
Closes #21

Proof of Concept for dockerising the server component including work
to integrate with kubernetes, gitlab and docker hub.
bugfix
Gareth @ BrassHornComms Gogs 1 year ago
parent
commit
1001dbb3fe
5 changed files with 239 additions and 0 deletions
  1. +74
    -0
      .gitlab-ci.yml
  2. +80
    -0
      Dockerfile
  3. +23
    -0
      k8s/cwtch.yml
  4. +33
    -0
      server/docker/docker-entrypoint
  5. +29
    -0
      server/docker/torrc

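--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,74 @@
+image: golang:latest
+
+#before_script:
+
+stages:
+- test
+- docker-push
+- deploy-staging
+
+test-server:
+stage: test
+script:
+- mkdir /go/src/cwtch.im
+- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
+- cd /go/src/cwtch.im/cwtch/server/app/
+- go get
+- go tool vet -composites=false -shadow=true *.go
+- go test
+
+test-client:
+stage: test
+script:
+- mkdir /go/src/cwtch.im
+- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
+- cd /go/src/cwtch.im/cwtch/app/cli/
+- go get
+- go tool vet -composites=false -shadow=true *.go
+- go test
+# We don't really care about the client here but it's useful to know what;s
+# happening on t'other side of the coin
+allow_failure: true
+
+
+gitlab-registry:
+stage: docker-push
+#only:
+# - master
+image: docker:latest
+services:
+- docker:dind
+tags:
+script:
+- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN ${CI_REGISTRY}
+- docker build -t ${CI_REGISTRY_IMAGE}:latest -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8} .
+- docker push ${CI_REGISTRY_IMAGE}:latest
+- docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8}
+dependencies:
+- test-server
+
+docker-hub:
+stage: docker-push
+image: docker:latest
+services:
+- docker:dind
+tags:
+script:
+- docker login -u ${DOCKER_HUB_ID} -p ${DOCKER_HUB_PASSWORD} registry.hub.docker.com
+- docker build -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8} .
+- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest
+- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8}
+dependencies:
+- test-server
+
+
+push-to-staging:
+stage: deploy-staging
+#only:
+# - master
+tags:
+- kube
+script:
+/usr/bin/sed "s/TAGNAME/${CI_COMMIT_SHA:0:8}/" k8s/cwtch.yml | /usr/bin/kubectl apply -f -
+environment:
+name: staging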
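Review bot: The `docker-hub` job passes the registry password on the command line in `docker login -u ${DOCKER_HUB_ID} -p ${DOCKER_HUB_PASSWORD} registry.hub.docker.com`, where it is visible in the runner's process list and can land in the job log if the runner echoes commands; the same applies to `-p $CI_JOB_TOKEN` in `gitlab-registry`. Pipe the secret instead: `echo "${DOCKER_HUB_PASSWORD}" | docker login -u "${DOCKER_HUB_ID}" --password-stdin registry.hub.docker.com` and `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin ${CI_REGISTRY}`. Separately, the `only: - master` restriction is commented out on `gitlab-registry` and `push-to-staging` and absent from `docker-hub`, so a push to any branch overwrites the public `:latest` tag on both registries and redeploys staging; gating the `docker-push` and `deploy-staging` stages on `master` or a protected tag closes that. The bare `tags:` keys in both docker-push jobs parse as null and should be removed or populated.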

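--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,80 @@
+FROM golang as server-build-stage
+ENV CGO_ENABLED=0 GOOS=linux
+
+WORKDIR /go/src/cwtch.im/cwtch
+COPY . .
+
+RUN go get -d -v ./...
+#RUN go install -v ./...
+WORKDIR /go/src/cwtch.im/cwtch/server/app/
+RUN go build -ldflags "-extldflags '-static'"
+
+
+
+#----------------------------------------------
+FROM alpine:latest as tor-build-stage
+
+# Install prerequisites
+RUN apk --no-cache add --update \
+gnupg \
+build-base \
+libevent \
+libevent-dev \
+libressl \
+libressl-dev \
+xz-libs \
+xz-dev \
+zlib \
+zlib-dev \
+zstd \
+zstd-dev \
+#&& wget -q https://www.torproject.org/dist/tor-0.3.4.8.tar.gz \
+&& wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz \
+&& tar xf tor-0.3.5.2-alpha.tar.gz \
+&& cd tor-0.3.5.2-alpha \
+&& ./configure \
+&& make install \
+&& ls -R /usr/local/
+
+FROM alpine:latest
+MAINTAINER Ablative Hosting <support@ablative.hosting>
+
+#BSD habits die hard
+ENV TOR_USER=_tor
+
+# Installing dependencies of Tor and pwgen
+RUN apk --no-cache add --update \
+libevent \
+libressl \
+xz-libs \
+zlib \
+zstd \
+zstd-dev \
+pwgen
+
+# Copy Tor
+COPY --from=tor-build-stage /usr/local/ /usr/local/
+
+# Create an unprivileged tor user
+#RUN addgroup -g 19001 -S $TOR_USER && adduser -u 19001 -G $TOR_USER -S $TOR_USER
+RUN addgroup -S $TOR_USER && adduser -G $TOR_USER -S $TOR_USER && adduser -G _tor -S cwtchd
+
+# Copy Tor configuration file
+COPY ./server/docker/torrc /etc/tor/torrc
+
+# Copy docker-entrypoint
+COPY ./server/docker/docker-entrypoint /usr/local/bin/
+
+# Copy across cwtch
+COPY --from=server-build-stage /go/src/cwtch.im/cwtch/server/app/app /usr/local/bin/cwtch_server
+
+# Persist data
+VOLUME /etc/tor /var/lib/tor
+
+ENTRYPOINT ["docker-entrypoint"]
+
+#cwtchd is in the _tor group so can access the socket but that's it
+#USER cwtchd
+
+#Launches the cwtchd daemon
+CMD ["/usr/local/bin/cwtch_server"]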
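Review bot: The `tor-build-stage` fetches `tor-0.3.5.2-alpha.tar.gz` with `wget -q` and compiles it with no integrity check at all, even though `gnupg` is installed in that stage and never used; a tampered download at that point yields a backdoored Tor that every later layer and every CI-published image trusts. At minimum also fetch the detached signature, `&& wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz.asc \`, import the Tor release-signing key by a fingerprint pinned in the Dockerfile, and fail the build on `&& gpg --verify tor-0.3.5.2-alpha.tar.gz.asc tor-0.3.5.2-alpha.tar.gz \` before the `tar xf`; pinning the tarball's sha256 and checking it with `sha256sum -c` is a simpler alternative. The commented-out line shows the stable `tor-0.3.4.8` was swapped for an alpha, and the unpinned `golang` and `alpine:latest` base images make the result non-reproducible, which matters for an image CI pushes to Docker Hub. The runtime stage does not need `zstd-dev`, and `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`.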

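--- a/k8s/cwtch.yml
+++ b/k8s/cwtch.yml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: cwtch
+labels:
+app: cwtch
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: cwtch
+template:
+metadata:
+labels:
+app: cwtch
+spec:
+containers:
+- name: cwtch
+image: registry.gitlab.com/brasshorncomms/cwtch:TAGNAME
+ports:
+env:
+imagePullSecrets:
+- name: gitlab-pull-secret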
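Review bot: The container spec sets no `securityContext`, and because the image's `USER cwtchd` line is commented out in the Dockerfile the pod runs both the Tor launcher and `cwtch_server` as root with nothing at the cluster level to object; once the entrypoint drops privileges, `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` plus `resources` limits belong on the `cwtch` container so the policy is enforced outside the image. The bare `ports:` and `env:` keys parse as null values and should be removed or populated. The Dockerfile declares `VOLUME /etc/tor /var/lib/tor` but this Deployment mounts nothing there, so Tor's `DataDirectory` lives on ephemeral container storage and is lost on every reschedule; if the server's onion key is stored under that directory (not visible in this commit), the service identity changes each restart and `/var/lib/tor` needs a PersistentVolumeClaim.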

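--- a/server/docker/docker-entrypoint
+++ b/server/docker/docker-entrypoint
@@ -0,0 +1,33 @@
+#!/bin/sh
+set -o errexit
+
+chmod_files() { find $2 -type f -exec chmod -v $1 {} \;
+}
+chmod_dirs() { find $2 -type d -exec chmod -v $1 {} \;
+}
+
+mkdir /run/tor/
+chown ${TOR_USER}:${TOR_USER} /run/tor/
+chmod 770 /run/tor
+
+chown -Rv ${TOR_USER}:${TOR_USER} /var/lib/tor
+chmod_dirs 700 /var/lib/tor
+chmod_files 600 /var/lib/tor
+
+echo -e "\n========================================================"
+# Display OS version, Tor version & torrc in log
+echo -e "Alpine Version: \c" && cat /etc/alpine-release
+tor --version
+#cat /etc/tor/torrc
+echo -e "========================================================\n"
+
+tor -f /etc/tor/torrc
+
+#Cwtch will crash and burn if 9051 isn't ready
+sleep 15
+
+#Run cwtch (or whatever the user passed)
+exec "$@"
+#$@
+
+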
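Review bot: The script runs as root (it has to, for `mkdir /run/tor/` and the `chown` calls) and then `exec "$@"` starts `cwtch_server` as root too, because the `USER cwtchd` directive in the Dockerfile is commented out; the `cwtchd` account in the `_tor` group exists precisely so the server can reach the control socket without root. Drop privileges at the exec with `su-exec` from Alpine's repositories (add `su-exec` to the runtime stage's `apk add` list), so only the setup steps run privileged. The fixed `sleep 15` is also a race in both directions — Tor may not have the control port up yet on a slow node, or may already have died — so poll the listener with busybox `nc` and give up after a bound instead.

```sh
# … unchanged: /run/tor and /var/lib/tor ownership setup, version banner …
tor -f /etc/tor/torrc

# Wait for Tor's control port rather than sleeping a fixed 15s; fail if it never appears.
i=0
until nc -z 127.0.0.1 9051; do
  i=$((i + 1))
  if [ "$i" -ge 30 ]; then
    echo "tor control port on 127.0.0.1:9051 never came up" >&2
    exit 1
  fi
  sleep 1
done

# Run cwtch (or whatever the user passed) as the unprivileged account.
exec su-exec cwtchd "$@"
```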

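--- a/server/docker/torrc
+++ b/server/docker/torrc
@@ -0,0 +1,29 @@
+User _tor
+DataDirectory /var/lib/tor
+
+#Nickname ContainedOnion
+#ContactInfo support@ablative.hosting
+ORPort 0
+ExitRelay 0
+IPv6Exit 0
+
+#We need this running in the background as the server doesn't launch it itself
+RunAsDaemon 1
+
+ClientOnly 1
+SocksPort 9050
+
+ControlPort 9051
+ControlSocket /run/tor/control
+ControlSocketsGroupWritable 1
+CookieAuthentication 1
+CookieAuthFile /run/tor/control.authcookie
+CookieAuthFileGroupReadable 1
+#HashedControlPassword 16:B4C8EE980C085EE460AEA9094350DAA9C2B5F841400E9BBA247368400A
+
+# Run as a relay only (change policy to enable exit node)
+ExitPolicy reject *:* # no exits allowed
+ExitPolicy reject6 *:*
+
+# Additional config built by the entrypoint will go here
+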
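Review bot: The comment `# Run as a relay only (change policy to enable exit node)` and the two `ExitPolicy` lines describe a relay, but with `ORPort 0` and `ClientOnly 1` this instance never accepts relayed traffic, so the policy lines are dead configuration and the comment will mislead the next editor; replace the three lines with `# Client-only instance: ORPort 0 means no relaying and no exits are possible` or drop them. `ControlPort 9051` is a TCP control listener on top of `ControlSocket /run/tor/control`; the entrypoint's comment suggests the server needs 9051 so it should stay, but note that with `CookieAuthFileGroupReadable 1` anything in the `_tor` group that can reach loopback gets full control of Tor (including reconfiguration), which is the intended boundary for `cwtchd` and should be granted to nothing else. The commented-out `HashedControlPassword` hash should not be committed if it was derived from a password used anywhere else, since the S2K hash it uses can be cracked offline.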
