changeset 85:bcba1966e6db

docker: certificate generation + various improvements: - certificate is now auto-generated on first prosody launch if there is not already one - certificate generated on build is removed to avoid image-wide certificate - generated certificates are stored in sat_data - data image is now based on prosody which is itself based on sat_pubsub - prosody configuration is moved to /etc/prosody/prosody_sat_cfg, and stored in sat_data - building order changed to adapt to new images hierarchy - libervia default configuration set to both without redirection (and with a security warning)
author Goffi <goffi@goffi.org>
date Thu, 18 Feb 2016 17:31:09 +0100 (2016-02-18)
parents 8dc445c967e2
children f5067e3112ba
files docker/data/Dockerfile docker/do_all.sh docker/libervia/Dockerfile docker/prosody/Dockerfile
diffstat 4 files changed, 41 insertions(+), 15 deletions(-) [+]
--- a/docker/data/Dockerfile	Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/data/Dockerfile	Thu Feb 18 17:31:09 2016 +0100
@@ -6,7 +6,7 @@
 #                                                             #
 ###############################################################
 
-FROM salutatoi/sat_pubsub:latest
+FROM salutatoi/prosody:latest
 
 MAINTAINER Goffi <goffi@goffi.org>
 
@@ -14,17 +14,21 @@
 # VOLUMES #
 ###########
 
+USER root
+
 # sat user home, where most of config files and databases are located
 VOLUME ["/home/sat"]
 
 # Prosody
-# we need to use number instead of name as data doesn't known prosody user
-RUN mkdir -p /var/lib/prosody && chown 105:108 /var/lib/prosody && chmod 0750 /var/lib/prosody
 VOLUME ["/var/lib/prosody"]
+VOLUME ["/etc/prosody/prosody_sat_cfg"]
 
 # Postgres database, used in SàT PubSub
 VOLUME ["/var/lib/postgresql"]
 
+# TLS certificates
+VOLUME ["/usr/share/sat/certificates"]
+
 # Logs not shown directly with docker logs
 VOLUME ["/var/log"]
 
@@ -33,10 +37,12 @@
 ##########
 
 WORKDIR /volumes
-RUN ln -s /home/sat sat
-RUN ln -s /var/lib/prosody prosody
-RUN ln -s /var/lib/postgresql postgresql
-RUN ln -s /var/log log
+RUN ln -s /home/sat sat && \
+ln -s /usr/share/sat/certificates certificates && \
+ln -s /var/lib/prosody prosody && \
+ln -s /etc/prosody/prosody_sat_cfg prosody_sat_cfg && \
+ln -s /var/lib/postgresql postgresql && \
+ln -s /var/log log
 VOLUME ["/volumes"]
 
 ENTRYPOINT ["/bin/true"]
--- a/docker/do_all.sh	Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/do_all.sh	Thu Feb 18 17:31:09 2016 +0100
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-DIRS="base media sat_nomedia sat jp primitivus prosody sat_pubsub salut libervia data"
+DIRS="base media sat_nomedia sat jp primitivus sat_pubsub prosody salut libervia data"
 ACCOUNT="salutatoi"
 
 ori_dir=$(pwd)
--- a/docker/libervia/Dockerfile	Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/libervia/Dockerfile	Thu Feb 18 17:31:09 2016 +0100
@@ -49,6 +49,17 @@
 
 RUN rm -rf libervia
 
+#################
+# CONFIGURATION #
+#################
+
+# we want to use certificates in /usr/share/sat/certificates
+RUN echo "\n[libervia]\n\
+tls_private_key = /usr/share/sat/certificates/libervia.key\n\
+tls_certificate = /usr/share/sat/certificates/libervia.crt\n\
+connection_type = both\n\
+redirect_to_https = 0" >> /etc/sat.conf
+
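Review bot: The appended `[libervia]` section makes the web frontend read `/usr/share/sat/certificates/libervia.key`, but libervia runs as `sat` (see `USER sat` further down) while the key is produced in the prosody image by a process that is given the `tls-cert` group, and nothing here grants `sat` that group or any other read path to the key. Either the key must be left world-readable for this to work, which it should not be, or libervia will fail to bring up HTTPS; I would add `RUN adduser sat tls-cert` here (assuming the group exists in the base image) and keep the key at mode 0640. `connection_type = both` with `redirect_to_https = 0` deliberately serves the UI over plain HTTP as well; the commit message mentions a security warning, so a comment above these lines such as `# dev default: plain HTTP is served alongside HTTPS; set redirect_to_https = 1 (or connection_type = https) for anything reachable from an untrusted network` would document the intent for anyone reusing the image. Note also that `>>` appends unconditionally, so if the `/etc/sat.conf` inherited from the base image already carries a `[libervia]` section this produces a duplicate section whose precedence depends on the config parser.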
 #####################
 # FIRST LAUNCH TEST #
 #####################
@@ -106,4 +117,3 @@
 USER sat
 
 ENTRYPOINT ["libervia_cont_launch", "fg"]
-CMD ["-t", "http"]
--- a/docker/prosody/Dockerfile	Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/prosody/Dockerfile	Thu Feb 18 17:31:09 2016 +0100
@@ -6,7 +6,7 @@
 #                                                             #
 ###############################################################
 
-FROM salutatoi/base:latest
+FROM salutatoi/sat_pubsub:latest
 
 MAINTAINER Goffi <goffi@goffi.org>
 
@@ -22,6 +22,8 @@
 # and install prosody and apg (to generate passwords)
 RUN apt-get install -y apg prosody-0.10
 RUN apt-get clean
+# prosody use need to access (and write) certificates
+RUN adduser prosody tls-cert
 
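Review bot: `adduser prosody tls-cert` aborts the build if the `tls-cert` group is not present in the base image, and nothing in this hunk creates it; if it is expected from `salutatoi/sat_pubsub`, a comment saying so saves the next reader a trip through the image chain, otherwise `RUN getent group tls-cert || addgroup --system tls-cert` before it makes the step self-contained. The comment above it also has a typo; I would write `# the prosody user needs to read (and, for launch-time generation, write) the certificates in /usr/share/sat/certificates`. Granting write access through group membership means a compromised prosody process can replace the key pair that libervia also reads from the same paths, so it is worth stating in the comment that this is a trade-off accepted for auto-generation.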
 ###################
 # PROSODY MODULES #
@@ -39,16 +41,19 @@
 #################
 
 WORKDIR /etc/prosody
+RUN mkdir prosody_sat_cfg
 # we keep up-to-date configuration for this image on the repository
-RUN python -c 'import urllib2;f=open("prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN python -c 'import urllib2;f=open("prosody_sat_cfg/prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN ln -fs prosody_sat_cfg/prosody.cfg.lua prosody.cfg.lua
 
 ###############
 # CERTIFICATE #
 ###############
 
-# We want to use the certificat in /usr/share/sat
-# but we do a link to be sure that there is a certificate
-RUN ln -s /etc/prosody/certs/localhost.key /usr/share/sat/libervia.key; ln -s /etc/prosody/certs/localhost.crt /usr/share/sat/libervia.crt
+# We want to use the certificates in /usr/share/sat/certificates
+# and we don't want any certificate in the image,
+# they'll be generated at launch or mounted in container
+RUN rm -rf /etc/localhost.key /etc/prosody/certs/*
 
 ############################
 # AUTOMATIC CONFIGURATION  #
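Review bot: `rm -rf /etc/localhost.key /etc/prosody/certs/*` runs in its own layer, after the package install at the top of the file that apparently created `/etc/prosody/certs/localhost.key` (the old line symlinked to it), so that key remains in the earlier layer and is still extractable from the published image with `docker save`; the commit's stated goal of having no certificate baked into the image is not met by this line. The removal has to happen in the same `RUN` as the install, e.g. `RUN apt-get install -y apg prosody-0.10 && rm -rf /etc/prosody/certs/* && apt-get clean`, or the package's certificate generation has to be prevented. Separately, the prosody configuration is fetched at build time from `raw-file/tip` of a remote repository with no changeset pinned and no digest check, so every build silently picks up whatever is at tip and whoever controls that host or path controls the XMPP server's configuration; pin a changeset in the URL and verify a sha256 after download, or `COPY` the file from the build context. Whether `urllib2` even verifies the TLS certificate here depends on the Python 2.7 release in the base image (older ones do not), which makes the pin and checksum more than a reproducibility concern.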
@@ -70,7 +75,7 @@
 server.register_function(getenv, "getenv")\n\
 server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server
 
-# the following script is used to automatically generate passwords for components
+# the following script is used to automatically generate passwords for components and certificate
 RUN echo '#!/bin/sh\n\
 export SAT_PUBSUB_SECRET=$(apg -n 1)\n\
 export SAT_SALUT_SECRET=$(apg -n 1)\n\
@@ -79,6 +84,11 @@
 fi\n\
 container_server&\n\
 echo "domain used: $DOMAIN\n"\n\
+if [ ! -f "/usr/share/sat/certificates/libervia.key" -o ! -f "/usr/share/sat/certificates/libervia.crt" ]; then\n\
+	echo "No certificate found, we generate one"\n\
+    openssl req -new -x509 -days 1825 -nodes -out "/usr/share/sat/certificates/libervia.crt"\
+            -newkey rsa:4096 -keyout "/usr/share/sat/certificates/libervia.key" -subj "/C=AU/CN=$DOMAIN"\n\
+fi\n\
 /usr/bin/prosody $@' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody
 
 #########
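Review bot: The generated private key is written with whatever mode the installed `openssl` applies to `-keyout` files (OpenSSL 1.0.x writes them under the process umask, typically 0644) and the script never restricts it, so the key shared by prosody and libervia may end up world-readable inside the certificates volume. I would set `umask 077` at the top of the `if` block and then explicitly hand the key to the group the two consumers share, e.g. `chgrp tls-cert "/usr/share/sat/certificates/libervia.key" && chmod 0640 "/usr/share/sat/certificates/libervia.key"`, which works whether the launcher runs as root or as the `prosody` user that was added to `tls-cert`. `$DOMAIN` is interpolated into `-subj` without validation, so an empty value or one containing `/` yields a certificate with an empty or broken CN; a guard such as `[ -n "$DOMAIN" ] || { echo "DOMAIN is not set, cannot generate a certificate"; exit 1; }` before the `openssl` call fails early instead. The message printed is also worth making explicit about the result being self-signed, e.g. `echo "No certificate found, generating a self-signed one for $DOMAIN (clients will not trust it)"`, and the block mixes a tab with spaces for indentation.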