Add CLI support for running dockerd in a container on containerd

[dhiltgen]

- What I did

This PR adds support to the Docker CLI to manage the lifecycle of a Docker Engine running as a privileged container on top of containerd. New CLI UX is introduced to initialize a local engine, check for available updates, and update the local engine. Additional UX is introduced to allow users to transition from a community based engine to an enterprise engine if they so desire, by downloading an existing enterprise license from the Docker Store or initiating a new free trial license.

Not included in this PR are packaging level changes to provide a streamlined user experience based on OS level packages, which allow users to continue to use OS level packages and related automation if they desire for installation and update operations.

- How I did it

The implementation leverages the containerd client API and interacts with a local containerd to download images from a registry (defaulting to Docker Hub) as well as a docker licensing library to interact with Docker Store for generating trial licenses and downloading existing licenses.

- How to verify it

Unit tests and a new e2e test are included in the PR. The e2e test runs a nested containerd in a container upon which a nested dockerd is launched.

Nightly builds for the engine will be published at https://hub.docker.com/r/docker/engine-community/tags/

Manual validation may be performed by installing containerd locally, then running this CLI, specifying a nightly version tag. For example:

root@daniel-testkit-CE988A-0:~# docker engine init --engine-version 0.0.0-20180730163646-c19b8d9
Pulling docker.io/docker/engine-community:0.0.0-20180730163646-c19b8d9... done.
docker.io/docker/engine-community:0.0.0-20180730163646-c19b8d9 already present in containerd.
Waiting for engine to start... waiting for engine to be responsive... engine is online.
Success!  The docker engine is now running.

- Description for the changelog

Add support for running dockerd on top of containerd

- A picture of a cute animal (not mandatory but encouraged)

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "ce_q3" [email protected]:dhiltgen/cli-1.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354176960
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[codecov-io]

Codecov Report

Merging #1260 into master will increase coverage by 0.71%.
The diff coverage is 66.23%.

@@            Coverage Diff             @@
##           master    #1260      +/-   ##
==========================================
+ Coverage   54.05%   54.77%   +0.71%     
==========================================
  Files         272      292      +20     
  Lines       18113    19257    +1144     
==========================================
+ Hits         9791    10548     +757     
- Misses       7706     8055     +349     
- Partials      616      654      +38

[dhiltgen]

The recent lint failure looks like a CI hiccup, unrelated to the changes I just pushed

...
Step 10/10 : COPY . .
 ---> 3b3e3fa522cc
Successfully built 3b3e3fa522cc
Successfully tagged cli-linter:15395
docker: Cannot connect to the Docker daemon at tcp://35.185.65.192:2376. Is the docker daemon running?.
ERRO[0030] error waiting for container: context canceled 
Exited with code 125

Could someone whack CI to re-run that again?

[vdemeester]

On design:

• shouldn't we re-use the same "output formatting" when pulling images, etc… right now, it's telling me it's pulling something, I have no idea of the progress… We could use docker or containerd progress formatting.
• should /etc/docker path be configurable ? For example, my system's /etc/ is read-only (managed by nixos), and I want to test/run this PR, couldn't I be able to specify where it's gonna write the configuration ?
  I though it was --config-file but

λ sudo ./build/docker-linux-amd64 engine init --config-file=/tmp/etc/docker
Failed to create docker daemon: failed to verify host dir /tmp/etc: Failed to create path /tmp/etc

• it seems there is a need to login before having a docker daemon, and this is a problem as docker login needs a deamon — on this, we may want to ask for login(s) whenever the command the require them (listing license, …), and later on issuing a docker login on the newly bootstrapped daemon (programatically). The login client-side only seems hackish to me.
• On update it's possible to change the version and the registry-prefix but not the engine-image, what is the rationale for that ? 🤔
• I wished (might not be possible) that the license checking (mainly used in docker engine activate) would be plugable (as our credential helpers are) — this would remove the need to vendor docker/licensing code, but it would make it harder to migrate from CE to EE…

I still need to bootstrap a sandbox machine to test it fully though.

