From b280c136a4279d9b3c46936f4737c47d83dae2fd Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 27 Mar 2015 13:28:33 +0100
Subject: Docker packaging.
---
Makefile | 92 ++++++++++++++------------
makerelease.erl | 4 +-
packaging/docker/README | 23 +++++--
packaging/docker/base-debian:jessie/Dockerfile | 3 +-
packaging/docker/build-from-source.sh | 5 ++
packaging/docker/build.sh | 5 --
packaging/docker/catlfish-dev/Dockerfile | 51 +++++++++++---
packaging/docker/catlfish-dev/supervisord.conf | 2 +-
packaging/docker/erlang/Dockerfile | 2 +-
tools/compileconfig.py | 2 +-
10 files changed, 120 insertions(+), 69 deletions(-)
create mode 100755 packaging/docker/build-from-source.sh
delete mode 100755 packaging/docker/build.sh
diff --git a/Makefile b/Makefile
index 51fd786..e188e95 100644
--- a/Makefile
+++ b/Makefile
@@ -1,49 +1,53 @@ -PREFIX=rel +# Makefile for catlfish + +PREFIX=. +INSTDIR=$(PREFIX)/catlfish build all: ./make.erl + clean: -rm ebin/*.beam + release: all - rm -rf $(PREFIX) - mkdir $(PREFIX) - ./makerelease.erl - mkdir $(PREFIX)/catlfish + rm -rf $(INSTDIR) + mkdir $(INSTDIR) + ./makerelease.erl $(INSTDIR) -include test/test.mk tests-prepare: - rm -r $(PREFIX)/tests || true - mkdir $(PREFIX)/tests + rm -r $(INSTDIR)/tests || true + mkdir $(INSTDIR)/tests make tests-createca make tests-createcert - mkdir $(PREFIX)/tests/keys - (cd $(PREFIX)/tests/keys ; ../../../tools/create-key.sh logkey) - mkdir $(PREFIX)/tests/mergedb - mkdir $(PREFIX)/tests/mergedb/chains - touch $(PREFIX)/tests/mergedb/logorder - mkdir $(PREFIX)/tests/known_roots - cp tools/testcerts/roots/* $(PREFIX)/tests/known_roots + mkdir $(INSTDIR)/tests/keys + (cd $(INSTDIR)/tests/keys ; ../../../tools/create-key.sh logkey) + mkdir $(INSTDIR)/tests/mergedb + mkdir $(INSTDIR)/tests/mergedb/chains + touch $(INSTDIR)/tests/mergedb/logorder + mkdir $(INSTDIR)/tests/known_roots + cp tools/testcerts/roots/* $(INSTDIR)/tests/known_roots @for machine in $(MACHINES); do \ - (cd $(PREFIX); ../tools/compileconfig.py --config=../test/catlfish-test.cfg --localconfig ../test/catlfish-test-local-$$machine.cfg) ; \ - mkdir -p $(PREFIX)/tests/machine/machine-$$machine/db ; \ - touch $(PREFIX)/tests/machine/machine-$$machine/db/index ; \ - touch $(PREFIX)/tests/machine/machine-$$machine/db/newentries ; \ + tools/compileconfig.py --config=test/catlfish-test.cfg --localconfig test/catlfish-test-local-$$machine.cfg ; \ + mkdir -p $(INSTDIR)/tests/machine/machine-$$machine/db ; \ + touch $(INSTDIR)/tests/machine/machine-$$machine/db/index ; \ + touch $(INSTDIR)/tests/machine/machine-$$machine/db/newentries ; \ done - (cd $(PREFIX); ../tools/compileconfig.py --config=../test/catlfish-test.cfg --localconfig ../test/catlfish-test-local-signing.cfg) - mkdir $(PREFIX)/tests/privatekeys - mkdir $(PREFIX)/tests/publickeys + 
tools/compileconfig.py --config test/catlfish-test.cfg --localconfig test/catlfish-test-local-signing.cfg + mkdir $(INSTDIR)/tests/privatekeys + mkdir $(INSTDIR)/tests/publickeys @for node in $(NODES); do \ - (cd $(PREFIX)/tests/privatekeys ; ../../../tools/create-key.sh $$node) ; \ - mv $(PREFIX)/tests/privatekeys/$$node.pem $(PREFIX)/tests/publickeys/ ; \ + (cd $(INSTDIR)/tests/privatekeys ; ../../../tools/create-key.sh $$node) ; \ + mv $(INSTDIR)/tests/privatekeys/$$node.pem $(INSTDIR)/tests/publickeys/ ; \ mkdir -p test/nodes/$$node/log ; \ done - (cd $(PREFIX)/tests/privatekeys ; ../../../tools/create-key.sh merge-1) - mv $(PREFIX)/tests/privatekeys/merge-1.pem $(PREFIX)/tests/publickeys/ + (cd $(INSTDIR)/tests/privatekeys ; ../../../tools/create-key.sh merge-1) + mv $(INSTDIR)/tests/privatekeys/merge-1.pem $(INSTDIR)/tests/publickeys/ tests-start: @for node in $(NODES); do \ - (cd $(PREFIX) ; bin/run_erl -daemon ../test/nodes/$$node/ ../test/nodes/$$node/log/ "exec bin/erl -config $$node") \ + (cd $(INSTDIR) ; bin/run_erl -daemon ../test/nodes/$$node/ ../test/nodes/$$node/log/ "exec bin/erl -config $$node") \ done @for i in 1 2 3 4 5 6 7 8 9 10; do \ echo "waiting for system to start" ; \ 
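Review bot: The `release` recipe now runs `rm -rf $(INSTDIR)` on a path derived from a command-line-overridable `PREFIX`, and nothing checks the value before deleting. The catlfish-dev Dockerfile in this commit calls it as `make -C catlfish PREFIX=/usr/local release`, presumably as root during the image build, and a mistyped or empty `PREFIX` would point the same `rm -rf` at a different tree (an empty one yields `/catlfish`). A guard as the first recipe line, `$(if $(strip $(INSTDIR)),,$(error INSTDIR is empty))`, fails early, and `mkdir -p $(INSTDIR)` avoids the error when `$(PREFIX)` does not exist yet. Separately, the `../../../tools/create-key.sh` and `../test/nodes/...` paths in tests-prepare and tests-start only resolve when INSTDIR sits exactly one level below the source tree, which deserves a comment next to the `INSTDIR=` assignment. The tests-start rule continues past the end of this hunk.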
@@ -59,20 +63,20 @@ tests-start: done tests-run: - @(cd $(PREFIX) && python ../tools/testcase1.py https://localhost:8080/ tests/keys/logkey.pem) || (echo "Tests failed" ; false) - @(cd $(PREFIX) && python ../tools/fetchallcerts.py $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Verification failed" ; false) - @(cd $(PREFIX) && rm -f submittedcerts) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert1.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert2.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert3.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert4.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert5.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/pre1.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/pre2.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) - @(cd $(PREFIX) && python ../tools/merge.py --config ../test/catlfish-test.cfg 
--localconfig ../test/catlfish-test-local-merge.cfg) || (echo "Merge failed" ; false) + @(cd $(INSTDIR) && python ../tools/testcase1.py https://localhost:8080/ tests/keys/logkey.pem) || (echo "Tests failed" ; false) + @(cd $(INSTDIR) && python ../tools/fetchallcerts.py $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Verification failed" ; false) + @(cd $(INSTDIR) && rm -f submittedcerts) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert1.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert2.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert3.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert4.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/cert5.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/pre1.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python ../tools/submitcert.py --parallel=1 --store ../tools/testcerts/pre2.txt --check-sct --sct-file=submittedcerts $(BASEURL) --publickey=tests/keys/logkey.pem) || (echo "Submission failed" ; false) + @(cd $(INSTDIR) && python 
../tools/merge.py --config ../test/catlfish-test.cfg --localconfig ../test/catlfish-test-local-merge.cfg) || (echo "Merge failed" ; false) tests-run2: - @(cd $(PREFIX) ; python ../tools/verifysct.py --sct-file=submittedcerts --parallel 1 $(BASEURL) --publickey=tests/keys/logkey.pem) || echo "Verification of SCT:s failed" + @(cd $(INSTDIR) ; python ../tools/verifysct.py --sct-file=submittedcerts --parallel 1 $(BASEURL) --publickey=tests/keys/logkey.pem) || echo "Verification of SCT:s failed" tests-stop: @for node in $(NODES); do \ @@ -96,8 +100,8 @@ tests: @make tests-stop tests-createca: - mkdir $(PREFIX)/tests/httpsca - ( cd $(PREFIX)/tests/httpsca ; \ + mkdir $(INSTDIR)/tests/httpsca + ( cd $(INSTDIR)/tests/httpsca ; \ mkdir -p demoCA/newcerts ; \ touch demoCA/index.txt ; \ echo 00 > demoCA/serial ; \ @@ -112,12 +116,12 @@ tests-createca: ) tests-createcert: - mkdir $(PREFIX)/tests/httpscert - openssl req -new -newkey rsa:2048 -keyout $(PREFIX)/tests/httpscert/httpskey-1.pem -out $(PREFIX)/tests/httpsca/httpscert-1.csr -nodes -subj '/countryName=SE/stateOrProvinceName=Stockholm/organizationName=Test/CN=localhost' - ( cd $(PREFIX)/tests/httpsca ; \ + mkdir $(INSTDIR)/tests/httpscert + openssl req -new -newkey rsa:2048 -keyout $(INSTDIR)/tests/httpscert/httpskey-1.pem -out $(INSTDIR)/tests/httpsca/httpscert-1.csr -nodes -subj '/countryName=SE/stateOrProvinceName=Stockholm/organizationName=Test/CN=localhost' + ( cd $(INSTDIR)/tests/httpsca ; \ openssl ca -in httpscert-1.csr -keyfile key.pem -out httpscert-1.pem -batch \ ) - cp $(PREFIX)/tests/httpsca/httpscert-1.pem $(PREFIX)/tests/httpscert/ + cp $(INSTDIR)/tests/httpsca/httpscert-1.pem $(INSTDIR)/tests/httpscert/ # Unit testing. diff --git a/makerelease.erl b/makerelease.erl index f72fdb6..16e5f7f 100755 --- a/makerelease.erl +++ b/makerelease.erl 
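Review bot: The changed `tests-run2` line still ends in `|| echo "Verification of SCT:s failed"`, so a failed SCT verification only prints a message and the recipe exits 0, unlike the `tests-run` lines above it, which end in `; false)`. Since the line is being touched anyway, I would end it with `|| (echo "Verification of SCT:s failed" ; false)` and use `cd $(INSTDIR) &&` instead of `cd $(INSTDIR) ;` so verifysct.py cannot run from the wrong directory when the `cd` fails. If the soft failure is deliberate so that tests-stop still runs, a comment saying so would help. The remaining lines here and in the tests-createca and tests-createcert hunks are a mechanical PREFIX-to-INSTDIR rename.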
@@ -1,7 +1,7 @@ #!/usr/bin/env escript %% -*- erlang -*- -main(_) -> +main([DestDir]) -> {ok, Conf} = file:consult("reltool.config"), {ok, Spec} = reltool:get_target_spec(Conf), - ok = reltool:eval_target_spec(Spec, code:root_dir(), "rel"). + ok = reltool:eval_target_spec(Spec, code:root_dir(), DestDir). diff --git a/packaging/docker/README b/packaging/docker/README index 0a75c10..147fa41 100644 --- a/packaging/docker/README +++ b/packaging/docker/README @@ -1,14 +1,27 @@ -Requirements: +Information about creating a docker image for running catlfish from a +binary release or with catlfish built from source. + + +Requirements +------------ + - lack of expectations regarding security -- docker doesn't verify downloaded images - a 64-bit Linux system - lxc-docker version 1.3 or later -Build a docker image with catlfish. Note that you will have to cd into -this directory, catlfish/packaging/docker, in order for docker to find -the appropriate docker files. - $ ./build.sh +Building an image +----------------- + +Run build-from-release.sh or build-from-source.sh to build a docker +image with catlfish. Note that you will have to cd into this +directory, catlfish/packaging/docker, in order for docker to find the +appropriate docker files. + + +Running it +---------- Run the resulting image in interactive mode. diff --git a/packaging/docker/base-debian:jessie/Dockerfile b/packaging/docker/base-debian:jessie/Dockerfile index 6a30a45..dbd5d37 100644 --- a/packaging/docker/base-debian:jessie/Dockerfile +++ b/packaging/docker/base-debian:jessie/Dockerfile @@ -1,5 +1,6 @@ FROM debian:jessie RUN apt-get update RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections -RUN apt-get install -y -q supervisor +RUN apt-get -y -q upgrade +RUN apt-get -y -q install supervisor RUN mkdir -p /var/log/supervisor diff --git a/packaging/docker/build-from-source.sh b/packaging/docker/build-from-source.sh new file mode 100755 index 0000000..2b47222 --- /dev/null 
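Review bot: `main([DestDir])` is now the only clause, so running the script with no argument, or with a path that the shell splits into several words, ends in a function_clause crash rather than a usage message. A fallback clause such as `main(_) -> io:format(standard_error, "usage: makerelease.erl DESTDIR~n", []), halt(1).` would make the new calling convention explicit. A header comment noting that DESTDIR is expected to exist already (the Makefile runs `mkdir $(INSTDIR)` before the call) would document the contract with the `release` target.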
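Review bot: The added `RUN apt-get -y -q upgrade` sits in its own layer after a separate `RUN apt-get update`, so with Docker's layer cache the package index can be reused from an older build and the upgrade and install then run against stale lists, missing later security fixes. Combining them as `RUN apt-get update && apt-get -y -q upgrade && apt-get -y -q install supervisor` keeps the index and the packages in step; the debconf line would move above it. The same split update/install pattern appears in the erlang/Dockerfile and catlfish-dev/Dockerfile hunks of this commit.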
+++ b/packaging/docker/build-from-source.sh @@ -0,0 +1,5 @@ +#! /bin/sh + +docker build -t base base-debian:jessie +docker build -t erlang erlang +docker build -t catlfish catlfish-dev diff --git a/packaging/docker/build.sh b/packaging/docker/build.sh deleted file mode 100755 index 2b47222..0000000 --- a/packaging/docker/build.sh +++ /dev/null @@ -1,5 +0,0 @@ -#! /bin/sh - -docker build -t base base-debian:jessie -docker build -t erlang erlang -docker build -t catlfish catlfish-dev diff --git a/packaging/docker/catlfish-dev/Dockerfile b/packaging/docker/catlfish-dev/Dockerfile index cbfc285..b1192cf 100644 --- a/packaging/docker/catlfish-dev/Dockerfile +++ b/packaging/docker/catlfish-dev/Dockerfile 
@@ -1,26 +1,59 @@ +# Catlfish expects to find its configuration in +# /usr/local/etc/catlfish/catlfish.config so mounting +# /usr/local/etc/catlfish is recommended. This can be done using the +# `-v' flag to `docker run'. Example: + +# $ docker run -v /etc/catlfish:/usr/local/etc/catlfish catlfish + FROM erlang RUN apt-get update RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections -RUN apt-get install -y -q \ - gcc \ - git \ - make +RUN apt-get -y -q install gcc git make curl -WORKDIR /opt +# Build dependencies in /usr/local/src. +WORKDIR /usr/local/src -RUN git clone -b v2.12.2 https://github.com/mochi/mochiweb +RUN curl https://www.ct.nordu.net/dist/mochiweb-v2.12.2.tar.gz | tar xzf - +RUN ln -s mochiweb-2.12.2 mochiweb RUN make -C mochiweb -RUN git clone -b 2.1.1 https://github.com/basho/lager +RUN curl https://www.ct.nordu.net/dist/lager-2.1.1.tar.gz | tar xzf - +RUN ln -s lager-2.1.1 lager +RUN mkdir lager/deps +RUN curl https://www.ct.nordu.net/dist/goldrush-0.1.6.tar.gz | tar xzf - -C lager/deps && ln -s goldrush-0.1.6 lager/deps/goldrush RUN make -C lager -RUN git clone -b 1.1.0 https://github.com/benoitc/hackney.git +RUN curl https://www.ct.nordu.net/dist/hackney-1.1.0.tar.gz | tar xzf - +RUN ln -s hackney-1.1.0 hackney +RUN mkdir hackney/deps +RUN curl https://www.ct.nordu.net/dist/erlang-idna-1.0.2.tar.gz | tar xzf - -C hackney/deps && ln -s erlang-idna-1.0.2 hackney/deps/idna +RUN curl https://www.ct.nordu.net/dist/ssl_verify_hostname-1.0.4.tar.gz | tar xzf - -C hackney/deps && ln -s ssl_verify_hostname-1.0.4 hackney/deps/ssl_verify_hostname RUN make -C hackney REBAR=../lager/rebar +# Build plop and catlfish. RUN git clone https://git.nordu.net/plop.git RUN make -C plop RUN git clone https://git.nordu.net/catlfish.git -RUN make -C catlfish all release +RUN make -C catlfish all +RUN make -C catlfish PREFIX=/usr/local release + +# Config dir and database dir are mounted from host using `-v' to +# 'docker run'. 
+VOLUME /usr/local/catlfish +VOLUME /var/local/db/catlfish + +# Working directory is where catlfish.config is. We want to run in +# /var/run/catlfish and not in /usr/local/etc/catlfish, so symlink. +RUN mkdir -p /var/run/catlfish/erlang_log /var/run/catlfish/sasl_log +RUN chgrp -R daemon /var/run/catlfish +RUN chmod -R 775 /var/run/catlfish +RUN ln -s /usr/local/etc/catlfish/catlfish.config /var/run/catlfish/ +WORKDIR /var/run/catlfish + +# Don't run as root. +USER daemon +# Run supervisord. ADD supervisord.conf /etc/supervisor/ +CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] diff --git a/packaging/docker/catlfish-dev/supervisord.conf b/packaging/docker/catlfish-dev/supervisord.conf index c973bff..8b317e0 100644 --- a/packaging/docker/catlfish-dev/supervisord.conf +++ b/packaging/docker/catlfish-dev/supervisord.conf @@ -2,4 +2,4 @@ nodaemon=true [program:catlfish] -command=/opt/catlfish/rel/bin/erl -config catlfish +command=/usr/local/catlfish/bin/run_erl /var/run/catlfish/ /var/run/catlfish/erlang_log/ "exec /usr/local/catlfish/bin/erl -config catlfish" diff --git a/packaging/docker/erlang/Dockerfile b/packaging/docker/erlang/Dockerfile index c33a22b..531064d 100644 --- a/packaging/docker/erlang/Dockerfile +++ b/packaging/docker/erlang/Dockerfile @@ -1,7 +1,7 @@ FROM base RUN apt-get update RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections -RUN apt-get install -y -q \ +RUN apt-get -y -q install \ erlang-base \ erlang-crypto \ erlang-dev \ diff --git a/tools/compileconfig.py b/tools/compileconfig.py index c239bd0..8b7524d 100755 --- a/tools/compileconfig.py +++ b/tools/compileconfig.py 
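Review bot: Each dependency is now fetched with `curl URL | tar xzf -` and nothing checks what arrived: no checksum or signature is compared, and without `-f` an HTTP error page is piped into tar while curl's exit status is lost behind the pipe. I would download to a file and verify before unpacking, e.g. `RUN curl -fsSL -o lager-2.1.1.tar.gz https://www.ct.nordu.net/dist/lager-2.1.1.tar.gz && echo "<SHA256-PLACEHOLDER>  lager-2.1.1.tar.gz" | sha256sum -c - && tar xzf lager-2.1.1.tar.gz`, with the real digest recorded in the Dockerfile. The two `git clone` lines for plop and catlfish are also unpinned, so the image contents depend on whatever the branch head is at build time; a tag or commit id would make builds repeatable. Separately, `VOLUME /usr/local/catlfish` looks like a typo for `/usr/local/etc/catlfish`: the comments and the `ln -s` line use the `etc` path, while `/usr/local/catlfish` is where `PREFIX=/usr/local release` installs the release, so a host mount there would hide the installed binaries.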
@@ -52,7 +52,7 @@ def gen_erlang(term, level=1): saslconfig = [(Symbol("sasl_error_logger"), Symbol("false")), (Symbol("errlog_type"), Symbol("error")), - (Symbol("error_logger_mf_dir"), "log"), + (Symbol("error_logger_mf_dir"), "sasl_log"), (Symbol("error_logger_mf_maxbytes"), 10485760), (Symbol("error_logger_mf_maxfiles"), 10), ] -- cgit v1.1
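Review bot: `error_logger_mf_dir` is a relative path, so the new `"sasl_log"` value resolves against the node's working directory, and as far as I know SASL expects that directory to exist at start. The catlfish-dev Dockerfile in this commit creates `/var/run/catlfish/sasl_log`, but I do not see the Makefile hunks creating a `sasl_log` directory under `$(INSTDIR)` for the test nodes, which are started from there; that may happen outside the visible hunks, so it is worth confirming. A comment on this tuple, e.g. `# relative to the node's cwd; directory must exist before the node starts`, would record the requirement. The enclosing code of the saslconfig list starts and ends outside this hunk.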