forked from toolshed/docs.coopcloud.tech
		
	
		
			
				
	
	
		
			392 lines
		
	
	
		
			19 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			392 lines
		
	
	
		
			19 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| ---
 | ||
| title: Operations handbook
 | ||
| ---
 | ||
| 
 | ||
| ## Understanding `~/.abra`
 | ||
| 
 | ||
| Co-op Cloud stores per-app configuration in the `$USER/.abra/servers` directory, on whichever machine you're running `abra` on (by default, your own work station). In other words, app configurations are grouped under their relevant server directory. This corresponds to the ordering of the output of `abra app ls`.
 | ||
| 
 | ||
| !!! question "What format do the `.env` files use?"
 | ||
| 
 | ||
|     `.env` files use the same format as used by Docker (with the `env_file:` statement in a `docker-compose.yml` file, or the `--env-file` option to `docker run`) and `direnv`. There is no `export ...=...` required since `abra` will take care to thread the values into the recipe configuration at deploy time.
 | ||
| 
 | ||
| `abra` doesn't mind if `~/.abra/servers`, or any of its subdirectories, is a [symlink](https://en.wikipedia.org/wiki/Symlink), so you can keep your app definitions wherever you like!
 | ||
| 
 | ||
| ```
 | ||
| mv ~/.abra/servers/ ~/coop-cloud
 | ||
| ln -s ~/coop-cloud ~/.abra/servers
 | ||
| ```
 | ||
| 
 | ||
| You don't need to worry about `~/.abra/{vendor,catalogue,recipes,autocompletion}`, `abra` manages those automagically.
 | ||
| 
 | ||
| ## Backing up `~/.abra`
 | ||
| 
 | ||
| Just make sure the `~/.abra/servers` is included in the configuration of your favourite backup tool. Because `~/.abra/servers` is a collection of plain-text files, it's easy to keep your backup configuration in a version control system (we use `git`, others would almost certainly work).
 | ||
| 
 | ||
| This is particularly recommended if you're collaborating with others, so that you can all run `abra app ...` commands without having to maintain your own separate, probably-conflicting, configuration files.
 | ||
| 
 | ||
| In the simple case where you only have one server configured with `abra`, or everyone in your team is using the same set of servers, you can version-control the whole `~/.abra/servers` directory:
 | ||
| 
 | ||
| ```
 | ||
| cd ~/.abra/servers
 | ||
| git init
 | ||
| git add .
 | ||
| git commit -m "Initial import"
 | ||
| ```
 | ||
| 
 | ||
| !!! warning "Test your revision-control self-discipline"
 | ||
| 
 | ||
|     `abra` does not yet help keep your `~/.abra/server` configurations up-to-date! Make sure to run `git add` / `git commit` after making configuration changes, and `cd ~/.abra/servers && git pull` before running `abra app ...` commands. Patches to add some safety checks and auto-updates would be very welcome! 🙏
 | ||
| 
 | ||
| ## Sharing `~/.abra`
 | ||
| 
 | ||
| In a more complex situation, where you're using Co-op Cloud to manage several servers, and you're collaborating with different people on different servers, you can set up **a separate repository for each subdirectory in `~/.abra/servers`**, or even a mixture of single-server and multi-server repositories:
 | ||
| 
 | ||
| ```
 | ||
| ls -l ~/.abra/servers
 | ||
| # Example.com's own app configuration:
 | ||
| swarm.example.com -> /home/user/Example/coop-cloud-apps/swarm.example.com
 | ||
| 
 | ||
| # Configuration for one of Example.com's clients – part of the same repository:
 | ||
| swarm.client.com -> /home/user/Example/coop-cloud-apps/swarm.client.com
 | ||
| 
 | ||
| # A completely separate project, part of a different repository:
 | ||
| swarm.demonstration.com -> /home/user/Demonstration/coop-cloud-apps
 | ||
| ```
 | ||
| 
 | ||
| To make setting up these symlinks easier, you might want to include a simple installer script in your configuration repositories.