On code:

• It would be really good to have unit tests on the engine package 👼
• I feel like containerdutils package should be some sort of "wrapper" client that get's created with our "view" of docker and containerd client. That way we wouldn't need to pass them for each and every exported functions.
• In general, command.Cli should be only used in cmd/* packages.. having a dependency on it in the containerdutils package seems like a smell…
• This is a public facing repository, that is easily use as library… and in this context, any exported element (function, struct) should be considered stable.. So the less we exported at first, the better… This is not the case right now.
• github.com/docker/licensing needs some tests, and it would be very handy if it were using either vndr or golang/dep tool

[vdemeester]

use context instead of this deprecated package.

[vdemeester]

Also, we group all non-stdlib imports, so those should be grouped

[vdemeester]

Those should be flags.StringVar when they don't have a shorthand counter-part

[vdemeester]

I think we can keep those long flag only for now 👼

[vdemeester]

s/queit/quiet

[vdemeester]

almost silently ignoring these errors 🤔 shouldn't we at least print some warnings ?

[vdemeester]

Same here

[vdemeester]

use errors.Wrapf here too

[vdemeester]

use errors.Wrapf here too

[vdemeester]

s/queit/quiet

[cpuguy83]

This needs a deeper review, but so far my comments are generally:

1. Functionality needs ownership. Right now all functionality is scoped to a package when it should be scoped to a type.
2. Errors, especially in new functionality that's added here, should be well typed so they can be properly inspected (e.g. not by checking the message itself).
3. Interfaces are quite broad, both in the new interfaces being used and the interfaces being passed in to the new functionality. This should be scoped down so, for instance, a function that just needs an io.Writer doesn't need the whole docker CLI object.
4. The fakeClient approach where there is a struct that does nothing but store configured functions is not very clean and largely redundant. Might as well just make new objects with the needed functionality. Note you can have a base struct that provides "not implemented" sort of behavior and wrap that with specific functionality for what's being tested... but also scoping interfaces down should help a lot here.

[cpuguy83]

Also wy are we passing both client and dockerCli? There's a few places this is done.

[cpuguy83]

Can we get a real error type?

[cpuguy83]

🤕

[cpuguy83]

I'm not sure I see the purpose in these structs that do nothing except take functionality from other things.
Why not provide specific structs? If the interface you are trying to satisfy is too large, can't we narrow down the interface?

[dhiltgen]

It's purely a testing abstraction. I looked around in this repo to find a pattern to emulate with the hope that I'd be following the preferred style and saw https://github.com/docker/cli/blob/master/cli/command/manifest/client_test.go which uses this model.

@cpuguy83 can you point me to a different/better reference you would prefer?

If this model is explicitly not what we want people to follow, could a maintainer put a comment in those files noting that those tests should be refactored so others don't fall into the same trap I did thinking this pattern is OK?

[cpuguy83]

Seems like we shouldn't bother with this.

[cpuguy83]

This is all too much.
Let's consider what type should own this behavior.... e.g. a wrapped client.

[cpuguy83]

Seems like this should be a function to get the default spec (since that's the only way it could be immutable)...
This will probably work, though.

[cpuguy83]

Should also be scoped to the call site, not the package.

[cpuguy83]

Same comment as above for other of these fake clients.

[cpuguy83]

I'm pretty sure I've never seen this done.... not that it shouldn't be done, just that it's not idiomatic in the sense that none of the other code does this.
Can we stick to type Foo T?

[cpuguy83]

Also, is this used? Don't see why we'd need fifo here.

[cpuguy83]

It would be nice if there was an issue, or I suppose a comment in this PR, describing this change (what new commands are, what are they for, demo output, etc).

[crosbymichael]

it's just "context" now

[dhiltgen]

Thanks - I'll clean this up - I started this work quite a while back and I think the CLI was still using that pattern when I started... just overlooked switching these as I rebased.

[crosbymichael]

pass ctx instead of context.Background() here

[crosbymichael]

tisk tisk ;), connect and handle errors on connect os.IsNotExist, not check first. These types of checks are racy

[crosbymichael]

If you want progress, you can use content.Fetch from containerd

[dhiltgen]

shouldn't we re-use the same "output formatting" when pulling images, etc… right now, it's telling me it's pulling something, I have no idea of the progress… We could use docker or containerd progress formatting.

Good suggestion. Let me take a look at what it would take to wire that up.

should /etc/docker path be configurable ? For example, my system's /etc/ is read-only (managed by nixos), and I want to test/run this PR, couldn't I be able to specify where it's gonna write the configuration ?

