Merge pull request rsyslog#6656 from rgerhards/codex-container-dockerhub-helper

packaging/docker: add Docker Hub metadata helper

Author: rgerhards

packaging/docker/rsyslog/README.md

@@ -9,6 +9,12 @@ container image family:
 - `rsyslog/rsyslog-dockerlogs`
 - `rsyslog/rsyslog-etl`
 
+Docker Hub descriptions for these repos can be maintained from this
+subtree with `sync_dockerhub_metadata.py` and `dockerhub_metadata.json`.
+The script reads credentials from `DOCKERHUB_USERNAME` /
+`DOCKERHUB_PASSWORD` or the local `~/.docker/config.json` and defaults
+to a dry run.
+
 ## Version and tag contract
 
 Local builds default to a non-release tag on purpose:

packaging/docker/rsyslog/dockerhub_metadata.json

@@ -0,0 +1,22 @@
+{
+  "rsyslog-minimal": {
+    "description": "Lean Ubuntu-based rsyslog image with core modules and stdout output for custom configurations.",
+    "full_description": "# rsyslog/rsyslog-minimal\n\n`rsyslog/rsyslog-minimal` is a lean Ubuntu-based image that provides the rsyslog core with a very small default configuration.\n\n## What it is for\n\nUse this image when you want to:\n\n- run rsyslog in a container with minimal defaults\n- provide your own configuration under `/etc/rsyslog.d/`\n- build your own downstream rsyslog-based image\n\n## Default behavior\n\nThe image:\n\n- starts `rsyslogd` in the foreground\n- validates the configuration with `rsyslogd -N1` before startup\n- writes logs to standard output by default\n- includes configuration snippets from `/etc/rsyslog.d/*.conf`\n\n## Useful environment variables\n\n- `RSYSLOG_HOSTNAME`: sets the hostname used inside rsyslog\n- `PERMIT_UNCLEAN_START`: skips startup config validation when set\n- `RSYSLOG_ROLE`: entrypoint role selector, normally left as `minimal`\n\n## Notes\n\nThis image is the foundation for the other user-facing rsyslog container images.\n\nDocumentation:\nhttps://www.rsyslog.com/doc/containers/minimal.html\n"
+  },
+  "rsyslog": {
+    "description": "General-purpose rsyslog image with common HTTP-capable modules for containerized log processing.",
+    "full_description": "# rsyslog/rsyslog\n\n`rsyslog/rsyslog` is the general-purpose image in the rsyslog container family.\n\n## What it is for\n\nUse this image when you want to:\n\n- run rsyslog in a container with broader defaults than the minimal image\n- use HTTP-capable rsyslog modules out of the box\n- build your own downstream rsyslog image on a more featureful base\n\n## Default behavior\n\nThe image:\n\n- builds on `rsyslog/rsyslog-minimal`\n- includes the `imhttp` and `omhttp` modules\n- keeps the same entrypoint and config-validation behavior as the minimal image\n- writes logs to standard output unless you mount additional rules\n\n## Useful environment variables\n\n- `RSYSLOG_HOSTNAME`: sets the hostname used inside rsyslog\n- `PERMIT_UNCLEAN_START`: skips startup config validation when set\n- `RSYSLOG_ROLE`: entrypoint role selector, normally left as `standard`\n\n## Notes\n\nThis image is the common base for the collector and other specialized rsyslog container roles.\n\nDocumentation:\nhttps://www.rsyslog.com/doc/containers/standard.html\n"
+  },
+  "rsyslog-collector": {
+    "description": "Central rsyslog collector image with UDP/TCP inputs, optional RELP/TLS, and file-based defaults.",