 | ||
| 
 | ||
| Save this as `Makefile` in your repository:
 | ||
| 
 | ||
|    ```
 | ||
|    # -s symlink, -f force creation, -F don't create symlink in the target dir
 | ||
|    default:
 | ||
|    	@mkdir -p ~/.abra/servers/
 | ||
|    	@for SERVER in $$(find -maxdepth 1 -type d -name "[!.]*"); do \
 | ||
|    		echo ln -sfF "$$(pwd)/$${SERVER#./}" ~/.abra/servers/ ; \
 | ||
|    		ln -sfF "$$(pwd)/$${SERVER#./}" ~/.abra/servers/ ; \
 | ||
|    	done
 | ||
|    ```
 | ||
| 
 | ||
|    This will set up symlinks from each directory in your repository to a correspondingly-named directory in `~/.abra/servers` – if your repository has a `swarm.example.com` directory, it'll be linked as `~/.abra/servers/swarm.example.com`.
 | ||
| 
 | ||
| Then, tell your collaborators (e.g. in the repository's `README.md`), to run `make` in their repository check-out.
 | ||
| 
 | ||
| !!! warning "You're on your own!"
 | ||
| 
 | ||
|     As with the [simple repository set-up above](#backing-up-your-abra-configuration), `abra` doesn't yet help you update your version control system when you make changes, nor check version control to make sure you have the latest configuration. Make sure to `commit` and `push` after you make any configuration changes, and `pull` before running any `abra app ...` commands.
 | ||
| 
 | ||
| !!! question "Even more granularity?"
 | ||
| 
 | ||
|     The plain-text, file-based configuration format means that you could even keep the configuration for different apps on the same server in different repositories, e.g. having `git.example.com` configuration in a separate repository to `wordpress.example.com`, using per-file symlinks.
 | ||
| 
 | ||
|     We don't currently recommend this, because it might set inaccurate expectations about the security model – remember that, by default, **any user who can deploy apps to a Docker Swarm can manage _any_ app in that swarm**.
 | ||
| 
 | ||
| ### Migrating a server into a repository
 | ||
| 
 | ||
| Even if you've got your existing server configs in version control, by default, `abra server add` will define the server locally. To move it -- taking the example of `newserver.example.com`:
 | ||
| 
 | ||
| ```
 | ||
| mv ~/.abra/servers/newserver.example.com ~/coop-cloud-apps/
 | ||
| cd ~/coop-cloud-apps
 | ||
| git add newserver.example.com
 | ||
| git commit
 | ||
| make link
 | ||
| ```
 | ||
| 
 | ||
| ## Running abra server side
 | ||
| 
 | ||
| If you're on an environment where it's hard to run Docker, or command-line programs in general, you might want to install `abra` on a server instead of your local work station.
 | ||
| 
 | ||
| To install `abra` on the same server where you'll be hosting your apps, just follow [getting started guide](/operators/tutorial#deploy-your-first-app) as normal except for one difference. Instead of providing your SSH connection details when you run `abra server add ...`, just pass `--local`.
 | ||
| 
 | ||
| ```
 | ||
| abra server add --local
 | ||
| ```
 | ||
| 
 | ||
| !!! note "Technical details"
 | ||
| 
 | ||
| 	This will tell `abra` to look at the Docker system running on the server, instead of a remote one (using the Docker internal `default` context). Once this is wired up, `abra` knows that the deployment target is the local server and not a remote one. This will be handle seamlessly for all other deployments on this server.
 | ||
| 
 | ||
| Make sure to back up your `~/.abra` directory on the server, or put it in version control, as well as other files you'd like to keep safe.
 | ||
| 
 | ||
| ## Managing secret data
 | ||
| 
 | ||
| Co-op Cloud uses [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) to handle sensitive data, like database passwords and API keys, securely.