Yes, that was the intention but it seems you found a bug - I'll investigate this further and figure out what's going wrong and add a test case for this.

it seems there is a need to login before having a docker daemon, and this is a problem as docker login needs a deamon — on this, we may want to ask for login(s) whenever the command the require them (listing license, …), and later on issuing a docker login on the newly bootstrapped daemon (programatically). The login client-side only seems hackish to me.

If you're just deploying a community engine from hub it works without a login. If you're using an alternative registry (e.g., a DTR behind a firewall) then you might need to login to pull images. If you're initializing an enterprise engine from hub you'll need to be logged in as well. I tried to wire this up so it's not mandatory, but so we can support initialization from a private repo if necessary. Does that help address your concern, or are you still concerned with this model?

On update it's possible to change the version and the registry-prefix but not the engine-image, what is the rationale for that ?

Good point. That wasn't intentional. I forgot to add the image flag to the update flows when I added it recently to the init flow.

It would be really good to have unit tests on the engine package

I'll see what I can do. :-)

I feel like containerdutils package should be some sort of "wrapper" client that get's created with our "view" of docker and containerd client. That way we wouldn't need to pass them for each and every exported functions.

Let me coordinate with @crosbymichael and @dmcgowan and see what we can come up with.

In general, command.Cli should be only used in cmd/* packages.. having a dependency on it in the containerdutils package seems like a smell…

👍 I'll clean this up.

This is a public facing repository, that is easily use as library… and in this context, any exported element (function, struct) should be considered stable.. So the less we exported at first, the better… This is not the case right now.

Will do - I'll reduce the set of exported components in my next refactoring pass.

github.com/docker/licensing needs some tests, and it would be very handy if it were using either vndr or golang/dep tool

\cc @mason-fish ^^

[dhiltgen]

Functionality needs ownership. Right now all functionality is scoped to a package when it should be scoped to a type.

👍

Errors, especially in new functionality that's added here, should be well typed so they can be properly inspected (e.g. not by checking the message itself).

👍

Interfaces are quite broad, both in the new interfaces being used and the interfaces being passed in to the new functionality. This should be scoped down so, for instance, a function that just needs an io.Writer doesn't need the whole docker CLI object.

👍

The fakeClient approach where there is a struct that does nothing but store configured functions is not very clean and largely redundant. Might as well just make new objects with the needed functionality. Note you can have a base struct that provides "not implemented" sort of behavior and wrap that with specific functionality for what's being tested... but also scoping interfaces down should help a lot here.

I thought I was following existing patterns, but if there's a different preferred model I can adjust the implementation. @cpuguy83 can you point to example's as reference in the code of how you'd like me to structure the test adapters?

[cpuguy83]

can you point to example's as reference in the code of how you'd like me to structure the test adapters

If you need to implement many methods, then I'd use something like this:

type FooBar interface {
    Foo() error
    Bar() error
}
type baseFoo struct {}

func (baseFoo) Foo() error { return errors.New("not implemented") }

func(baseFoo) Bar() error { return errors.New("not implemented") }

type withFoo struct {
    baseFoo
}

func(withFoo) Foo() error {
    return nil
}

But I would also try and reduce the things I need to mock out as much as possible, which means defining interfaces locally for the methods you are actually calling rather than using a concrete type or some (large) external interface.

[dhiltgen]

It would be nice if there was an issue, or I suppose a comment in this PR, describing this change (what new commands are, what are they for, demo output, etc).

The following is a little dated and some changes have been made to the implementation based on UX feedback, but it shows the basic flow.

Problem Abstract

The Docker EE platform is distributed and the software lifecycle
managed using two different patterns today. This inconsistency leads
to customer confusion, operational inefficiencies, and in some cases
avoidable outages due to user mistakes.

This PR enables the docker engine to run as a privileged container running
on top of containerd. This model also enables a smooth upgrade path from
CE to EE engines for users who choose to do so.

UX Example

The following examples outline how users would interact with the local
engine via the CLI.

Before Initialization

This new version of the docker CLI would be capable of initializing
a local engine if containerd was detected via the socket or
named pipe.

