Set working directory for faasd / faas-containerd

* faasd writes secrets to wd + /secrets/*
* faas-containerd is passed a custom path to use to load the
secrets

Both services gain their work /run/ folders for temporary and
working files. Tested on RPi3 e2e with faasd install.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

cmd/install.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+	"io"
 	"os"
 	"path"
 
@@ -17,14 +18,28 @@ var installCmd = &cobra.Command{
 	RunE:  runInstall,
 }
 
+const faasdwd = "/run/faasd"
+const faasContainerdwd = "/run/faas-containerd"
+
 func runInstall(_ *cobra.Command, _ []string) error {
 
-	if basicAuthErr := makeBasicAuthFiles(); basicAuthErr != nil {
+	if err := ensureWorkingDir(path.Join(faasdwd, "secrets")); err != nil {
+		return err
+	}
+
+	if err := ensureWorkingDir(faasContainerdwd); err != nil {
+		return err
+	}
+
+	if basicAuthErr := makeBasicAuthFiles(path.Join(faasdwd, "secrets")); basicAuthErr != nil {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}
 
-	wd := "/run/faasd"
+	if err := cp("prometheus.yml", faasdwd); err != nil {
-	if err := ensureWorkingDir(wd); err != nil {
+		return err
+	}
+
+	if err := cp("resolv.conf", faasdwd); err != nil {
 		return err
 	}
 
@@ -43,12 +58,15 @@ func runInstall(_ *cobra.Command, _ []string) error {
 		return err
 	}
 
-	err = systemd.InstallUnit("faas-containerd", wd)
+	err = systemd.InstallUnit("faas-containerd", map[string]string{
+		"Cwd":             faasContainerdwd,
+		"SecretMountPath": path.Join(faasdwd, "secrets")})
+
 	if err != nil {
 		return err
 	}
 
-	err = systemd.InstallUnit("faasd", wd)
+	err = systemd.InstallUnit("faasd", map[string]string{"Cwd": faasdwd})
 	if err != nil {
 		return err
 	}
@@ -91,7 +109,7 @@ func binExists(folder, name string) error {
 
 func ensureWorkingDir(folder string) error {
 	if _, err := os.Stat(folder); err != nil {
-		err = os.MkdirAll("/run/faasd", 0600)
+		err = os.MkdirAll(folder, 0600)
 		if err != nil {
 			return err
 		}
@@ -99,3 +117,22 @@ func ensureWorkingDir(folder string) error {
 
 	return nil
 }
+
+func cp(source, destFolder string) error {
+	file, err := os.Open(source)
+	if err != nil {
+		return err
+
+	}
+	defer file.Close()
+
+	out, err := os.Create(path.Join(destFolder, source))
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, file)
+
+	return err
+}

cmd/up.go

@@ -49,7 +49,7 @@ func runUp(_ *cobra.Command, _ []string) error {
 		clientSuffix = "-arm64"
 	}
 
-	if basicAuthErr := makeBasicAuthFiles(); basicAuthErr != nil {
+	if basicAuthErr := makeBasicAuthFiles(path.Join(path.Join(faasdwd, "secrets"))); basicAuthErr != nil {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}
 
@@ -132,8 +132,8 @@ func runUp(_ *cobra.Command, _ []string) error {
 	return nil
 }
 
-func makeBasicAuthFiles() error {
+func makeBasicAuthFiles(wd string) error {
-	wd, _ := os.Getwd()
+
 	pwdFile := wd + "/basic-auth-password"
 	authPassword, err := password.Generate(63, 10, 0, false, true)
 
@@ -183,11 +183,11 @@ func makeServiceDefinitions(archSuffix string) []pkg.Service {
 			},
 			Mounts: []pkg.Mount{
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-password"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
 					Dest: path.Join(secretMountDir, "basic-auth-password"),
 				},
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-user"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
 					Dest: path.Join(secretMountDir, "basic-auth-user"),
 				},
 			},
@@ -231,11 +231,11 @@ func makeServiceDefinitions(archSuffix string) []pkg.Service {
 			Image: "docker.io/openfaas/gateway:0.18.8" + archSuffix,
 			Mounts: []pkg.Mount{
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-password"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
 					Dest: path.Join(secretMountDir, "basic-auth-password"),
 				},
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-user"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
 					Dest: path.Join(secretMountDir, "basic-auth-user"),
 				},
 			},
@@ -257,11 +257,11 @@ func makeServiceDefinitions(archSuffix string) []pkg.Service {
 			Image: "docker.io/openfaas/queue-worker:0.9.0",
 			Mounts: []pkg.Mount{
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-password"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
 					Dest: path.Join(secretMountDir, "basic-auth-password"),
 				},
 				pkg.Mount{
-					Src:  path.Join(wd, "basic-auth-user"),
+					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
 					Dest: path.Join(secretMountDir, "basic-auth-user"),
 				},
 			},

hack/faas-containerd.service

@@ -3,7 +3,7 @@ Description=faasd-containerd
 
 [Service]
 MemoryLimit=500M
-# Environment="basic_auth=true" # Not tested properly in PR #13, causes runtime error
+Environment="secret_mount_path={{.SecretMountPath}}"
 ExecStart=/usr/local/bin/faas-containerd
 Restart=on-failure
 RestartSec=10s

pkg/systemd/systemd.go

@@ -64,10 +64,9 @@ func DaemonReload() error {
 	return nil
 }
 
-func InstallUnit(name, folder string) error {
+func InstallUnit(name string, tokens map[string]string) error {
-	if len(folder) == 0 {
+	if len(tokens["Cwd"]) == 0 {
-		wd, _ := os.Getwd()
+		return fmt.Errorf("key Cwd expected in tokens parameter")
-		folder = wd
 	}
 
 	tmplName := "./hack/" + name + ".service"
@@ -78,13 +77,8 @@ func InstallUnit(name, folder string) error {
 	}
 
 	var tpl bytes.Buffer
-	userData := struct {
-		Cwd string
-	}{
-		Cwd: folder,
-	}
 
-	err = tmpl.Execute(&tpl, userData)
+	err = tmpl.Execute(&tpl, tokens)
 	if err != nil {
 		return err
 	}