 | ||
| 
 | ||
| `abra` includes several commands to make it easier to manage secrets:
 | ||
| 
 | ||
| - `abra app secret generate <domain>`: to auto-generate app secrets
 | ||
| - `abra app secret insert <domain>`: to insert a single secret
 | ||
| - `abra app secret rm <domain>`: to remove secrets
 | ||
| 
 | ||
| ### Secret versions
 | ||
| 
 | ||
| Docker secrets are immutable, which means that their values can't be changed after they're set. To accommodate this, Co-op Cloud uses the established convention of "secret versions". Every time you change (rotate) a secret, you will insert it as a new version. Because secret versions are managed per-instance by the people deploying their apps, secret versions are stored in the `.env` file for each app:
 | ||
| 
 | ||
| ```
 | ||
| find -L ~/.abra/servers/ -name '*.env' -print0 | xargs -0 grep -h SECRET
 | ||
| OIDC_CLIENT_SECRET_VERSION=v1
 | ||
| RPC_SECRET_VERSION=v1
 | ||
| CLIENT_SECRET_VERSION=v1
 | ||
| ...
 | ||
| ```
 | ||
| 
 | ||
| If you try and add a secret version which already exists, Docker will helpfully complain:
 | ||
| 
 | ||
| ```
 | ||
| abra app secret insert mywordpress.com db_password v1 foobar
 | ||
| Error response from daemon: rpc error: code = AlreadyExists desc = secret mywordpress_com_db_password_v1 already exists
 | ||
| ```
 | ||
| 
 | ||
| By default, new app instances will look for `v1` secrets.
 | ||
| 
 | ||
| ### Generating secrets automatically
 | ||
| 
 | ||
| You can generate secrets in one of two ways:
 | ||
| 
 | ||
| 1. While running `abra app new <recipe>`, by passing `-S/--secrets`
 | ||
| 2. At any point once an app instance is defined, by running `abra app secret generate <domain> ...` (see `abra app secret generate -h` for more)
 | ||
| 
 | ||
| ### Inserting secrets manually
 | ||
| 
 | ||
| For third-party API tokens, like OAuth client secrets, or keys for services like Mailgun, you will be storing values you already have as the appropriately-named Docker secrets. `abra` provides a convenient interface to the underlying `docker secret create` command:
 | ||
| 
 | ||
| ```
 | ||
| abra app secret insert <domain> db_password v2 "your-secret-value-here"
 | ||
| ```
 | ||
| 
 | ||
| ### Rotating a secret
 | ||
| 
 | ||
| So, given how [secret versions](/operators/handbook/#secret-versions) work, here's how you change a secret:
 | ||
| 
 | ||
| 1. Find out the current version number of the secret, e.g. by running `abra app config <domain>`, and choose a new one. Let's assume it's currently `v1`, so by convention the new secret will be `v2`
 | ||
| 2. Generate or insert the new secret: `abra app secret generate <domain> db_password v2` or `abra app secret insert <domain> db_password v2 "foobar"`
 | ||
| 3. Edit the app configuration to change which secret version the app will use: `abra app config <domain>`
 | ||
| 4. Re-reploy the app with the new secret version: `abra app deploy <domain>`
 | ||
| 
 | ||
| ### Storing secrets in `pass`
 | ||
| 
 | ||
| The Co-op Cloud authors use the [UNIX `pass` tool][pass] to share sensitive data, including Co-op Cloud secrets, and `abra app secret ...` commands include a `--pass` option to automatically manage generated / inserted secrets:
 | ||
| 
 | ||
| ```
 | ||
| # Store generated secrets in `pass`:
 | ||
| abra app new wordpress --secrets --pass
 | ||
| abra app secret generate mywordpress.com --all --pass
 | ||
| 
 | ||
| # Store inserted secret in `pass`:
 | ||
| abra app secret insert mywordpress.com db_password v2 --pass
 | ||
| 
 | ||
| # Remove secrets from Docker, and `pass`:
 | ||
| abra app secret rm mywordpress.com --all --pass
 | ||
| ```
 | ||
| 
 | ||
| This functionality currently relies on our specific `pass` storage conventions; patches to make that configurable are very welcome!