% docker info
Cannot connect to the Docker daemon at unix:///var/run/docker.sock however containerd is running locally
- Set DOCKER_HOST or use the `-H` flag to point to a remote docker engine or cluster
- To initialize a local node, run `sudo docker engine init`

Initializing a Local CE Engine

Provided containerd is present on the local system and the user has the
ability to write to the containerd socket (or named pipe), the CLI would
be capable of starting up the docker daemon.

% docker engine init --help

Usage:  docker engine init [OPTIONS]

Initialize a docker engine on the local containerd

Options:
      --config-file string       Specify the location of the daemon configuration file
                                 on the host (default "/etc/docker/daemon.json")
      --engine-version string    Specify engine version (default '18.09.0')
      --registry-prefix string   Override the default location where engine images are
                                 pulled (default "docker.io/docker")
      --root-dir string          Specify the location of the Docker Root Dir on the host
                                 (default "/var/lib/docker")

% sudo docker engine init
Pulling docker.io/dockereng/ce-engine:18.09.0... done.
Waiting for engine to start... waiting for engine to be responsive... engine 18.09.0 is online.
Success!  The docker engine is now running.

Notes:

• Tag conventions
  • CLI builds default to install their corresponding engine version
  • YY.MM.P - Immutable version specific tag
  • nightly-YYMMDD - maps to an nightly edge build
• helper packages would be generated to handle bootstrapping the
  engine via OS level packages to mimic the current packaging behavior, but
  those would leverage these CLI commands under the covers in post-install
  packaging scripts.
• If the image is already present, it will not be pulled, so offline use-cases
  can be supported by pre-loading the image via OS level packaging.

Activating EE

If the user wants to start running an EE engine they would use the
following command to activate an EE engine with applicable license.
This can be performed after initing a CE engine, or can be done directly
on top of containerd as the first step. If they already have CE running
and workloads on top, those would be preserved.

% docker engine activate --help

Usage:  docker engine activate [OPTIONS]

With this command you may apply an existing Docker enterprise license, or
interactively download one from Docker.  In the interactive exchange, you can
sign up for a new trial, or download an existing license.  If you are currently
running a Community Edition engine, the daemon will be updated to the
Enterprise Edition Docker engine with additional capabilities and long term
support.

For more information about different Docker Enterprise license types visit
http://www.docker.com/licenses

For non-interactive scriptable deployments, download your license from
https://hub.docker.com/ then specify the file with the '--license' flag.

Options:
      --engine-version string    Specify engine version (default is to use existing version)
  -l, --license string           License File
      --registry-prefix string   Override the default location where engine images are pulled (default
                                 "docker.io/dockereng")

The following example shows the UX for a brand-new customer who has never logged into hub

% docker engine activate
Please run 'docker login' with your existing account then re-run 'docker engine activate'

% docker engine activate
You don't have any existing Docker licenses
0) Generate a new trial license for EE Basic (individual engines)
1) Generate a new trial license for EE Advanced (cluster support)
Please pick the license above by number (0): 0

Pulling docker.io/dockereng/ee-engine:18.09.0... done.
Starting the docker engine... waiting for engine to be responsive... engine 18.09.0 is online.
Success!  Your engine has been activated.

Notes:

• The users hub account would be granted access to the EE engines during their trial
• The license would be stored locally and may be used to activate specific license enabled features
• Tag conventions
  • Not visible unless you've paid, or have a trial license
  • $VER - Immutable version specific tag

The following variation shows the UX for an existing customer with some existing licenses.

% docker engine activate

Checking Docker Hub for licenses for dhiltgen... Licenses found.
0) Docker EE Basic- Sat Oct 14 2017
1) Docker EE Advanced, 10 nodes- Sat Oct 14 2017
Please pick the license above by number (0): 1

Pulling docker.io/dockereng/ee-engine:18.09.0... done.
Starting the docker engine... waiting for engine to be responsive... engine 18.09.0 is online.
Success!  Your engine has been activated.
See https://docs.docker.com/ee/ucp/admin/install/ for UCP installation instructions.

Seeing current engine status

The info and version commands should be updated to expose if the engine
is a CE or EE engine, and the status of the license (expired, type of
license, etc.)

% docker info
Containers: 11
 Running: 0
 Paused: 0
 Stopped: 11
Images: 703
...
License: Community Edition Engine

License: Enterprise Standard trial - 20 days remaining.  To purchase go to http://hub.docker.com/renew

License: Enterprise Standard 10 nodes - expires 1/1/2019

License: EXPIRED!  You will no longer receive updates.  Please renew at http://hub.docker.com/renew

Notes:

• Once expired, the users access to EE patches would be disabled on the hub side.

