp-9
+  dpkg-dev fakeroot g++ g++-9 gcc gcc-9 gcc-9-base libalgorithm-diff-perl
+  libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan5 libatomic1
+  libbinutils libc-dev-bin libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0
+  libctf0 libdpkg-perl libexpat1-dev libfakeroot libfile-fcntllock-perl
+  libgcc-9-dev libgomp1 libisl22 libitm1 liblsan0 libmpc3 libmpfr6
+  libpython3-dev libpython3.8-dev libquadmath0 libstdc++-9-dev libtsan0
+  libubsan1 linux-libc-dev make manpages-dev python-pip-whl python3-dev
+  python3-pip python3-wheel python3.8-dev zlib1g-dev
+0 upgraded, 51 newly installed, 0 to remove and 15 not upgraded.
+changed: [terraform1]
+
+TASK [docker : Install docker-compose via pip] ***********************************************************************
+changed: [terraform1]
+
+TASK [web_app : Pull image] ******************************************************************************************
+--- before
++++ after
+@@ -1,3 +1,3 @@
+ {
+-    "exists": false
++    "id": "sha256:55ef999c615bdb60c47911f0a4d11b1f5eb5eb9975d1f34d105cbaeac08626ca"
+ }
+
+changed: [terraform1]
+
+TASK [web_app : Create container] ************************************************************************************
+--- before
++++ after
+@@ -1,4 +1,4 @@
+ {
+-    "exists": false,
+-    "running": false
++    "exists": true,
++    "running": true
+ }
+
+changed: [terraform1]
+
+PLAY RECAP ***********************************************************************************************************
+terraform1                 : ok=12   changed=9    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   
+
+```
+
 ## Best practices
 
 The project uses the following best practices:
@@ -107,3 +161,9 @@ The project uses the following best practices:
 -   Use fully qualified collection names
 
 -   Use dynamic inventory with clouds
+
+-   Use blocks to group related tasks together
+
+-   Use role dependencies between roles that require others to run before
+
+-   Use tags for conditional execution

ansible/playbooks/dev/app_go/main.yml

@@ -0,0 +1,18 @@
+- name: Deploy go app
+  hosts: all
+  roles:
+    - name: "Deploy kolay0ne/app_go:lab6"
+      role: web_app
+      image_name: "kolay0ne/app_go"
+      image_tag: "lab6"
+      publish_ports:
+        - "5500:5000"
+      wipe: false
+      tags: []  # Run by default
+
+    - name: "Wipe kolay0ne/app_go:lab6"
+      role: web_app
+      image_name: "kolay0ne/app_go"
+      image_tag: "lab6"
+      wipe: true
+      tags: [never, wipe]  # Only run on wipe

ansible/playbooks/dev/app_python/main.yml

@@ -0,0 +1,18 @@
+- name: Deploy python app
+  hosts: all
+  roles:
+    - name: "Deploy kolay0ne/app_py:lab6"
+      role: web_app
+      image_name: "kolay0ne/app_py"
+      image_tag: "lab6"
+      publish_ports:
+        - "5000:5000"
+      wipe: false
+      tags: []  # Run by default
+
+    - name: "Wipe kolay0ne/app_py:lab6"
+      role: web_app
+      image_name: "kolay0ne/app_py"
+      image_tag: "lab6"
+      wipe: true
+      tags: [never, wipe]  # Only run on wipe

ansible/roles/docker/tasks/docker.yaml

@@ -1,23 +1,23 @@
-- name: Ensure /etc/apt/keyrings exists
-  file:
-    path: /etc/apt/keyrings
-    state: directory
-  become: true
+- name: Prepare apt for docker installation
+  block:
+    - name: Ensure /etc/apt/keyrings exists
+      file:
+        path: /etc/apt/keyrings
+        state: directory
 
-- name: Add docker's GPG
-  ansible.builtin.get_url:
-    url: 'https://download.docker.com/linux/ubuntu/gpg'
-    dest: /etc/apt/keyrings/docker.asc
-    mode: a+r
-    force: true  # Redownload every time
-    decompress: false
-  become: true
+    - name: Add docker's GPG
+      ansible.builtin.get_url:
+        url: 'https://download.docker.com/linux/ubuntu/gpg'
+        dest: /etc/apt/keyrings/docker.asc
+        mode: a+r
+        force: true  # Redownload every time
+        decompress: false
 
-- name: Create docker source list for apt
-  shell: >
-    echo "deb [arch=$(dpkg --print-architecture)
-    signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu
-    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
+    - name: Create docker source list for apt
+      shell: >
+        echo "deb [arch=$(dpkg --print-architecture)
+        signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu
+        $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
   become: true
 
 - name: Install docker via apt
@@ -30,3 +30,15 @@
     state: present
     update_cache: true
   become: true
+
+- name: Give normal user access to docker
+  block:
+    - name: Add user `ubuntu` to group `docker`
+      ansible.builtin.user:
+        user: "ubuntu"
+        groups: ["docker"]
+        append: true
+      become: true
+
+    - name: Restart ssh connection for changes to the user's groups to take effect
+      ansible.builtin.meta: reset_connection

ansible/roles/web_app/README.md

@@ -0,0 +1,42 @@
+# Dockerized web app deploy role
+
+An ansible role for deploying a dockerized web app.
+
+## Requirements
+
+This role depends on the `docker` role from the same repository. No additional
+requirements are imposed.
+
+## Usage
+
+All parameters of the role are optional. The most basic usage:
+```
+roles:
+  - name: "Deploy hello-world"
+    role: web_app
+```
+The above will pull the `hello-world` image tagged `latest`, create a container
+`hello-world-0` corresponding to it, and start it.
+
+The most advanced usage:
+```
+roles:
+  - name: "Deploy asciiquarium"
+    role: web_app
+    image_name: "danielkraic/asciiquarium"
+    image_tag: "master"
+    container_name: "aq"
+    publish_ports:
+      - 5000:6000
+      - 7000
+    wipe: false
+```
+The above will pull the `danielkraic/asciiquarium` image tagged `master`, create
+a container `aq` corresponding to it, and start it. The container's port `6000` will
+be mapped to host `5000` and container's port `7000` will be mapped to an arbitrarily
+selected host port.
+
+Changing the `wipe` parameter to `true` (or another value that represents a boolean true
+according to ansible) causes the container to be destroyed and the pulled image to be
+removed from the managed machine. When `wipe` is `true`, the value of `publish_ports` is
+ignored.