 | ||
| 
 | ||
| ## Networking
 | ||
| 
 | ||
| !!! note "So dark the con of Docker Networking"
 | ||
| 
 | ||
|     Our understanding of Docker networking is probably wrong. We're working on it. Plz send halp :pray:
 | ||
| 
 | ||
| ### Traefik networking
 | ||
| 
 | ||
| [Traefik](https://doc.traefik.io/traefik/) is our core web proxy, all traffic on a Co-op Cloud deployment goes through a running Traefik container. When setting up a new Co-op Cloud delpyment, `abra` creates a "global" [overlay network](https://docs.docker.com/network/overlay/) which traefik is hooked up to. This is the network that other apps use to speak to traefik and get traffic routed to them. Not every service in every app is also included in this network and hence not internet-facing (by convention, we name this network `internal`, see more below).
 | ||
| 
 | ||
| ### App networking
 | ||
| 
 | ||
| By convention, the main `app` service is wired up to the "global" traefik overlay network. This container is the one that should be publicy reachable on the internet. The other services in the app such as the database and caches should be not be publicly reachable or visible to other apps on the same instance.
 | ||
| 
 | ||
| To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called `my_wordpress_blog` then there will be a network called `my_wordpress_blog_internal` created. This allows all the services in an app to speak to each other but not be reachable on the public internet.
 | ||
| 
 | ||
| ## Multiple apps on the same domain?
 | ||
| 
 | ||
| At time of writing (Jan 2022), we think there is a limitation in our design which doesn't support multiple apps sharing the same domain (e.g. `example.com/app1/` & `example.com/app2/`). `abra` treats each domain as unique and as the singler reference for a single app.
 | ||
| 
 | ||
| This may be possible to overcome if someone really needs it, we encourage people to investigate. We've found that often, there are limitations in the actual software which don't support this anyway and several of the current operators simply use a new domain per app.
 | ||
| 
 | ||
| ## Validating `abra` binary checksums
 | ||
| 
 | ||
|  You can download `abra` yourself from the [releases page](https://git.coopcloud.tech/coop-cloud/abra/releases) along with the `checksums.txt` file.
 | ||
| 
 | ||
| ```bash
 | ||
| grep $(sha256sum abra_[version]_[platform]) checksums.txt > /dev/null && echo "checksum OK"
 | ||
| ```
 | ||
| 
 | ||
| If "checksum OK" appears in your terminal - you're good to go!
 | ||
| 
 | ||
| Otherwise, you have downloaded a corrupted file.
 | ||
| 
 | ||
| ## Creating a new server
 | ||
| 
 | ||
| `abra server new` can create servers if you have an account with a supported 3rd party integration. We currently support [Servers.coop](https://servers.coop) & [Hetzner](https://hetzner.com). The process of creating a new server usually goes like this:
 | ||
| 
 | ||
| 1. Create an account with a server hosting provider
 | ||
| 2. Generate an API client key which you'll give to `abra`
 | ||
| 3. Run `abra server new` & fill in the values
 | ||
| 
 | ||
| `abra` supports creating, listing and removing servers if the 3rd party integration supports it.
 | ||
| 
 | ||
| If you want to teach `abra` how to support your favourite server hosting provider, we'd glady accept patches.
 | ||
| 
 | ||
| ## How do I bootstrap a server for running Co-op Cloud apps?
 | ||
| 
 | ||
| The requirements are:
 | ||
| 
 | ||
| 1. Docker installed
 | ||
| 1. User in Docker user group
 | ||
| 1. Swarm mode initialised
 | ||
| 1. Proxy network created
 | ||
| 
 | ||
| ```
 | ||
| # docker install convenience script
 | ||
| wget -O- https://get.docker.com | bash
 | ||
| 
 | ||
| # add user to docker group
 | ||
| usermod -aG docker $USER
 | ||
| 
 | ||
| # setup swarm
 | ||
| docker swarm init
 | ||
| docker network create -d overlay proxy
 | ||
| 
 | ||
| # on debian machines as of 2023-02-17
 | ||
| apt install apparmor
 | ||
| systemctl restart docker containerd
 | ||
| ```
 | ||
| 
 | ||
| ## Managing DNS entries
 | ||
| 
 | ||
| `abra record ...` can help you manage your DNS entries if you have an account with a supported 3rd party provider. We currently support [Gandi](https://gandi.net). The process of managing DNS with `abra` usually goes like this:
 | ||
| 
 | ||
| 1. Create an account with a DNS service provider
 | ||
| 2. Generate an API client key which you'll give to `abra`
 | ||
| 3. Run `abra record ls` to check everything works
 | ||
| 
 | ||
| `abra` supports creating, listing and removing DNS entries if the 3rd party integration supports it.