Detecting Updates are Available

Checking for updates requires scanning hub repos for new tags, and requires
hub credentials, so this should be done using an explicit command, not included
in existing commands like info.

% docker engine check --help

Usage:  docker engine check [OPTIONS]

Check for available updates

Options:
      --all                      Report all versions (older and pre-release versions)
      --patch-only               Only report available patch versions
      --registry-prefix string   Override the default location where engine images are
                                 pulled (default "docker.io/dockereng")

% docker engine check
TYPE        VERSION         RELEASE NOTES
current     18.03.0
patch       18.03.1         http://docs.docker.com/releases/18.03.1-ee.releasenotes
patch       18.03.2         http://docs.docker.com/releases/18.03.2-ee.releasenotes
upgrade     18.09.0         http://docs.docker.com/releases/18.09.0-ee.releasenotes

% docker engine check
(WARNING: your version is no longer supported, consider upgrading)
TYPE        VERSION         RELEASE NOTES
current     18.02.0
upgrade     18.09.0         http://docs.docker.com/releases/18.09.0-ee.releasenotes

Notes:

• If the EE license has expired, CE updates should be shown to allow "reverting" back to CE
  if you decide to

Updating a Local Engine

% docker engine update --help

Usage:  docker engine update [OPTIONS]

Update the local docker engine

Options:
      --engine-version string    Specify engine version - by default this command will update to the latest
                                 patch for the current engine version
      --registry-prefix string   Override the default location where engine images are
                                 pulled (default "docker.io/docker")

% docker engine update --engine-version 18.03.2
Using tag: 18.03.2
latest: Pulling from docker/ee-engine
57310166fe88: Pull complete
Digest: sha256:1669a6aa7350e1cdd28f972ddad5aceba2912f589f19a090ac75b7083da748db
Updating Local Docker Engine...
Docker Engine is ready.

[dhiltgen]

If you need to implement many methods, then I'd use something like this:

Hmm... maybe I'm just not seeing it, but isn't this pattern going to result in a massive explosion in the amount of code necessary to mock out various different scenarios? Wouldn't I then have to create unique types for each scenario? That seems pretty heavy weight. The nice thing about the existing pattern I replicated is it only gets involved in the test code, not the mainline production code, and each test case can easily alter the behavior of any routine.

Do you have a good example in the tree that's following your pattern for test cases I can look more closely at to see how it should map?

Since the comment's now hidden - some more explanation on why I used this pattern is here #1260 (comment)

[dhiltgen]

@vdemeester @cpuguy83 I've pushed two new commits that should hopefully address almost all your comments. I still need to add some unit test coverage for the engine package, and I'm still not sure what the preferred mock model is in this tree.

Update: I forgot to mention I haven't made substantive changes to the licensing portion yet, as the upstream licensing lib work is still WIP - hoping we'll have a bump there in the next few days and then I can update the related glue code in this PR.

[seemethere]

Wouldn't this make more sense to have it as just docker.io/ and let the engine-image contain the prefix for the registry organization?

[seemethere]

This applies to all other uses of the registry-prefix

[dhiltgen]

I think this boils down to a question of use-case and when these flags will be used. I was trying to optimize the UX around end-user use-cases to support local mirrors, while enabling developer use-cases.

Specifically, if you're a typical user, I don't think you'll ever use --engine-image - the default behavior for the community engine and enterprise engine scenarios will do the right thing. This flag is really only meant for developers who want to deviate from the standard naming scheme.

Many customers run an internal registry in their firewalled environments, and the intention with the --registry-prefix flag was to give them a flag to establish the prefix where they store all their docker product mirrored images, both community and enterprise engines, and in the future, additional products like UCP and DTR itself.

