view docker/prosody/Dockerfile @ 43:4c5bd7ddaaca
xep: updated XEP-0356 (privileged entity):
Several updates according to feedbacks + review:
- added links to PEP and namespace delegation XEPs
- removed MUST for default values in configuration
- <forwarded/> element is now a child of a <privilege/> element
- <perm/> "namespace" attribute has been renamed to "access"
- "headline" type restriction for "message" privilege has been removed
- "message" permission violation now results in a "forbidden" message error
- for "presence" permission, only <presence/> stanza with no type or with a "unavailable" type are sent to privileged entity
- added specification for "presence" if a managed entity is unavailable and if a privileged entity is available after the first <presence/> stanzas have been received
- added Business Rules section
- Updated namespace to reflect incompatible changes
author | Goffi <goffi@goffi.org> |
---|---|
date | Mon, 23 Mar 2015 18:41:01 +0100 |
parents | 0e78c8a4626e |
children | 686a8c982c3f |
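###############################################################
#                                                             #
#                     Salut à Toi/Prosody                     #
#  This Dockerfile builds a Prosody version prepared for SàT  #
# Salut à Toi is a multi-frontends multi-purposes XMPP client #
#                                                             #
###############################################################

# NOTE(review): ":latest" is a moving tag, so two builds of this file can
# start from different base images. Pin a release tag or an image digest
# once one is available for salutatoi/base.
FROM salutatoi/base:latest
# MAINTAINER is deprecated; the same contact is kept as a label.
LABEL maintainer="Goffi <goffi@goffi.org>"

########
# BASE #
########

# The package index is refreshed in the same layer as the install, so a stale
# index inherited from the base image cannot break or skew the install.
# The cache is cleaned in that layer too: a clean in a later RUN does not
# shrink the image.
RUN apt-get update \
    && apt-get install -y apg prosody \
    && apt-get clean

######################
# REMOTE ROSTER HACK #
######################

# This dirty hack is used temporarily in SàT to have nice features like fine permissions tuning
# see http://www.goffi.org/post/2012/06/24/Fine-access-tuning-for-PubSub
# A proper solution is being worked on, with new XEPs

WORKDIR /usr/lib/prosody/modules

# wget/curl are not installed, so we use python
# NOTE(review): this Lua module is loaded into the XMPP server, yet it is
# fetched at build time over plain HTTP from a paste service, with no
# checksum or signature check. Whoever can alter the paste or the traffic
# decides what code runs inside Prosody. Prefer vendoring the reviewed file
# next to this Dockerfile and COPYing it, or compare its SHA-256 with a
# reviewed value before the build continues.
RUN python -c 'import urllib2;f=open("mod_remote_roster.lua","w");f.write(urllib2.urlopen("http://paste.debian.net/download/121248").read());f.close()'

WORKDIR /etc/prosody

# the hacked module must be activated
RUN sed -i 's/modules_enabled = {/\0\n\t-- SàT specific\n\t\t"remote_roster";/' prosody.cfg.lua

######################
# MISC CONFIGURATION #
######################

# we want to run in the foreground
RUN sed -i 's/daemonize = true;/daemonize = false;/' prosody.cfg.lua

# we listen on all interfaces for components (but we do *NOT* expose the port!
# It's just for linked containers)
# NOTE(review): leaving a port out of EXPOSE does not filter it. Other
# containers on the same Docker network can still connect unless
# inter-container traffic is restricted, so the component secrets are the
# only protection for this listener.
RUN sed -i 's/^----------- Virtual hosts -----------/component_interface="0.0.0.0"\n\n\0/' prosody.cfg.lua

# we don't want to allow self registering, this is managed by a SàT plugin
RUN sed -i 's/"register"/--\0/' prosody.cfg.lua

# announce is useful on a Libervia instance
RUN sed -i 's/--"announce"/"announce"/' prosody.cfg.lua

# we use an environment variable to get the domain
RUN sed -i 's/^admins =.*$/\nlocal domain = os.getenv("DOMAIN") or "libervia.int"\n\0/' prosody.cfg.lua

# default admin is admin@DOMAIN
RUN sed -i 's/admins = { }/admins = { "admin@"..(domain) }/' prosody.cfg.lua

# we can now set our virtualhost
RUN sed -i 's/^------ Components ------/VirtualHost (domain)\n\n\0/' prosody.cfg.lua

# we want default, unsplit logs: the "log = ... }" block is removed.
# The pattern is greedy, so it deletes up to the last line that starts with "}".
RUN python -c 'import re;f=open("prosody.cfg.lua","r+");buf=re.sub(r"^log =.*^}","",f.read(),1,re.DOTALL | re.MULTILINE);f.seek(0);f.write(buf);f.truncate()'

###############
# CERTIFICATE #
###############

# We want to use the certificate in /usr/share/sat
RUN sed -i 's%key = "/etc/prosody/certs/localhost.key";%key = "/etc/prosody/certs/localhost.key";%; s%key = "/etc/prosody/certs/localhost.key";%key = "/usr/share/sat/libervia.key";%; s%certificate = "/etc/prosody/certs/localhost.crt";%certificate = "/usr/share/sat/libervia.crt";%' prosody.cfg.lua

# but we create links to be sure that there is a certificate
# ";" is kept (presumably deliberate): a failure of the first ln does not
# stop the build, only the status of the second ln decides the step.
# NOTE(review): the sed above rewrites a path ending in "localhost.crt",
# while the second link points at "localhost.cert". If the package ships
# only one of the two names, either the rewrite or the link is ineffective
# and the fallback certificate link dangles; confirm against the installed
# prosody package.
RUN ln -s /etc/prosody/certs/localhost.key /usr/share/sat/libervia.key; ln -s /etc/prosody/certs/localhost.cert /usr/share/sat/libervia.crt

##############
# COMPONENTS #
##############

# we activate the MUC component on chat.DOMAIN
RUN sed -i 's/--Component "conference.example.com" "muc"/Component ("chat."..domain) "muc"/' prosody.cfg.lua

# and the SOCKS5 bytestream proxy on proxy.DOMAIN
RUN sed -i 's/--Component "proxy.example.com" "proxy65"/Component ("proxy."..domain) "proxy65"/' prosody.cfg.lua

# SàT PubSub
RUN sed -i 's/^------ Additional/Component ("sat-pubsub."..domain)\n\tcomponent_secret = os.getenv("SAT_PUBSUB_SECRET")\n\n\0/' prosody.cfg.lua

# Salut, SàT's directory component
RUN sed -i 's/^------ Additional/Component ("salut."..domain)\n\tcomponent_secret = os.getenv("SAT_SALUT_SECRET")\n\n\0/' prosody.cfg.lua

###########################
# AUTOMATIC CONFIGURATION #
###########################

# this script lets linked containers call prosodyctl and read configuration variables
# NOTE(review): the XML-RPC service below listens on 0.0.0.0:9999 with no
# authentication and no transport protection. Any peer that can reach the
# port can run an arbitrary prosodyctl subcommand (the "command" argument is
# not restricted) and read both component secrets. Restrict it to the
# containers that need it (dedicated network, or a shared token checked in
# both functions) and consider an allow-list of prosodyctl subcommands.
# The variable allow-list is an explicit check rather than an assert, so it
# still holds when Python runs with optimizations (e.g. PYTHONOPTIMIZE set),
# which strip assert statements.
RUN echo '#!/usr/bin/env python2\n\
import subprocess, SimpleXMLRPCServer, os\n\
def prosodyctl(command, profile, pwd):\n\
    process = subprocess.Popen(["prosodyctl", command, profile], stdin=subprocess.PIPE)\n\
    if pwd:\n\
        process.communicate("%s\\n%s"%(pwd,pwd))\n\
    return process.wait()\n\
def getenv(variable):\n\
    if variable not in ("SAT_PUBSUB_SECRET","SAT_SALUT_SECRET","DOMAIN"):\n\
        raise ValueError("variable not allowed")\n\
    return os.getenv(variable)\n\
server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 9999))\n\
server.register_function(prosodyctl, "prosodyctl")\n\
server.register_function(getenv, "getenv")\n\
server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server

# the following script is used to automatically generate passwords for components.
# It is installed as /usr/local/bin/prosody and wraps the real /usr/bin/prosody.
# Expansions are quoted so an empty or space-containing value cannot break the
# test or split arguments, and the server is started with exec so it receives
# the stop signal directly instead of the wrapper shell.
# NOTE(review): apg is called with its default length settings; consider
# requesting longer secrets, since they are the only credential protecting
# the component listener.
RUN echo '#!/bin/sh\n\
export SAT_PUBSUB_SECRET="$(apg -n 1)"\n\
export SAT_SALUT_SECRET="$(apg -n 1)"\n\
if [ -z "$DOMAIN" ]; then\n\
    export DOMAIN="libervia.int"\n\
fi\n\
container_server&\n\
echo "domain used: $DOMAIN\n"\n\
exec /usr/bin/prosody "$@"' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody

#########
# PORTS #
#########

# client to server (C2S)
EXPOSE 5222

# server to server (S2S)
EXPOSE 5269

##########
# LAUNCH #
##########

# prosody needs access to /var/run to write its pid
# "&&" instead of ";" so a failed mkdir is not hidden by a later command.
RUN mkdir -p /var/run/prosody && chown prosody:adm /var/run/prosody

# Drop root before starting; "prosody" resolves to the wrapper script above.
USER prosody
ENTRYPOINT ["prosody"]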