ansible/roles/web_app/defaults/main.yaml

@@ -0,0 +1,6 @@
+---
+image_name: "hello-world"
+image_tag: "latest"
+container_name: "{{ image_name | basename }}-0"
+publish_ports: []
+wipe: false

ansible/roles/web_app/meta/main.yaml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - docker

ansible/roles/web_app/tasks/main.yaml

@@ -0,0 +1,42 @@
+---
+- name: Create directory for compose
+  ansible.builtin.file:
+    path: "~/{{image_name|basename}}"
+    state: "directory"
+  register: compose_dir
+
+- name: Stop old containers
+  community.docker.docker_compose_v2:
+    project_src: "{{ compose_dir.path }}"
+    state: stopped
+  # Compose file may not exist yet, thus ignoring errors
+  ignore_errors: true
+
+- name: Render new docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ compose_dir.path }}/docker-compose.yml"
+  vars:
+    image_full: "{{image_name}}:{{image_tag}}"
+    expose_ports: "{{ publish_ports }}"
+  when: not wipe
+
+- name: Manage containers
+  # If wiping, remove containers, otherwise start them
+  community.docker.docker_compose_v2:
+    project_src: "{{ compose_dir.path }}"
+    state: "{{ wipe | ternary('absent', 'present') }}"
+    pull: always
+
+- name: Wipe image
+  community.docker.docker_image:
+    name: "{{ image_name }}"
+    tag: "{{ image_tag }}"
+    state: "absent"
+  when: wipe
+
+- name: Remove compose file from the filesystem
+  ansible.builtin.file:
+    path: "{{ compose_dir.path }}"
+    state: "absent"
+  when: wipe

ansible/roles/web_app/templates/docker-compose.yml.j2

@@ -0,0 +1,9 @@
+services:
+  web_app:
+    image: {{ image_full }}
+{% if expose_ports is iterable and expose_ports|length > 0 %}
+    ports:
+{% for port_expr in expose_ports %}
+      - {{ port_expr }}
+{% endfor %}
+{% endif %}

app_go/Dockerfile

@@ -9,8 +9,9 @@ COPY go.mod *.go /usr/src/app/
 RUN ["env", "CGO_ENABLED=0", "go", "build", "-o", "catfact_webapp", "."]
 
 
-# Like `FROM scratch` but with SSL
-FROM damdo/sscratch
+FROM scratch
+# Enable https requests from within the container
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 EXPOSE 5000
 

app_go/main.go

@@ -10,7 +10,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	fact, err := catFact()
 	if err == nil {
         w.WriteHeader(http.StatusOK)
-		_, _ = fmt.Fprintf(w, fact)
+		_, _ = fmt.Fprintf(w, "%s", fact)
 	} else {
         w.WriteHeader(http.StatusInternalServerError)
 		_, _ = fmt.Fprintf(w, "Failed to query a cat fact :(")

app_python/Dockerfile

@@ -3,9 +3,10 @@ FROM python:3.10.13-alpine3.19
 WORKDIR /app
 EXPOSE 5000
 RUN ["adduser", "-Ds", "/usr/bin/nologin", "flask"]
-COPY requirements.txt moscow_time/*.py /app/
+COPY requirements.txt /app/
+COPY moscow_time/ /app/moscow_time
 # Note: keeping the project files owned by root so
 # the web server has less privileges over them
 USER flask:flask
 RUN ["pip", "install", "--user", "-r", "requirements.txt"]
-CMD ["python", "main.py"]
+CMD ["python", "-m", "moscow_time"]

app_python/moscow_time/__init__.py

@@ -0,0 +1,32 @@
+import datetime
+
+from flask import Flask
+import requests
+
+from .cache import cache_for
+
+
+app = Flask(__name__)
+
+
+# In case of high load, to avoid frequent requests, cache results for
+# one second
+@cache_for(1000)
+def get_time():
+    """
+    Get current Moscow time from worldtimeapi.org.
+
+    The returned value is of type `datetime.time` and it may be up to
+    1000ms out of date, as results of calls to the function are cached
+    for up to 1 second.
+    """
+    r = requests.get('http://worldtimeapi.org/api/timezone/Europe/Moscow')
+    dt = datetime.datetime.fromisoformat(r.json()['datetime'])
+    return dt.time()
+
+
+@app.route('/')
+def index():
+    time = get_time()
+    return f"In MSK it's {time.hour}:{time.minute}:{time.second}. " \
+        "Have you brushed your teeth today yet?"

app_python/moscow_time/__main__.py

@@ -0,0 +1,4 @@
+from . import app
+
+
+app.run(host='0.0.0.0', port=5000, debug=False)

app_python/tests/test_web_app.py

@@ -4,7 +4,7 @@
 
 from pytest import fixture
 
-from moscow_time.main import app
+from moscow_time import app
 
 
 app.config.update({