From 1001dbb3feb83e540d240b6a20257796bc75625b Mon Sep 17 00:00:00 2001 From: Gareth Llewellyn Date: Wed, 10 Oct 2018 22:35:45 +0100 Subject: [PATCH] Closes #21 Proof of Concept for dockerising the server component including work to integrate with kubernetes, gitlab and docker hub. --- .gitlab-ci.yml | 74 ++++++++++++++++++++++++++++++ Dockerfile | 80 +++++++++++++++++++++++++++++++++ k8s/cwtch.yml | 23 ++++++++++ server/docker/docker-entrypoint | 33 ++++++++++++++ server/docker/torrc | 29 ++++++++++++ 5 files changed, 239 insertions(+) create mode 100644 .gitlab-ci.yml create mode 100644 Dockerfile create mode 100644 k8s/cwtch.yml create mode 100755 server/docker/docker-entrypoint create mode 100644 server/docker/torrc
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..becda7e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,74 @@
+image: golang:latest
+
+#before_script:
+
+stages:
+ - test
+ - docker-push
+ - deploy-staging
+
+test-server:
+ stage: test
+ script:
+ - mkdir /go/src/cwtch.im
+ - ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
+ - cd /go/src/cwtch.im/cwtch/server/app/
+ - go get
+ - go tool vet -composites=false -shadow=true *.go
+ - go test
+
+test-client:
+ stage: test
+ script:
+ - mkdir /go/src/cwtch.im
+ - ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
+ - cd /go/src/cwtch.im/cwtch/app/cli/
+ - go get
+ - go tool vet -composites=false -shadow=true *.go
+ - go test
+ # We don't really care about the client here but it's useful to know what;s
+ # happening on t'other side of the coin
+ allow_failure: true
+
+
+gitlab-registry:
+ stage: docker-push
+ #only:
+ # - master
+ image: docker:latest
+ services:
+ - docker:dind
+ tags:
+ script:
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN ${CI_REGISTRY}
+ - docker build -t ${CI_REGISTRY_IMAGE}:latest -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8} .
+ - docker push ${CI_REGISTRY_IMAGE}:latest
+ - docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8}
+ dependencies:
+ - test-server
+
+docker-hub:
+ stage: docker-push
+ image: docker:latest
+ services:
+ - docker:dind
+ tags:
+ script:
+ - docker login -u ${DOCKER_HUB_ID} -p ${DOCKER_HUB_PASSWORD} registry.hub.docker.com
+ - docker build -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8} .
+ - docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest
+ - docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8}
+ dependencies:
+ - test-server
+
+
+push-to-staging:
+ stage: deploy-staging
+ #only:
+ # - master
+ tags:
+ - kube
+ script:
+ /usr/bin/sed "s/TAGNAME/${CI_COMMIT_SHA:0:8}/" k8s/cwtch.yml | /usr/bin/kubectl apply -f -
+ environment:
+ name: staging
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a8199fc
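Review bot: Both `docker login` lines, in gitlab-registry and in docker-hub, hand the credential over with `-p`, which puts `$CI_JOB_TOKEN` and `${DOCKER_HUB_PASSWORD}` on the command line where the job's process list and, depending on runner log masking, the job log can expose them; read the secret from stdin instead, e.g. `echo "${DOCKER_HUB_PASSWORD}" | docker login -u "${DOCKER_HUB_ID}" --password-stdin registry.hub.docker.com`, and the same with `$CI_JOB_TOKEN` for `${CI_REGISTRY}`. The `#only: / # - master` stanzas are commented out in gitlab-registry and push-to-staging, so as written a push to any branch overwrites the `:latest` tags and is applied to the staging cluster; if that is intended for the proof of concept, a comment saying so would stop a later reader from treating it as an oversight. `image: golang:latest` and `docker:latest` are unpinned, so test and build results will drift with upstream releases.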
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,80 @@
+FROM golang as server-build-stage
+ENV CGO_ENABLED=0 GOOS=linux
+
+WORKDIR /go/src/cwtch.im/cwtch
+COPY . .
+
+RUN go get -d -v ./...
+#RUN go install -v ./...
+WORKDIR /go/src/cwtch.im/cwtch/server/app/
+RUN go build -ldflags "-extldflags '-static'"
+
+
+
+#----------------------------------------------
+FROM alpine:latest as tor-build-stage
+
+# Install prerequisites
+RUN apk --no-cache add --update \
+ gnupg \
+ build-base \
+ libevent \
+ libevent-dev \
+ libressl \
+ libressl-dev \
+ xz-libs \
+ xz-dev \
+ zlib \
+ zlib-dev \
+ zstd \
+ zstd-dev \
+ #&& wget -q https://www.torproject.org/dist/tor-0.3.4.8.tar.gz \
+ && wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz \
+ && tar xf tor-0.3.5.2-alpha.tar.gz \
+ && cd tor-0.3.5.2-alpha \
+ && ./configure \
+ && make install \
+ && ls -R /usr/local/
+
+FROM alpine:latest
+MAINTAINER Ablative Hosting
+
+#BSD habits die hard
+ENV TOR_USER=_tor
+
+# Installing dependencies of Tor and pwgen
+RUN apk --no-cache add --update \
+ libevent \
+ libressl \
+ xz-libs \
+ zlib \
+ zstd \
+ zstd-dev \
+ pwgen
+
+# Copy Tor
+COPY --from=tor-build-stage /usr/local/ /usr/local/
+
+# Create an unprivileged tor user
+#RUN addgroup -g 19001 -S $TOR_USER && adduser -u 19001 -G $TOR_USER -S $TOR_USER
+RUN addgroup -S $TOR_USER && adduser -G $TOR_USER -S $TOR_USER && adduser -G _tor -S cwtchd
+
+# Copy Tor configuration file
+COPY ./server/docker/torrc /etc/tor/torrc
+
+# Copy docker-entrypoint
+COPY ./server/docker/docker-entrypoint /usr/local/bin/
+
+# Copy across cwtch
+COPY --from=server-build-stage /go/src/cwtch.im/cwtch/server/app/app /usr/local/bin/cwtch_server
+
+# Persist data
+VOLUME /etc/tor /var/lib/tor
+
+ENTRYPOINT ["docker-entrypoint"]
+
+#cwtchd is in the _tor group so can access the socket but that's it
+#USER cwtchd
+
+#Launches the cwtchd daemon
+CMD ["/usr/local/bin/cwtch_server"]
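Review bot: The tor-build-stage fetches `tor-0.3.5.2-alpha.tar.gz` with `wget -q` and goes straight to `tar xf` with no integrity check, even though `gnupg` is installed in the same `RUN` and never used; fetch the release's `.asc` signature next to the tarball and `gpg --verify` it against the Tor release signing key (imported from the project's published fingerprint, not hard-coded here) before extracting, or at minimum compare a pinned sha256, so the tor binary shipped in the final image does not rest solely on the download succeeding. The final stage keeps `#USER cwtchd` commented out, so `cwtch_server` runs as root; because the entrypoint's `mkdir`/`chown` steps and the `User _tor` directive in torrc need root, the privilege drop has to happen inside the entrypoint after tor is started rather than via a Dockerfile `USER`, and the comment above it should say that so the line is not simply uncommented later. `FROM golang` and both `FROM alpine:latest` lines are unpinned, `MAINTAINER` is deprecated in favour of `LABEL`, and the trailing `&& ls -R /usr/local/` looks like leftover debugging output.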
diff --git a/k8s/cwtch.yml b/k8s/cwtch.yml
new file mode 100644
index 0000000..12af255
--- /dev/null
+++ b/k8s/cwtch.yml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cwtch
+ labels:
+ app: cwtch
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cwtch
+ template:
+ metadata:
+ labels:
+ app: cwtch
+ spec:
+ containers:
+ - name: cwtch
+ image: registry.gitlab.com/brasshorncomms/cwtch:TAGNAME
+ ports:
+ env:
+ imagePullSecrets:
+ - name: gitlab-pull-secret
diff --git a/server/docker/docker-entrypoint b/server/docker/docker-entrypoint
new file mode 100755
index 0000000..8972011
--- /dev/null
+++ b/server/docker/docker-entrypoint
@@ -0,0 +1,33 @@
+#!/bin/sh
+set -o errexit
+
+chmod_files() { find $2 -type f -exec chmod -v $1 {} \;
+}
+chmod_dirs() { find $2 -type d -exec chmod -v $1 {} \;
+}
+
+mkdir /run/tor/
+chown ${TOR_USER}:${TOR_USER} /run/tor/
+chmod 770 /run/tor
+
+chown -Rv ${TOR_USER}:${TOR_USER} /var/lib/tor
+chmod_dirs 700 /var/lib/tor
+chmod_files 600 /var/lib/tor
+
+echo -e "\n========================================================"
+# Display OS version, Tor version & torrc in log
+echo -e "Alpine Version: \c" && cat /etc/alpine-release
+tor --version
+#cat /etc/tor/torrc
+echo -e "========================================================\n"
+
+tor -f /etc/tor/torrc
+
+#Cwtch will crash and burn if 9051 isn't ready
+sleep 15
+
+#Run cwtch (or whatever the user passed)
+exec "$@"
+#$@
+
+
diff --git a/server/docker/torrc b/server/docker/torrc
new file mode 100644
index 0000000..ccc03bb
--- /dev/null
+++ b/server/docker/torrc
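Review bot: `ports:` and `env:` under the cwtch container are left empty, which YAML parses as null; either list the port the server listens on so a Service and a readiness probe can reference it, or drop both keys rather than ship placeholders that look like configuration. The pod spec has no `securityContext` and no `resources` block, so the container runs as whatever user the image defaults to (root, given the Dockerfile in this commit) and with no limits; a `securityContext` with `allowPrivilegeEscalation: false` plus request/limit values are the minimum worth pinning even for staging — whether `runAsNonRoot` can be set depends on where the entrypoint drops privileges, which this commit does not settle. The `TAGNAME` placeholder is only meaningful because push-to-staging rewrites it with sed, so a one-line comment here, e.g. `# TAGNAME is substituted by the push-to-staging CI job; do not apply this file verbatim`, would save a reader from applying it by hand.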
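Review bot: `mkdir /run/tor/` has no `-p`, and under `set -o errexit` it aborts the whole entrypoint whenever the directory already exists — which it will on a plain `docker stop`/`docker start` of the same container, since `/run` is not a volume or tmpfs here; use `mkdir -p /run/tor/`. The `sleep 15` after `tor -f /etc/tor/torrc` is a timing guess that either wastes start-up time or races cwtch against the control port; polling for the cookie file the torrc configures is more robust, e.g. `until [ -e /run/tor/control.authcookie ]; do sleep 1; done`, on the understanding that the cookie is written once the control listener is up (worth confirming against the Tor version built here). `exec "$@"` still launches cwtch_server as root because the Dockerfile keeps `USER cwtchd` commented out; root is only needed for the chown steps and for tor's own `User _tor` switch, so this line is where the drop to `cwtchd` belongs (for instance through `su-exec`, available in Alpine) once tor has been started.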
@@ -0,0 +1,29 @@
+User _tor
+DataDirectory /var/lib/tor
+
+#Nickname ContainedOnion
+#ContactInfo support@ablative.hosting
+ORPort 0
+ExitRelay 0
+IPv6Exit 0
+
+#We need this running in the background as the server doesn't launch it itself
+RunAsDaemon 1
+
+ClientOnly 1
+SocksPort 9050
+
+ControlPort 9051
+ControlSocket /run/tor/control
+ControlSocketsGroupWritable 1
+CookieAuthentication 1
+CookieAuthFile /run/tor/control.authcookie
+CookieAuthFileGroupReadable 1
+#HashedControlPassword 16:B4C8EE980C085EE460AEA9094350DAA9C2B5F841400E9BBA247368400A
+
+# Run as a relay only (change policy to enable exit node)
+ExitPolicy reject *:* # no exits allowed
+ExitPolicy reject6 *:*
+
+# Additional config built by the entrypoint will go here
+
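Review bot: The commented-out `#HashedControlPassword 16:B4C8EE…` line is a control-port credential hash committed to the repository; even disabled it should be removed from the shared config, and since it is now in git history the underlying password should not be re-enabled later — `CookieAuthentication 1` with the group-readable cookie already covers control-port auth here. The comment `# Run as a relay only (change policy to enable exit node)` contradicts `ClientOnly 1` and `ORPort 0` above it, as this instance never relays; rewrite it to something like `# Client-only instance; explicit reject policy kept as a safeguard should ORPort ever be set`. The closing `# Additional config built by the entrypoint will go here` does not match the entrypoint in this commit, which appends nothing to the file, so either drop the comment or mark it as future work.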