 | ||
| 
 | ||
| If you want to teach `abra` how to support your favourite server hosting provider, we'd glady accept patches.
 | ||
| 
 | ||
| ## How do I persist container logs after they go away?
 | ||
| 
 | ||
| This is a big topic but in general, if you're looking for something quick & easy, you can use the [journald logging driver](https://docs.docker.com/config/containers/logging/journald/). This will hook the container logs into systemd which can handle persistent log collection & managing log file size.
 | ||
| 
 | ||
| You need to add the following to your `/etc/docker/daemon.json` file on the server:
 | ||
| 
 | ||
| ```json
 | ||
| {
 | ||
|     "log-driver": "journald",
 | ||
|     "log-opts": {
 | ||
|       "labels":"com.docker.swarm.service.name"
 | ||
|     }
 | ||
| }
 | ||
| ```
 | ||
| 
 | ||
| And for log size management, edit `/etc/systemd/journald.conf`:
 | ||
| 
 | ||
| ```
 | ||
| [Journal]
 | ||
| Storage=persistent
 | ||
| SystemMaxUse=5G
 | ||
| MaxFileSec=1month
 | ||
| ```
 | ||
| 
 | ||
| Tne restart `docker` & `journald`:
 | ||
| 
 | ||
| ```
 | ||
| systemctl restart docker
 | ||
| systemctl restart systemd-journald
 | ||
| ```
 | ||
| 
 | ||
| Now when you use `docker service logs` or `abra app logs`, it will read from the systemd journald logger seamlessly! Some useful `journalctl` commands are as follows, if you're doing some more fine grained logs investigation:
 | ||
| 
 | ||
| - `journalctl -f`
 | ||
| - `journalctl CONTAINER_NAME=my_git_com_app.1.jxn9r85el63pdz42ykjnmh792 -f`
 | ||
| - `journalctl COM_DOCKER_SWARM_SERVICE_NAME=my_git_com_app --since="2020-09-18 13:00:00" --until="2020-09-18 13:01:00"`
 | ||
| - `journalctl CONTAINER_ID=$(docker ps -qf name=my_git_com_app) -f`
 | ||
| 
 | ||
| Also, for more system wide analysis stuff:
 | ||
| 
 | ||
| - `journalctl --disk-usage`
 | ||
| - `du -sh /var/log/journal/*`
 | ||
| - `man journalctl` / `man systemd-journald` / `man journald.conf`
 | ||
| 
 | ||
| ## How do I specify a custom user/port for SSH connections with `abra`?
 | ||
| 
 | ||
| `abra` uses plain 'ol SSH under the hood and aims to make use of your existing SSH configurations in `~/.ssh/config` and interfaces with your running `ssh-agent` for password protected secret key files.
 | ||
| 
 | ||
| The `server add` command listed above assumes that that you make SSH connections on port 22 using your current username. If that is not he case, pass the new values as positional arguments. See `abra server add -h` for more on this.
 | ||
| 
 | ||
| ```bash
 | ||
| abra server add <domain> <user> <port> -p
 | ||
| ```
 | ||
| 
 | ||
| Running `server add` with `-d/--debug` should help you debug what is going on under the hood. It's best to take a moment to read [this troubleshooting entry](/abra/trouble/#ssh-connection-issues) if you're running into SSH connection issues with `abra`.
 | ||
| 
 | ||
| ## How do I attach to a running container?
