# HG changeset patch
# User Goffi
# Date 1455813069 -3600
# Node ID bcba1966e6db2d7e6446814189f95ddcbe15f932
# Parent 8dc445c967e24d71184c35aeab07aef7c4724793
docker: certificate generation + various improvments:
- certificate is now auto-generated on first prosody launch is there is not already one
- certificate generated on build is removed to avoid image-wide certificate
- generated certificates are stored in sat_data
- data image is now based on prosody which is itslef based on sat_pubsub
- prosody configuration is moved to /etc/prosody/prosody_sat_cfg, and stored in sat_data
- building order changed to adapt to new images hierarchy
- libervia default configuration set to both without redirection (and with a security warning)

diff -r 8dc445c967e2 -r bcba1966e6db docker/data/Dockerfile
--- a/docker/data/Dockerfile Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/data/Dockerfile Thu Feb 18 17:31:09 2016 +0100
@@ -6,7 +6,7 @@
 # #
 ###############################################################
 
-FROM salutatoi/sat_pubsub:latest
+FROM salutatoi/prosody:latest
 
 MAINTAINER Goffi
 
@@ -14,17 +14,21 @@
 # VOLUMES #
 ###########
 
+USER root
+
 # sat user home, where most of config files and databases are located
 VOLUME ["/home/sat"]
 
 # Prosody
-# we need to use number instead of name as data doesn't known prosody user
-RUN mkdir -p /var/lib/prosody && chown 105:108 /var/lib/prosody && chmod 0750 /var/lib/prosody
 VOLUME ["/var/lib/prosody"]
+VOLUME ["/etc/prosody/prosody_sat_cfg"]
 
 # Postgres database, used in SàT PubSub
 VOLUME ["/var/lib/postgresql"]
 
+# TLS certificates
+VOLUME ["/usr/share/sat/certificates"]
+
 # Logs not shown directly with docker logs
 VOLUME ["/var/log"]
 
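Review bot: `VOLUME ["/usr/share/sat/certificates"]` is declared without creating the directory or setting its ownership and mode, so at runtime they are whatever the `salutatoi/prosody` base image leaves (root-owned and world-readable if the path has to be created by the VOLUME step); the prosody launch wrapper in this changeset writes the private key `libervia.key` there and the volume is shared with other containers, so the directory should not be world-readable. Unless the base image already does this, add before the VOLUME line `RUN mkdir -p /usr/share/sat/certificates && chown root:tls-cert /usr/share/sat/certificates && chmod 0750 /usr/share/sat/certificates`, `tls-cert` being the group the prosody image adds the prosody user to in this same changeset. The same question applies to `/etc/prosody/prosody_sat_cfg`, which now carries the prosody configuration. `USER root` is also left as the image's final user; with `ENTRYPOINT ["/bin/true"]` that is harmless, but a comment such as `# root so the volume mount points can be set up; this image only runs /bin/true` would record why it is acceptable here.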
@@ -33,10 +37,12 @@
 ##########
 
 WORKDIR /volumes
-RUN ln -s /home/sat sat
-RUN ln -s /var/lib/prosody prosody
-RUN ln -s /var/lib/postgresql postgresql
-RUN ln -s /var/log log
+RUN ln -s /home/sat sat && \
+ln -s /usr/share/sat/certificates certificates && \
+ln -s /var/lib/prosody prosody && \
+ln -s /etc/prosody/prosody_sat_cfg prosody_sat_cfg && \
+ln -s /var/lib/postgresql postgresql && \
+ln -s /var/log log
 
 VOLUME ["/volumes"]
 ENTRYPOINT ["/bin/true"]
diff -r 8dc445c967e2 -r bcba1966e6db docker/do_all.sh
--- a/docker/do_all.sh Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/do_all.sh Thu Feb 18 17:31:09 2016 +0100
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
 
-DIRS="base media sat_nomedia sat jp primitivus prosody sat_pubsub salut libervia data"
+DIRS="base media sat_nomedia sat jp primitivus sat_pubsub prosody salut libervia data"
 ACCOUNT="salutatoi"
 
 ori_dir=$(pwd)
diff -r 8dc445c967e2 -r bcba1966e6db docker/libervia/Dockerfile
--- a/docker/libervia/Dockerfile Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/libervia/Dockerfile Thu Feb 18 17:31:09 2016 +0100
@@ -49,6 +49,17 @@
 RUN rm -rf libervia
 
+#################
+# CONFIGURATION #
+#################
+
+# we want to use certificates in /usr/share/sat/certificates
+RUN echo "\n[libervia]\n\
+tls_private_key = /usr/share/sat/certificates/libervia.key\n\
+tls_certificate = /usr/share/sat/certificates/libervia.crt\n\
+connection_type = both\n\
+redirect_to_https = 0" >> /etc/sat.conf
 
 #####################
 # FIRST LAUNCH TEST #
 #####################
@@ -106,4 +117,3 @@
 USER sat
 
 ENTRYPOINT ["libervia_cont_launch", "fg"]
-CMD ["-t", "http"]
diff -r 8dc445c967e2 -r bcba1966e6db docker/prosody/Dockerfile
--- a/docker/prosody/Dockerfile Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/prosody/Dockerfile Thu Feb 18 17:31:09 2016 +0100
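Review bot: In the merged `RUN ln -s /home/sat sat && \` command the five continuation lines start at column 0, which makes them read as separate instructions at a glance; indent them under the first `ln -s` (e.g. `    ln -s /usr/share/sat/certificates certificates && \`) so the chain is visibly one RUN. The link targets are exactly the paths declared as VOLUME earlier in this file, so a one-line comment such as `# one symlink per declared volume, so everything is reachable under /volumes` would make the intent of the list explicit and flag that adding a VOLUME means adding a link here.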
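Review bot: The appended `[libervia]` block sets `connection_type = both` together with `redirect_to_https = 0`, so the image answers plain HTTP by default without redirecting, and logins and session cookies can travel unencrypted until the deployer edits the file; the commit message mentions a security warning, but nothing in the Dockerfile records it. Add above the RUN a comment such as `# default serves HTTP and HTTPS side by side with no redirection; set redirect_to_https = 1 (or connection_type = https) for any network-reachable deployment`. The `echo "\n[libervia]\n\...` form also depends on the image's `/bin/sh` echo expanding `\n` (dash does, bash's builtin does not without `-e`), so writing the same block with `printf`, using the text as its format string, would behave the same whichever shell backs `/bin/sh`. The TLS paths point into the `/usr/share/sat/certificates` volume, which presumably means this container depends on the prosody container (or the operator) having created `libervia.key`/`libervia.crt` there first; that ordering dependency belongs in the comment as well.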
@@ -6,7 +6,7 @@
 # #
 ###############################################################
 
-FROM salutatoi/base:latest
+FROM salutatoi/sat_pubsub:latest
 
 MAINTAINER Goffi
 
@@ -22,6 +22,8 @@
 # and install prosody and apg (to generate passwords)
 RUN apt-get install -y apg prosody-0.10
 RUN apt-get clean
+# prosody use need to access (and write) certificates
+RUN adduser prosody tls-cert
 
 ###################
 # PROSODY MODULES #
@@ -39,16 +41,19 @@
 #################
 
 WORKDIR /etc/prosody
+RUN mkdir prosody_sat_cfg
 # we keep up-to-date configuration for this image on the repository
-RUN python -c 'import urllib2;f=open("prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN python -c 'import urllib2;f=open("prosody_sat_cfg/prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN ln -fs prosody_sat_cfg/prosody.cfg.lua prosody.cfg.lua
 
 ###############
 # CERTIFICATE #
 ###############
 
-# We want to use the certificat in /usr/share/sat
-# but we do a link to be sure that there is a certificate
-RUN ln -s /etc/prosody/certs/localhost.key /usr/share/sat/libervia.key; ln -s /etc/prosody/certs/localhost.crt /usr/share/sat/libervia.crt
+# We want to use the certificates in /usr/share/sat/certificates
+# and we don't want any certificate in the image,
+# they'll be generated at launch or mounted in container
+RUN rm -rf /etc/localhost.key /etc/prosody/certs/*
 
 ############################
 # AUTOMATIC CONFIGURATION #
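Review bot: The comment on the new `RUN adduser prosody tls-cert` reads `# prosody use need to access (and write) certificates`; it should be `# prosody user needs to access (and write) certificates`. The "(and write)" part also deserves a justification in the comment: the certificate is generated by the `/usr/local/bin/prosody` wrapper later in this changeset, and whether that wrapper runs as root or as prosody is not visible in this diff; if it runs as root, the network-facing prosody daemon itself only needs to read the key and certificate, and the `tls-cert` membership together with the directory mode should be sized for reading only. Suggested wording: `# prosody user must read the TLS key/cert in /usr/share/sat/certificates (group tls-cert); write access is only needed if the launch wrapper that generates them runs as prosody`.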
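Review bot: `RUN rm -rf /etc/localhost.key /etc/prosody/certs/*` runs in its own layer, so the key and certificate that the prosody package install step leaves under `/etc/prosody/certs` (the removed `ln -s` lines relied on `localhost.key`/`localhost.crt` being there) stay in the earlier `RUN apt-get install -y apg prosody-0.10` layer and are recoverable from the exported image (`docker save`); the stated goal of keeping no certificate in the image therefore only holds for the running container's filesystem. To actually keep them out, delete them in the same RUN that installs the package, e.g. `RUN apt-get install -y apg prosody-0.10 && apt-get clean && rm -rf /etc/prosody/certs/*`, and drop this later `rm`. `/etc/localhost.key` is harmless if that file never exists (`rm -rf` ignores missing paths), but if it is a leftover from an older layout the comment should say so. Separately, the modified `RUN python -c '...urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/...")...'` still fetches the configuration from the unpinned `tip` revision with no integrity check, so builds are not reproducible and the image trusts whatever that URL serves at build time; pinning a changeset id in the URL, or copying the file from the build context, would address that.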
@@ -70,7 +75,7 @@
 server.register_function(getenv, "getenv")\n\
 server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server
 
-# the following script is used to automatically generate passwords for components
+# the following script is used to automatically generate passwords for components and certificate
 RUN echo '#!/bin/sh\n\
 export SAT_PUBSUB_SECRET=$(apg -n 1)\n\
 export SAT_SALUT_SECRET=$(apg -n 1)\n\
@@ -79,6 +84,11 @@
 fi\n\
 container_server&\n\
 echo "domain used: $DOMAIN\n"\n\
+if [ ! -f "/usr/share/sat/certificates/libervia.key" -o ! -f "/usr/share/sat/certificates/libervia.crt" ]; then\n\
+ echo "No certificate found, we generate one"\n\
+ openssl req -new -x509 -days 1825 -nodes -out "/usr/share/sat/certificates/libervia.crt"\
+ -newkey rsa:4096 -keyout "/usr/share/sat/certificates/libervia.key" -subj "/C=AU/CN=$DOMAIN"\n\
+fi\n\
 /usr/bin/prosody $@' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody
 
 #########
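Review bot: The exit status of the added `openssl req` call is ignored, so if key generation fails (volume not writable, `$DOMAIN` making an invalid `-subj`, openssl missing) the wrapper still goes on to start prosody with no usable TLS material; append `|| exit 1` to the openssl command (the `-out` line and the `-newkey` continuation are a single shell line, joined by the Dockerfile `\`). Depending on the OpenSSL release, `-keyout` may create `libervia.key` with the umask default (typically 0644) rather than 0600, and the file is shared with the libervia container through the volume, so follow the generation with `chmod 0640 "/usr/share/sat/certificates/libervia.key"\n\` (choosing the group to match whatever reads it; the prosody user is added to `tls-cert` in this changeset). `[ ... -o ... ]` is the XSI form of test; `if [ ! -f "$key" ] || [ ! -f "$crt" ]; then` is the portable spelling. The generated script continues outside this hunk: its `#!/bin/sh` header is in the previous hunk and the final `/usr/bin/prosody $@` line is pre-existing context.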