From f0610dfd7537c878dbcab1c98cb41ed578fb09f3 Mon Sep 17 00:00:00 2001
From: "Daniel, Dao Quang Minh"
Date: Fri, 7 Oct 2016 18:14:46 +0100
Subject: [PATCH] make docker: build a docker image for redoctober (#159)
* make docker: build a docker image for redoctober
* add a convenient entrypoint to generate certificates out of the box
* add detection based on RO_CERTS and RO_KEYS instead of detection based on the presence of RO_DATA, add RO_CERTS and RO_KEYS which are paths to the ceritificates and keys so we can generate them more effectively.
Signed-off-by: Daniel Dao
* dockerfile: bump golang to 1.7.1
---
 .dockerignore | 3 +++
 Dockerfile | 24 ++++++++++++++++++++++++
 Makefile | 4 ++++
 scripts/docker-entrypoint.sh | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 Makefile
 create mode 100755 scripts/docker-entrypoint.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..63e7a8d
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+Dockerfile
+.gitignore
+.travis.yml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..78c0588
--- /dev/null
+++ b/Dockerfile
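Review bot: `.git` is missing from the new .dockerignore, so the Dockerfile's `COPY . /go/src/github.com/cloudflare/redoctober` ships the full repository history (and any untracked local files in the checkout) into the image and re-invalidates that layer on every commit. Add `.git` to the list; `scripts/` must stay included because the image's ENTRYPOINT points at `scripts/docker-entrypoint.sh` inside the copied tree.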
@@ -0,0 +1,24 @@
+FROM golang:1.7.1
+
+RUN groupadd -r redoctober --gid=999 && useradd -r -g redoctober --uid=999 redoctober
+
+# grab openssl for generating certs and runit for chpst
+RUN apt-get update && \
+ apt-get install -y openssl runit
+
+COPY . /go/src/github.com/cloudflare/redoctober
+RUN go install github.com/cloudflare/redoctober
+
+EXPOSE 8080 8081
+ENV RO_CERTS=/var/lib/redoctober/data/server.crt \
+ RO_KEYS=/var/lib/redoctober/data/server.pem \
+ RO_DATA=/var/lib/redoctober/data \
+ RO_CERTPASSWD=password \
+ RO_COMMONNAME=localhost
+
+ENTRYPOINT ["/go/src/github.com/cloudflare/redoctober/scripts/docker-entrypoint.sh"]
+CMD ["redoctober", \
+ "-addr=:8080", \
+ "-vaultpath=/var/lib/redoctober/data/diskrecord.json", \
+ "-certs=/var/lib/redoctober/data/server.crt", \
+ "-keys=/var/lib/redoctober/data/server.pem"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..ec136cc
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+.PHONY: docker
+docker:
+ @docker build -t cloudflare/redoctober:$(shell git rev-parse --short HEAD) .
+ @docker tag cloudflare/redoctober:$(shell git rev-parse --short HEAD) cloudflare/redoctober:latest
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
new file mode 100755
index 0000000..68de57b
--- /dev/null
+++ b/scripts/docker-entrypoint.sh
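Review bot: The certificate and key paths are declared twice and can drift: `ENV RO_CERTS`/`RO_KEYS` decide where the entrypoint generates files, while `CMD` hard-codes `-certs=/var/lib/redoctober/data/server.crt` and `-keys=/var/lib/redoctober/data/server.pem`, and exec-form CMD does no variable expansion, so overriding `RO_CERTS` at run time yields a certificate generated at one path and a server reading another. At minimum add above the ENV block `# RO_CERTS/RO_KEYS must match the -certs/-keys flags in CMD below (exec-form CMD does not expand env vars)`; better, let the entrypoint pass `-certs="$RO_CERTS" -keys="$RO_KEYS"` itself. `RO_CERTPASSWD=password` persists into every container's environment (visible via `docker inspect`) even though the entrypoint strips the passphrase from the key immediately after generating it, so it protects nothing and should be removed together with that encrypt-then-strip step. The apt layer should also use `apt-get install -y --no-install-recommends openssl runit && rm -rf /var/lib/apt/lists/*` so the package index is not baked into the image, and note that there is no `USER` instruction: the container stays root unless `$1` is exactly `redoctober`, because the privilege drop lives in the entrypoint's `chpst -u redoctober` branch.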
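Review bot: `$(shell git rev-parse --short HEAD)` is evaluated twice inside the `docker` recipe; hoist it into `TAG := $(shell git rev-parse --short HEAD)` and use `$(TAG)` on both lines so the shell-out runs once and the build and tag commands cannot disagree. Re-tagging `cloudflare/redoctober:latest` unconditionally means a build from any feature branch overwrites the local `latest`; consider making the second tag a separate target or guarding it on the branch.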
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+# if we are not bind mounting in certs or the user has not already generated certs
+# create self-signed certs
+if [ ! -f $RO_CERTS ] || [ ! -f $RO_KEYS ]; then
+ mkdir -p $RO_DATA
+ chmod 700 $RO_DATA
+ chown -R redoctober:redoctober $RO_DATA
+
+ # Generate private key with password "$RO_CERTPASSWD"
+ openssl genrsa -aes128 -passout pass:$RO_CERTPASSWD -out $RO_KEYS 2048
+ # Remove password from private key
+ openssl rsa -passin pass:$RO_CERTPASSWD -in $RO_KEYS -out $RO_KEYS
+ # Generate CSR (make sure the common name CN field matches your server
+ # address. It's set to "RO_COMMONNAME" environment variable here.)
+ openssl req -new -key $RO_KEYS -out $RO_DATA/server.csr -subj "/C=US/ST=California/L=Everywhere/CN=${RO_COMMONNAME}"
+ # Sign the CSR and create certificate
+ openssl x509 -req -days 365 -in $RO_DATA/server.csr -signkey $RO_KEYS -out $RO_CERTS
+
+ # Clean up
+ rm $RO_DATA/server.csr
+ chmod 600 $RO_CERTS $RO_KEYS
+ chown -R redoctober $RO_CERTS $RO_KEYS
+
+ echo
+ echo "Generated default certificates for RedOctobeer at $RO_CERTS and $RO_KEYS"
+ echo
+fi
+
+if [ "$1" = 'redoctober' ]; then
+ exec chpst -u redoctober "$@"
+fi
+
+exec "$@"
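Review bot: Every `$RO_CERTS`/`$RO_KEYS`/`$RO_DATA` expansion in the generation block is unquoted, so a path with spaces or glob characters is split, and with `RO_CERTS` unset the guard `[ ! -f $RO_CERTS ]` degrades to `[ ! -f ]`, which is false, so nothing is generated and the server is started with an empty `-certs`; quote each expansion (`"$RO_CERTS"`). The `openssl genrsa -aes128 -passout pass:$RO_CERTPASSWD` followed by `openssl rsa -passin … -in $RO_KEYS -out $RO_KEYS` encrypts the key only to strip the passphrase on the next line, so the passphrase gives no protection at rest and merely surfaces in process listings and the image environment; generate the key unencrypted with `openssl genrsa -out "$RO_KEYS" 2048` and retire `RO_CERTPASSWD`. The key and certificate are also written under the inherited umask and only tightened to 600 afterwards, which matters whenever `RO_KEYS` points outside the 700 `RO_DATA` directory; a `umask 077` at the top of the block closes that window (it is inherited by the `exec` below, so reset it before the exec if the server must keep the default). The `-days 365` lifetime of the self-signed certificate deserves a comment, and the echo should read `RedOctober`.
```shell
# … unchanged: shebang, set -e, header comment …
if [ ! -f "$RO_CERTS" ] || [ ! -f "$RO_KEYS" ]; then
  # key and cert are created under this umask before the explicit chmod 600,
  # so there is no world-readable window; the exec'd server inherits it
  umask 077
  mkdir -p "$RO_DATA"
  chmod 700 "$RO_DATA"
  chown -R redoctober:redoctober "$RO_DATA"

  # Generate the private key unencrypted: encrypting with $RO_CERTPASSWD and
  # stripping the passphrase on the next line protected nothing at rest.
  openssl genrsa -out "$RO_KEYS" 2048
  # … unchanged: CSR generation, self-signing (-days 365), cleanup, chmod/chown,
  #   echo — with every $RO_KEYS/$RO_CERTS/$RO_DATA expansion quoted …
fi
# … unchanged: chpst privilege drop and exec "$@" …
```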