 | ||
| 
 | ||
| If you need to run a command within a running container you can use `abra app run <domain> <service> <command>`. For example, you could run `abra app run cloud.lumbung.space app bash` to open a new bash terminal session inside your remote container.
 | ||
| 
 | ||
| ## How do I attach on a non-running container?
 | ||
| 
 | ||
| If you need to run a command on a container that won't start (eg. the container is stuck in a restart loop) you can temporarily disable its default entrypoint by setting it in `compose.yml` to something like ['tail', '-f', '/dev/null'], then redeploy the stack (with `--force --chaos` so you don't need to commit), then [get into the now running container](#how-do-i-attach-to-a-running-container), do your business, and when done revert the compose.yml change and redeploy again. 
 | ||
| 
 | ||
| ## Can I run Co-op Cloud on ARM?
 | ||
| 
 | ||
| `@Mayel`:
 | ||
| 
 | ||
| > FYI I've been running on ARM for a while with no troubles (as long as images
 | ||
| > used support it of course, `abra` doesn't work yet!) 😀 ... in cases where I
 | ||
| > couldn't find a multiarch image I simply have eg. image: ${DB_DOCKER_IMAGE}
 | ||
| > in the docker-compose and set that to a compatible image in the env config
 | ||
| > ... there was really nothing to it, apart from making sure to use multiarch
 | ||
| > or arm images
 | ||
| 
 | ||
| See [`#312`](https://git.coopcloud.tech/coop-cloud/organising/issues/312) for more.
 | ||
| 
 | ||
| ## How do I backup/restore my app?
 | ||
| 
 | ||
| If you're app [supports backup/restore](/maintainers/handbook/#how-do-i-configure-backuprestore) then you have two options: [`backup-bot-two`](https://git.coopcloud.tech/coop-cloud/backup-bot-two) & [`abra`](https://git.coopcloud.tech/coop-cloud/abra).
 | ||
| 
 | ||
| With `abra`, you can simply run `abra app backup ...` & `abra app restore ...`.
 | ||
| Pass `-h` for more information on the specific flags & arguments.
 | ||
| 
 | ||
| ## How do I take a manual database backup?
 | ||
| 
 | ||
| MySQL / MariaDB:
 | ||
| 
 | ||
| ```
 | ||
| abra app run foo.bar.com db mysqldump -u root <database> | gzip > ~/.abra/backups/foo.bar.com_db_`date +%F`.sql.gz
 | ||
| ```
 | ||
| 
 | ||
| Postgres:
 | ||
| 
 | ||
| ```
 | ||
| abra app run foo.bar.com db pg_dump -u root <database> | gzip > ~/.abra/backups/foo.bar.com_db_`date +%F`.sql.gz
 | ||
| ```
 | ||
| 
 | ||
| If you get errors about database access:
 | ||
| - Make sure you've specified the right database user (`root` above) and db name
 | ||
| - If you have a database password set, you might need to load it from a secret,
 | ||
|     something like this:
 | ||
| 
 | ||
| ```
 | ||
| abra app run foo.bar.com db bash -c 'mysqldump -u root -p"$(cat /run/secrets/db_oot_password)" <database>' | gzip > ~/.abra/backups/foo.bar.com_db_`date +%F`.sql.gz
 | ||
| ```
 | ||
| 
 | ||
| ## Can I deploy a recipe without `abra`?
 | ||
| 
 | ||
| Yes! It's a design goal to keep the recipes not dependent on `abra` or any
 | ||
| single tool that we develop. This means the configurationc commons can still be
 | ||
| useful beyond this project. You can deploy a recipe with standard commands like
 | ||
| so:
 | ||
| 
 | ||
| ```
 | ||
| set -a
 | ||
| source example.com.env
 | ||
| cd ~/.abra/recipes/myrecipe
 | ||
| docker stack deploy -c compose.yml example_com
 | ||
| ```
 | ||
| 
 | ||
| `abra` makes all of this more cenvenient but other tooling could follow this
 | ||
| approach.
 |