Proof of concept for dockerising the server component, including work to integrate with Kubernetes, GitLab and Docker Hub.
부모
b58512693d
커밋
1001dbb3fe
|
@ -0,0 +1,74 @@
|
|||
image: golang:latest
|
||||
|
||||
#before_script:
|
||||
|
||||
stages:
|
||||
- test
|
||||
- docker-push
|
||||
- deploy-staging
|
||||
|
||||
test-server:
|
||||
stage: test
|
||||
script:
|
||||
- mkdir /go/src/cwtch.im
|
||||
- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
|
||||
- cd /go/src/cwtch.im/cwtch/server/app/
|
||||
- go get
|
||||
- go tool vet -composites=false -shadow=true *.go
|
||||
- go test
|
||||
|
||||
test-client:
|
||||
stage: test
|
||||
script:
|
||||
- mkdir /go/src/cwtch.im
|
||||
- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
|
||||
- cd /go/src/cwtch.im/cwtch/app/cli/
|
||||
- go get
|
||||
- go tool vet -composites=false -shadow=true *.go
|
||||
- go test
|
||||
# We don't really care about the client here but it's useful to know what;s
|
||||
# happening on t'other side of the coin
|
||||
allow_failure: true
|
||||
|
||||
|
||||
gitlab-registry:
|
||||
stage: docker-push
|
||||
#only:
|
||||
# - master
|
||||
image: docker:latest
|
||||
services:
|
||||
- docker:dind
|
||||
tags:
|
||||
script:
|
||||
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN ${CI_REGISTRY}
|
||||
- docker build -t ${CI_REGISTRY_IMAGE}:latest -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8} .
|
||||
- docker push ${CI_REGISTRY_IMAGE}:latest
|
||||
- docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8}
|
||||
dependencies:
|
||||
- test-server
|
||||
|
||||
docker-hub:
|
||||
stage: docker-push
|
||||
image: docker:latest
|
||||
services:
|
||||
- docker:dind
|
||||
tags:
|
||||
script:
|
||||
- docker login -u ${DOCKER_HUB_ID} -p ${DOCKER_HUB_PASSWORD} registry.hub.docker.com
|
||||
- docker build -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8} .
|
||||
- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest
|
||||
- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8}
|
||||
dependencies:
|
||||
- test-server
|
||||
|
||||
|
||||
push-to-staging:
|
||||
stage: deploy-staging
|
||||
#only:
|
||||
# - master
|
||||
tags:
|
||||
- kube
|
||||
script:
|
||||
/usr/bin/sed "s/TAGNAME/${CI_COMMIT_SHA:0:8}/" k8s/cwtch.yml | /usr/bin/kubectl apply -f -
|
||||
environment:
|
||||
name: staging
|
|
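Review bot: Both `docker login` lines pass the secret on the command line (`-p $CI_JOB_TOKEN` in gitlab-registry, `-p ${DOCKER_HUB_PASSWORD}` in docker-hub), which docker itself warns about because the value can end up in the job log on a failed command and in the process list of the dind service; feed it on stdin instead, `echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_ID" --password-stdin registry.hub.docker.com`, and the same for the job token. With the `only: - master` blocks commented out, every branch pipeline also pushes `:latest` to Docker Hub and runs `kubectl apply` against staging, so until those guards return the Docker Hub credentials should at least be protected variables that only protected branches can read. `image: golang:latest` and `image: docker:latest` make the test and build toolchains drift between runs; pinning a minor version keeps the vet/test results reproducible. The empty `tags:` keys on the two docker-push jobs presumably mean "any runner" but read as unfinished.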
@ -0,0 +1,80 @@
|
|||
FROM golang as server-build-stage
|
||||
ENV CGO_ENABLED=0 GOOS=linux
|
||||
|
||||
WORKDIR /go/src/cwtch.im/cwtch
|
||||
COPY . .
|
||||
|
||||
RUN go get -d -v ./...
|
||||
#RUN go install -v ./...
|
||||
WORKDIR /go/src/cwtch.im/cwtch/server/app/
|
||||
RUN go build -ldflags "-extldflags '-static'"
|
||||
|
||||
|
||||
|
||||
#----------------------------------------------
|
||||
FROM alpine:latest as tor-build-stage
|
||||
|
||||
# Install prerequisites
|
||||
RUN apk --no-cache add --update \
|
||||
gnupg \
|
||||
build-base \
|
||||
libevent \
|
||||
libevent-dev \
|
||||
libressl \
|
||||
libressl-dev \
|
||||
xz-libs \
|
||||
xz-dev \
|
||||
zlib \
|
||||
zlib-dev \
|
||||
zstd \
|
||||
zstd-dev \
|
||||
#&& wget -q https://www.torproject.org/dist/tor-0.3.4.8.tar.gz \
|
||||
&& wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz \
|
||||
&& tar xf tor-0.3.5.2-alpha.tar.gz \
|
||||
&& cd tor-0.3.5.2-alpha \
|
||||
&& ./configure \
|
||||
&& make install \
|
||||
&& ls -R /usr/local/
|
||||
|
||||
FROM alpine:latest
|
||||
MAINTAINER Ablative Hosting <support@ablative.hosting>
|
||||
|
||||
#BSD habits die hard
|
||||
ENV TOR_USER=_tor
|
||||
|
||||
# Installing dependencies of Tor and pwgen
|
||||
RUN apk --no-cache add --update \
|
||||
libevent \
|
||||
libressl \
|
||||
xz-libs \
|
||||
zlib \
|
||||
zstd \
|
||||
zstd-dev \
|
||||
pwgen
|
||||
|
||||
# Copy Tor
|
||||
COPY --from=tor-build-stage /usr/local/ /usr/local/
|
||||
|
||||
# Create an unprivileged tor user
|
||||
#RUN addgroup -g 19001 -S $TOR_USER && adduser -u 19001 -G $TOR_USER -S $TOR_USER
|
||||
RUN addgroup -S $TOR_USER && adduser -G $TOR_USER -S $TOR_USER && adduser -G _tor -S cwtchd
|
||||
|
||||
# Copy Tor configuration file
|
||||
COPY ./server/docker/torrc /etc/tor/torrc
|
||||
|
||||
# Copy docker-entrypoint
|
||||
COPY ./server/docker/docker-entrypoint /usr/local/bin/
|
||||
|
||||
# Copy across cwtch
|
||||
COPY --from=server-build-stage /go/src/cwtch.im/cwtch/server/app/app /usr/local/bin/cwtch_server
|
||||
|
||||
# Persist data
|
||||
VOLUME /etc/tor /var/lib/tor
|
||||
|
||||
ENTRYPOINT ["docker-entrypoint"]
|
||||
|
||||
#cwtchd is in the _tor group so can access the socket but that's it
|
||||
#USER cwtchd
|
||||
|
||||
#Launches the cwtchd daemon
|
||||
CMD ["/usr/local/bin/cwtch_server"]
|
|
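Review bot: The tor tarball fetched by `&& wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz \` is configured, built and installed with no integrity check at all, even though `gnupg` is installed in that stage and never used; at minimum pin the archive before extracting it, `&& echo "<EXPECTED_SHA256>  tor-0.3.5.2-alpha.tar.gz" | sha256sum -c - \`, or fetch the matching `.asc` and verify it against the Tor release-signing key. The same unpinned-input theme applies to `FROM golang` and both `FROM alpine:latest` lines, which make the build non-reproducible and can silently change the toolchain tor is compiled with. `MAINTAINER` is deprecated in favour of `LABEL`, and `&& ls -R /usr/local/` looks like leftover debugging output in the build stage. `#USER cwtchd` being commented out means the final image runs as root; that follows from the entrypoint's root-only chown/chmod setup, so the privilege drop belongs in the entrypoint rather than here.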
@ -0,0 +1,23 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cwtch
|
||||
labels:
|
||||
app: cwtch
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: cwtch
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cwtch
|
||||
spec:
|
||||
containers:
|
||||
- name: cwtch
|
||||
image: registry.gitlab.com/brasshorncomms/cwtch:TAGNAME
|
||||
ports:
|
||||
env:
|
||||
imagePullSecrets:
|
||||
- name: gitlab-pull-secret
|
|
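Review bot: The pod declares no `volumes`, so `/var/lib/tor` and `/etc/tor`, which the Dockerfile marks as `VOLUME`, sit in the container's writable layer (Kubernetes ignores image `VOLUME` declarations) and everything tor or the server writes there is lost on every pod restart or image roll; if the onion identity key is stored there, the service address changes on each deploy. Mount a PersistentVolumeClaim at `/var/lib/tor`, or an explicit `emptyDir` if the loss is intended, so the behaviour is deliberate rather than accidental. The container also has no `resources` requests/limits and no `securityContext`; `runAsNonRoot` cannot be set while the entrypoint needs root to chown, but `allowPrivilegeEscalation: false` costs nothing here. The empty `ports:` and `env:` keys are harmless nulls but read as unfinished.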
@ -0,0 +1,33 @@
|
|||
#!/bin/sh
|
||||
set -o errexit
|
||||
|
||||
chmod_files() { find $2 -type f -exec chmod -v $1 {} \;
|
||||
}
|
||||
chmod_dirs() { find $2 -type d -exec chmod -v $1 {} \;
|
||||
}
|
||||
|
||||
mkdir /run/tor/
|
||||
chown ${TOR_USER}:${TOR_USER} /run/tor/
|
||||
chmod 770 /run/tor
|
||||
|
||||
chown -Rv ${TOR_USER}:${TOR_USER} /var/lib/tor
|
||||
chmod_dirs 700 /var/lib/tor
|
||||
chmod_files 600 /var/lib/tor
|
||||
|
||||
echo -e "\n========================================================"
|
||||
# Display OS version, Tor version & torrc in log
|
||||
echo -e "Alpine Version: \c" && cat /etc/alpine-release
|
||||
tor --version
|
||||
#cat /etc/tor/torrc
|
||||
echo -e "========================================================\n"
|
||||
|
||||
tor -f /etc/tor/torrc
|
||||
|
||||
#Cwtch will crash and burn if 9051 isn't ready
|
||||
sleep 15
|
||||
|
||||
#Run cwtch (or whatever the user passed)
|
||||
exec "$@"
|
||||
#$@
|
||||
|
||||
|
|
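Review bot: `exec "$@"` at the end hands cwtch_server over as root: the Dockerfile creates `cwtchd` in the `_tor` group for exactly this purpose but leaves `USER cwtchd` commented out, and nothing in this script drops privileges after the root-only `mkdir`/`chown`/`chmod` setup. Switching user at the exec point, `exec su-exec cwtchd "$@"` (with `su-exec` added to the runtime image's apk list), keeps the root setup and still gives the server the group-readable control socket and cookie. The `sleep 15` after `tor -f /etc/tor/torrc` is a fixed-delay race against tor's control listener; waiting on the artifact tor produces is more robust and usually faster, `until [ -r /run/tor/control.authcookie ]; do sleep 1; done`, which roughly coincides with the control port coming up. `chmod_files` and `chmod_dirs` expand `$1` and `$2` unquoted, which is fine for the fixed paths used here but worth quoting.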
@ -0,0 +1,29 @@
|
|||
User _tor
|
||||
DataDirectory /var/lib/tor
|
||||
|
||||
#Nickname ContainedOnion
|
||||
#ContactInfo support@ablative.hosting
|
||||
ORPort 0
|
||||
ExitRelay 0
|
||||
IPv6Exit 0
|
||||
|
||||
#We need this running in the background as the server doesn't launch it itself
|
||||
RunAsDaemon 1
|
||||
|
||||
ClientOnly 1
|
||||
SocksPort 9050
|
||||
|
||||
ControlPort 9051
|
||||
ControlSocket /run/tor/control
|
||||
ControlSocketsGroupWritable 1
|
||||
CookieAuthentication 1
|
||||
CookieAuthFile /run/tor/control.authcookie
|
||||
CookieAuthFileGroupReadable 1
|
||||
#HashedControlPassword 16:B4C8EE980C085EE460AEA9094350DAA9C2B5F841400E9BBA247368400A
|
||||
|
||||
# Run as a relay only (change policy to enable exit node)
|
||||
ExitPolicy reject *:* # no exits allowed
|
||||
ExitPolicy reject6 *:*
|
||||
|
||||
# Additional config built by the entrypoint will go here
|
||||
|
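Review bot: The comment `# Run as a relay only (change policy to enable exit node)` contradicts the rest of the file: `ClientOnly 1` and `ORPort 0` mean this tor never accepts relay traffic, so the two `ExitPolicy` lines are inert. Either drop the exit-policy block or reword the comment to `# Client only (ORPort 0); ExitPolicy kept as a safety net should ORPort ever be enabled`. The commented `#HashedControlPassword` line is dead config now that `CookieAuthentication 1` is in use and is better removed than left to be uncommented alongside the cookie. `RunAsDaemon 1` detaches tor from the entrypoint's stdout, so with no `Log` directive tor's own warnings presumably never reach `docker logs`; a `Log notice file /var/lib/tor/notices.log` line, or running tor in the foreground from the entrypoint, would keep them visible.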