+    "full_description": "# rsyslog/rsyslog-collector\n\n`rsyslog/rsyslog-collector` is the central receiver role in the rsyslog container image family.\n\n## What it is for\n\nUse this image when you want to:\n\n- receive syslog traffic in a container\n- build a central log collector or relay service\n- start from a reusable rsyslog receiver image and add your own routing rules\n\n## Default behavior\n\nThe image:\n\n- listens on UDP syslog (`514/udp`) by default\n- listens on TCP syslog (`514/tcp`) by default\n- can enable RELP on `2514/tcp`\n- can enable TLS syslog on `6514/tcp`\n- writes received messages to local files by default\n\n## Useful environment variables\n\n- `ENABLE_UDP`: enable UDP syslog reception, default `on`\n- `ENABLE_TCP`: enable TCP syslog reception, default `on`\n- `ENABLE_RELP`: enable RELP reception, default `off`\n- `ENABLE_TLS`: enable TLS syslog reception, default `off`\n- `WRITE_ALL_FILE`: write `/var/log/all.log`, default `on`\n- `WRITE_JSON_FILE`: write `/var/log/all-json.log`, default `on`\n- `TLS_CA_FILE`, `TLS_CERT_FILE`, `TLS_KEY_FILE`, `TLS_AUTH_MODE`: TLS listener settings\n\n## Notes\n\nThe packaged configuration writes to local files. You can mount additional rules into `/etc/rsyslog.d/` to forward to other backends or reshape the pipeline.\n\nDocumentation:\nhttps://www.rsyslog.com/doc/containers/collector.html\n"
+  },
+  "rsyslog-dockerlogs": {
+    "description": "Rsyslog image for reading Docker daemon logs and forwarding them to a central collector over TCP.",
+    "full_description": "# rsyslog/rsyslog-dockerlogs\n\n`rsyslog/rsyslog-dockerlogs` is a forwarding role in the rsyslog container image family that reads Docker log events and ships them to a central collector.\n\n## What it is for\n\nUse this image when you want to:\n\n- collect logs from the Docker daemon with `imdocker`\n- forward container log events to a central rsyslog receiver\n- run an edge-side log forwarder in Docker environments\n\n## Default behavior\n\nThe image:\n\n- reads Docker log events with `imdocker`\n- forwards everything to a remote rsyslog collector over TCP\n- uses an in-memory action queue with infinite retry\n- does not store logs locally as its primary role\n\n## Useful environment variables\n\n- `REMOTE_SERVER_NAME`: required hostname or IP of the destination collector\n- `REMOTE_SERVER_PORT`: TCP port on the collector, default `514`\n- `RSYSLOG_HOSTNAME`: sets the hostname used inside rsyslog\n- `PERMIT_UNCLEAN_START`: skips startup config validation when set\n- `RSYSLOG_ROLE`: entrypoint role selector, normally left as `docker`\n\n## Notes\n\nThis image is designed to feed a central rsyslog collector, not to act as a standalone storage endpoint.\n\nDocumentation:\nhttps://www.rsyslog.com/doc/containers/dockerlogs.html\n"
+  },
+  "rsyslog-etl": {
+    "description": "Specialized rsyslog ETL image that receives syslog and forwards events to a Vespa HTTP endpoint.",
+    "full_description": "# rsyslog/rsyslog-etl\n\n`rsyslog/rsyslog-etl` is a specialized ingestion role that accepts syslog over the network and forwards events to a Vespa HTTP API.\n\n## What it is for\n\nUse this image when you want to:\n\n- receive syslog over UDP, TCP, or RELP\n- forward events to a Vespa document API with `omhttp`\n- use rsyslog as a transport and delivery component in a Vespa-oriented ETL pipeline\n\n## Default behavior\n\nThe image:\n\n- listens on UDP syslog (`514/udp`) by default\n- listens on TCP syslog (`514/tcp`) by default\n- enables RELP on `2514/tcp` by default\n- forwards events to Vespa over HTTP\n- is specialized for Vespa-oriented pipelines rather than generic all-destinations ETL use\n\n## Useful environment variables\n\n- `ENABLE_UDP`, `ENABLE_TCP`, `ENABLE_RELP`: control network listeners\n- `ENABLE_VESPA`: enables the packaged Vespa HTTP action\n- `VESPA_NAMESPACE`, `VESPA_DOCTYPE`: define the generated Vespa document path\n- `VESPA_SERVER`, `VESPA_PORT`: define the Vespa HTTP endpoint\n- `RSYSLOG_HOSTNAME`: sets the hostname used inside rsyslog\n- `PERMIT_UNCLEAN_START`: skips startup config validation when set\n\n## Notes\n\nThe packaged ETL output is HTTP to Vespa. The repository also includes a sample Docker Compose deployment for this image.\n\nDocumentation:\nhttps://www.rsyslog.com/doc/containers/etl.html\n"
+  }
+}