My concern with splitting it the way you suggest is I think it makes it harder for end-users using local registry mirrors to benefit from the automatic community/enterprise logic. These mirroring customer would always have to pin the exact image name to use a mirror. In this version of the engine, we're using a single image so it seems ~simple, but it's entirely possible as we work on the modularization work in moby (buildkit, etc.) we will start to split the engine into multiple images in the future. When/if we do so, then we'd have to add new flags for developers to select the other component images, but one could see this getting out of control for a typical user. By using a common prefix and letting the CLI select the right image names by default using the common prefix we hide that complexity of multiple component images from the typical end user. It also will make it harder for us to support this mirroring pattern for other products down the road. For example, UCP today doesn't support installing from a mirror, and UCP itself is made up of a dozen plus images already. I'd like to see us follow this pattern so someday you can docker ucp install --registry-prefix mylocalregistry.acme.com/docker ... (or something along those lines) where the registry-prefix is common for all the mirrored content.

[vdemeester]

λ ./docker engine init --config-file=/tmp/etc/docker
docker engine init is only supported on a Docker cli with experimental cli features enabled
λ cat ~/.docker/config.json
{
        // […]
        "experimental": "enabled"
}

Getting a weird error on my experimental enabled cli 😝

[vdemeester]

Pretty sure Login doesn't need to get the whole command.Cli interface as argument.

[vdemeester]

Not really fan of boolean args as it doesn't really provide any insight of what we read (i.e. reading only that line, I have no idea what false mean for this func.)

[vdemeester]

these append can be extracted in a function I think 😉

[vdemeester]

This could definitely be a local type (at least)

type resolver func(ctx Context.Context, index *registrytypes.IndexInfo) type.AuthConfig
// …
activateEngineFunc func(ctx context.Context, opts …EngineInitOptions, out …OutStream, authResolver resolver) error

[vdemeester]

Not that really, we should just pass it the types.AuthConfig instead and not require the func/wrapper 😉

[vdemeester]

This flow is getting weirder and weirder to read. (from command.GetDefaultAuthConfig to the last if err != nil line 133). We may want to refactor that a bit 👼

[vdemeester]

Same as above types.AuthConfig instead of the resolver func.

[vdemeester]

Same as above, if we use opts only for that, we're better of passing the image reference string directly

[vdemeester]

We should pass a types.AuthConfig to this package instead of having to define this one. This would remove a lot of package deps (containerizedengine, trust, …)

[vdemeester]

Those are already defined above (and exported too it seems), We should define them only once and use on both (or… not defined them as exported)

[vdemeester]

Why ignoring the linter here ? I guess it's on client *containerd.Client that could only be client oci.Client (or even a local interface)

[dhiltgen]

Yeah, it wanted me to change the types to be incompatible with the upstream containerd pattern which I think is wrong.

[vdemeester]

how is it incompatible with the upstream containerd pattern ? it just says there is a small interface you can "declare your variable with". The other "way around" would be to define a local interface that satisfy the contract you need 😝

[silvin-lubecki]

I only reviewed the commands yet, still need to review the containeriedengine package.

[silvin-lubecki]

nit: it should be newActivateCommand

[silvin-lubecki]

nit: . In <- Extra space

[silvin-lubecki]

Extra space . If

[silvin-lubecki]

Use https instead?
By the way the link seems to be broken...
Maybe move this part into another PR, ready to be merged as soon as the page is online?

[silvin-lubecki]

I think existing version can be misleading. Do you mean current version? Maybe installed version or running version instead?

[silvin-lubecki]

nit: availUpdates -> availableUpdates

[silvin-lubecki]

nit: empty line

[silvin-lubecki]

nit: out := &bytes.Buffer{}

[silvin-lubecki]

Same as above

[silvin-lubecki]

nit: empty line

[silvin-lubecki]

nit: empty line

[silvin-lubecki]

Why are there 2 '%s'? Is it missing an argument?

[silvin-lubecki]

I don't think imgRefAndAuth in the message will help a user...

[silvin-lubecki]

shadowing active with another active variable makes the code not easy to review...

[silvin-lubecki]

const?

[silvin-lubecki]

if _, err := ... ; err != nil{

[silvin-lubecki]

if err := ... ; err != nil{

[silvin-lubecki]

if err := ... ; err != nil{

[silvin-lubecki]

if data, defined := config["data-root"]; defined{
    rootDir = data.(string)
}

[silvin-lubecki]

This pattern seems to be the same as in baseClient.InitEngine, it could be extracted and factorized.

[dhiltgen]

Getting a weird error on my experimental enabled cli

Hmm... I'm a bit confused by what's going on here. I tried switching the Annotations from "experimentalCLI" to "experimental" but that seems to break it worse. I couldn't find any docs covering this, so maybe I've got some other piece of wiring hooked up incorrectly. Any pointers?

