view docker/prosody/Dockerfile @ 85:bcba1966e6db

docker: certificate generation + various improvements: - certificate is now auto-generated on first prosody launch if there is not already one - certificate generated on build is removed to avoid image-wide certificate - generated certificates are stored in sat_data - data image is now based on prosody which is itself based on sat_pubsub - prosody configuration is moved to /etc/prosody/prosody_sat_cfg, and stored in sat_data - building order changed to adapt to new images hierarchy - libervia default configuration set to both without redirection (and with a security warning)
author Goffi <goffi@goffi.org>
date Thu, 18 Feb 2016 17:31:09 +0100
parents 686a8c982c3f
children 30f3f83d6959

###############################################################
#                                                             #
#                     Salut à Toi/Prosody                     #
#  This Dockerfile build a Prosody version prepared for SàT   #
# Salut à Toi is a multi-frontends multi-purposes XMPP client #
#                                                             #
###############################################################

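# NOTE(review): the base is tracked by its moving "latest" tag, so two builds
# can start from different images; pin a tag (or a digest) once the
# sat_pubsub image publishes one.
FROM salutatoi/sat_pubsub:latest

# MAINTAINER is deprecated; the same information is kept as a label
LABEL maintainer="Goffi <goffi@goffi.org>"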

########
# BASE #
########

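# lsb_release is only needed to name the Debian suite in the prosody repository line;
# update and install are kept in the same layer so a cached index cannot go stale
RUN apt-get update && apt-get install -y --no-install-recommends lsb-release
# we add prosody repository and key
RUN echo deb http://packages.prosody.im/debian $(lsb_release -sc) main > /etc/apt/sources.list.d/prosody.list
# the signing key is fetched with urllib2 (no curl/wget is assumed in the image) and handed
# to apt-key on stdin. NOTE(review): Python 2 before 2.7.9 does not verify TLS certificates,
# so confirm the base image's Python version; the key is also trusted exactly as downloaded,
# without a fingerprint check against the value published by prosody.im.
RUN python -c 'import urllib2;import subprocess as s;s.Popen(["apt-key","add","-"], stdin=s.PIPE).communicate(urllib2.urlopen("https://prosody.im/files/prosody-debian-packages.key").read())'
# and install prosody and apg (to generate passwords).
# update, install and clean happen in one layer: a separate "apt-get update" layer can be
# served from cache while the install runs against an outdated index, and the .deb cache
# removed by "apt-get clean" only stops taking space if it is removed in the layer that
# created it. Recommended packages and the package lists are deliberately left as they
# were, since derived images (sat_data) may install further packages.
RUN apt-get update \
    && apt-get install -y apg prosody-0.10 \
    && apt-get clean
# prosody needs to access (and write) certificates owned by the tls-cert group
RUN adduser prosody tls-cert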

###################
# PROSODY MODULES #
###################

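# community modules come from the prosody-modules repository; the revision can be pinned
# at build time (--build-arg PROSODY_MODULES_REV=<rev>) so that a rebuild does not silently
# pick up different module code. It defaults to tip (latest changeset), i.e. unpinned as before.
ARG PROSODY_MODULES_REV=tip
WORKDIR /tmp
# clone, copy the modules we need and delete the checkout in the SAME layer: a later
# "rm -rf" would leave the whole repository inside the image anyway
RUN hg clone -u "$PROSODY_MODULES_REV" https://hg.prosody.im/prosody-modules/ prosody-modules \
    && for mod in privilege delegation ipcheck http_upload; do \
           cp prosody-modules/mod_$mod/mod_$mod.lua /usr/lib/prosody/modules; \
       done \
    && rm -rf prosody-modules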

#################
# CONFIGURATION #
#################

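WORKDIR /etc/prosody
RUN mkdir -p prosody_sat_cfg
# we keep up-to-date configuration for this image on the repository; SAT_DOCS_REV lets a
# build pin the revision the file is taken from (--build-arg SAT_DOCS_REV=<rev>) instead of
# the moving "tip" (the default, which keeps the previous behaviour)
ARG SAT_DOCS_REV=tip
# NOTE(review): the file is downloaded with urllib2 because no curl/wget is assumed in the
# image; Python 2 before 2.7.9 does not verify TLS certificates, so confirm the base image's
# Python version. The file is closed explicitly so its content is flushed before the layer
# is committed instead of relying on interpreter shutdown.
RUN python -c 'import os,urllib2;f=open("prosody_sat_cfg/prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/"+os.environ["SAT_DOCS_REV"]+"/docker/prosody/prosody.cfg.lua").read());f.close()'
RUN ln -fs prosody_sat_cfg/prosody.cfg.lua prosody.cfg.lua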

###############
# CERTIFICATE #
###############

# Certificates live in /usr/share/sat/certificates (generated at first
# launch or mounted into the container), so the image itself must not
# carry any: the placeholder key and prosody's own certs directory
# content are dropped here.
RUN rm -f /etc/localhost.key && rm -rf /etc/prosody/certs/*

############################
# AUTOMATIC CONFIGURATION  #
############################

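# this script allows linked containers to call prosodyctl and to read configuration
# variables (the component secrets and the domain) over XML-RPC.
# - it listens on 0.0.0.0:9999 WITHOUT any authentication: every container that can reach
#   this port can run prosodyctl sub-commands and read the secrets, so the port must stay
#   on the private container network and never be published on a host interface
#   (it is intentionally not EXPOSEd)
# - prosodyctl is invoked as an argument list, never through a shell
# - when a password is given it is written twice on stdin (presumably the password prompt
#   and its confirmation — verify against prosodyctl)
# - the variable allow-list is enforced with an explicit check rather than "assert",
#   which is removed when Python runs with -O / PYTHONOPTIMIZE; a rejected name is
#   reported to the caller as an XML-RPC fault
# - the script runs as the unprivileged prosody user (see USER below)
RUN echo '#!/usr/bin/env python2\n\
import subprocess, SimpleXMLRPCServer, os\n\
def prosodyctl(command, profile, pwd):\n\
    process = subprocess.Popen(["prosodyctl", command, profile], stdin=subprocess.PIPE)\n\
    if pwd:\n\
        process.communicate("%s\\n%s"%(pwd,pwd))\n\
    return process.wait()\n\
def getenv(variable):\n\
    if variable not in ("SAT_PUBSUB_SECRET","SAT_SALUT_SECRET","DOMAIN"):\n\
        raise ValueError("variable not allowed: %r" % (variable,))\n\
    return os.getenv(variable)\n\
server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 9999))\n\
server.register_function(prosodyctl, "prosodyctl")\n\
server.register_function(getenv, "getenv")\n\
server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server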

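# the following script is used to automatically generate passwords for components and certificate
# - component secrets are random (apg) and handed to linked containers through container_server
# - DOMAIN defaults to libervia.int; it is quoted so that an empty or unusual value cannot
#   break the test
# - a self-signed certificate (5 years, rsa 4096) is created only when none exists in
#   /usr/share/sat/certificates, which is expected to come from the sat_data container
# - prosody is exec'ed so it replaces the shell as PID 1 and receives the stop signal sent
#   by "docker stop"; container_server stays a background child of it
RUN echo '#!/bin/sh\n\
export SAT_PUBSUB_SECRET=$(apg -n 1)\n\
export SAT_SALUT_SECRET=$(apg -n 1)\n\
if [ -z "$DOMAIN" ]; then\n\
    export DOMAIN="libervia.int"\n\
fi\n\
container_server&\n\
echo "domain used: $DOMAIN\n"\n\
if [ ! -f "/usr/share/sat/certificates/libervia.key" -o ! -f "/usr/share/sat/certificates/libervia.crt" ]; then\n\
    echo "No certificate found, we generate one"\n\
    openssl req -new -x509 -days 1825 -nodes -out "/usr/share/sat/certificates/libervia.crt"\
            -newkey rsa:4096 -keyout "/usr/share/sat/certificates/libervia.key" -subj "/C=AU/CN=$DOMAIN"\n\
fi\n\
exec /usr/bin/prosody "$@"' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody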

#########
# PORTS #
#########

# client to server (C2S) and server to server (S2S).
# EXPOSE only documents the ports, they still have to be published at run time.
EXPOSE 5222 5269

##########
# LAUNCH #
##########

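# prosody needs to access /var/run to write its pid; "&&" so a failed mkdir
# is not silently followed by a chown of nothing
RUN mkdir -p /var/run/prosody && chown prosody:adm /var/run/prosody

# everything from here on runs unprivileged: the wrapper, container_server and prosody itself
USER prosody

# "prosody" resolves to the wrapper written to /usr/local/bin (ahead of /usr/bin with the
# default PATH), which generates the secrets and certificate and then exec's the real daemon
ENTRYPOINT ["prosody"]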