packaging/docker/rsyslog/sync_dockerhub_metadata.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+"""Sync Docker Hub repository descriptions for the rsyslog image family.
+
+By default the script runs in dry-run mode and prints the intended updates.
+Use --apply to write metadata to Docker Hub.
+"""
+
+from __future__ import annotations
+
+import argparse
+import base64
+import binascii
+import json
+import os
+from pathlib import Path
+import sys
+import urllib.error
+import urllib.request
+
+
+HUB_LOGIN_URL = "https://hub.docker.com/v2/users/login/"
+HUB_REPO_URL = "https://hub.docker.com/v2/repositories/{namespace}/{repo}/"
+DEFAULT_NAMESPACE = "rsyslog"
+DEFAULT_METADATA_FILE = Path(__file__).with_name("dockerhub_metadata.json")
+
+
+def load_metadata(path: Path) -> dict[str, dict[str, str]]:
+    return json.loads(path.read_text())
+
+
+def load_credentials() -> tuple[str, str]:
+    username = os.getenv("DOCKERHUB_USERNAME")
+    password = os.getenv("DOCKERHUB_PASSWORD")
+    if username and password:
+        return username, password
+
+    cfg_path = Path.home() / ".docker" / "config.json"
+    if not cfg_path.exists():
+        raise RuntimeError(
+            "No Docker Hub credentials found. Set DOCKERHUB_USERNAME and "
+            "DOCKERHUB_PASSWORD or login with docker first."
+        )
+
+    cfg = json.loads(cfg_path.read_text())
+    auths = cfg.get("auths", {})
+    auth = auths.get("https://index.docker.io/v1/", {}).get("auth")
+    if not auth:
+        raise RuntimeError(
+            "Docker config does not contain https://index.docker.io/v1/ auth."
+        )
+
+    try:
+        decoded = base64.b64decode(auth).decode()
+    except (binascii.Error, UnicodeDecodeError) as err:
+        raise RuntimeError("Docker config auth for Docker Hub is malformed.") from err
+
+    if ":" not in decoded:
+        raise RuntimeError("Docker config auth for Docker Hub is malformed.")
+
+    return tuple(decoded.split(":", 1))
+
+
+def hub_request(
+    url: str, token: str | None = None, method: str = "GET", payload: dict | None = None
+) -> dict:
+    data = None if payload is None else json.dumps(payload).encode()
+    req = urllib.request.Request(url, data=data, method=method)
+    req.add_header("Content-Type", "application/json")
+    if token:
+        req.add_header("Authorization", f"JWT {token}")
+    with urllib.request.urlopen(req, timeout=30) as resp:
+        return json.loads(resp.read().decode())
+
+
+def login() -> str:
+    username, password = load_credentials()
+    resp = hub_request(HUB_LOGIN_URL, method="POST", payload={"username": username, "password": password})
+    token = resp.get("token")
+    if not token:
+        raise RuntimeError("Docker Hub login succeeded but no token was returned.")
+    return token
+
+
+def normalize_repo_selection(selected: list[str] | None, metadata: dict[str, dict[str, str]]) -> list[str]:
+    if not selected:
+        return sorted(metadata.keys())
+    missing = [name for name in selected if name not in metadata]
+    if missing:
+        raise RuntimeError(f"Metadata file does not define repos: {', '.join(missing)}")
+    return selected
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--apply", action="store_true", help="Write metadata to Docker Hub.")
+    parser.add_argument("--namespace", default=DEFAULT_NAMESPACE, help="Docker Hub namespace. Default: rsyslog")
+    parser.add_argument(
+        "--metadata-file",
+        default=str(DEFAULT_METADATA_FILE),
+        help="Path to the JSON metadata file.",
+    )
+    parser.add_argument(
+        "--repo",
+        action="append",
+        help="Limit sync to one or more repos defined in the metadata file.",
+    )
+    args = parser.parse_args()
+
+    metadata_file = Path(args.metadata_file)
+    metadata = load_metadata(metadata_file)
+    repos = normalize_repo_selection(args.repo, metadata)
+
+    token = login()
+
+    for repo in repos:
+        payload = metadata[repo]
+        url = HUB_REPO_URL.format(namespace=args.namespace, repo=repo)
+        current = hub_request(url, token=token)
+        summary = {
+            "repo": f"{args.namespace}/{repo}",
+            "current_description": current.get("description") or "",
+            "new_description": payload["description"],
+            "apply": args.apply,
+        }
+        print(json.dumps(summary, ensure_ascii=True))
+        if args.apply:
+            updated = hub_request(url, token=token, method="PATCH", payload=payload)
+            print(
+                json.dumps(
+                    {
+                        "repo": f"{args.namespace}/{repo}",
+                        "updated_description": updated.get("description") or "",
+                        "has_full_description": updated.get("full_description") is not None,
+                    },
+                    ensure_ascii=True,
+                )
+            )
+
+    return 0
+
+
+if __name__ == "__main__":
+    try:
+        raise SystemExit(main())
+    except urllib.error.HTTPError as err:
+        print(f"HTTP error from Docker Hub: {err.code} {err.reason}", file=sys.stderr)
+        raise
+    except Exception as err:  # pragma: no cover - CLI path
+        print(f"ERROR: {err}", file=sys.stderr)
+        raise SystemExit(1)