[dhiltgen]

@vdemeester @cpuguy83 I've added one commit that refactors one of the test mocks using the model that I think you are proposing. - 9d73826 Please take a look at that and let me know what you think.

My preference is the original model as I think its easier to reason about, but if this is how you'd like the tests structured, I'll apply it to the other mocks in a follow up commit.

[vdemeester]

• pkg/containerized can be move to internal too 👼
• Any commented code should be removed (no need for it for now)

[vdemeester]

This seems wrong — the EntrepriseEngineImage there 🤔 It's gonna get use in docker engine init too which by default use the Community image — we should pass the image too (and thus probably, at that point, just a reference string 👼)

[vdemeester]

Also, if no registryPrefix, the reference will be /something right (looking at the default value in options), and thus an invalid reference, isn't it ?

[vdemeester]

One question on that, we don't want to allow customization of the containerdSockPath when engine init ?

[vdemeester]

Shouldn't this return an error instead ? 🤔 (this would make outer: not required anymore)

[dhiltgen]

This algorithm has been structured this way for the past year (or more) in the containerd tree, so i'm a little hesitant to start changing it significantly without understanding all the partial failure modes.

[vdemeester]

This can now be remove (https://github.com/docker/cli/pull/1260/files#diff-2349949258e8913f2e5141f6d989e2bdR144)

[vdemeester]

In addition, not a huge fan of the proposed test refactoring, and as most of the code is under internal now, I feel we can easily do some refactoring (both on tests and part of the code) in follow-up PRs 😉

[dhiltgen]

In addition, not a huge fan of the proposed test refactoring, and as most of the code is under internal now, I feel we can easily do some refactoring (both on tests and part of the code) in follow-up PRs

Sounds good. Thanks!

I'll drop the test refactoring commit, make the other requested changes, get a vendor bump of the licensing lib and add some unit test coverage on the licensing side, and get that pushed later today. Hopefully that will get us in a state where this is mergeable with only minor comments, then I'll submit a follow up clean-up PR after FC to address those.

[vdemeester]

I'm getting some weird errors :thinking:

λ sudo ./build/docker-linux-amd64 --config=/home/vincent/.docker engine rm
runtime for task io.containerd.runtime.process.v1: rpc error: code = NotFound desc = unknown runtime "io.containerd.runtime.process.v1": unknown
λ sudo ctr -n docker c ls
CONTAINER    IMAGE                                            RUNTIME
dockerd      docker.io/docker/engine-community:18.09.0-dev    io.containerd.runtime.process.v1

Also, on update, I was "waiting" for a list to choose from 😝

λ sudo ./build/docker-linux-amd64 --config=/home/vincent/.docker engine update
please pick the version you want to update to
λ sudo ./build/docker-linux-amd64 --config=/home/vincent/.docker engine update --version 18.09.0-dev
failed to lookup task: runtime for task io.containerd.runtime.process.v1: rpc error: code = NotFound desc = unknown runtime "io.containerd.runtime.process.v1": unknown

Also, the first time I did the init, it told me the daemon is responsive really quick because I already had a daemon running… didn't really check the daemon answering was the same it spawned (using version or sthg) — there is not too much log in debug mode so it's a bit tricky to know what going wrong 😓

[vdemeester]

This doesn't take the engineInitOptions into account at all — i.e. if the the engine init configuration file changes the default host the daemon listen on, … — it will try to ping the default docker daemon. This kinda force to pass -H to the docker engine init command in those cases.

[dhiltgen]

For the scenario where the daemon config is set up to listen on a non-standard sock, or only tcp, the user should also set their DOCKER_HOST to match, however I agree we should attempt to detect a misconfiguration here so we can give a good error message if they're wrong.

[vdemeester]

Alright, managed to make it work 👼 🎉
So there is still a few comments to take into account (some errors.Wrap and some more complex ones), but as said before, as this is experimental and most of the code happens in internal package, I'm fine doing those as follow-ups 😉
LGTM 🐯

[dhiltgen]

Squashed to 2 commits (vendor bump, and the impl) and rebased on master so it should be ready to merge once CI goes green.

[crosbymichael]

LGTM