Proof of Concept for dockerising the server component including work
to integrate with kubernetes, gitlab and docker hub.
Esse commit está contido em:
Gareth @ BrassHornComms 2018-10-10 22:35:45 +01:00 commit de Gogs
commit 1001dbb3fe
5 arquivos alterados com 239 adições e 0 exclusões

74
.gitlab-ci.yml Normal file
Ver arquivo

@ -0,0 +1,74 @@
image: golang:latest
#before_script:
stages:
- test
- docker-push
- deploy-staging
test-server:
stage: test
script:
- mkdir /go/src/cwtch.im
- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
- cd /go/src/cwtch.im/cwtch/server/app/
- go get
- go tool vet -composites=false -shadow=true *.go
- go test
test-client:
stage: test
script:
- mkdir /go/src/cwtch.im
- ln -s /builds/BrassHornComms/cwtch /go/src/cwtch.im/cwtch
- cd /go/src/cwtch.im/cwtch/app/cli/
- go get
- go tool vet -composites=false -shadow=true *.go
- go test
# We don't really care about the client here but it's useful to know what;s
# happening on t'other side of the coin
allow_failure: true
gitlab-registry:
stage: docker-push
#only:
# - master
image: docker:latest
services:
- docker:dind
tags:
script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN ${CI_REGISTRY}
- docker build -t ${CI_REGISTRY_IMAGE}:latest -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8} .
- docker push ${CI_REGISTRY_IMAGE}:latest
- docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA:0:8}
dependencies:
- test-server
docker-hub:
stage: docker-push
image: docker:latest
services:
- docker:dind
tags:
script:
- docker login -u ${DOCKER_HUB_ID} -p ${DOCKER_HUB_PASSWORD} registry.hub.docker.com
- docker build -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest -t registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8} .
- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:latest
- docker push registry.hub.docker.com/${DOCKER_HUB_ID}/cwtch:${CI_COMMIT_SHA:0:8}
dependencies:
- test-server
push-to-staging:
stage: deploy-staging
#only:
# - master
tags:
- kube
script:
/usr/bin/sed "s/TAGNAME/${CI_COMMIT_SHA:0:8}/" k8s/cwtch.yml | /usr/bin/kubectl apply -f -
environment:
name: staging

80
Dockerfile Normal file
Ver arquivo

@ -0,0 +1,80 @@
FROM golang as server-build-stage
ENV CGO_ENABLED=0 GOOS=linux
WORKDIR /go/src/cwtch.im/cwtch
COPY . .
RUN go get -d -v ./...
#RUN go install -v ./...
WORKDIR /go/src/cwtch.im/cwtch/server/app/
RUN go build -ldflags "-extldflags '-static'"
#----------------------------------------------
FROM alpine:latest as tor-build-stage
# Install prerequisites
RUN apk --no-cache add --update \
gnupg \
build-base \
libevent \
libevent-dev \
libressl \
libressl-dev \
xz-libs \
xz-dev \
zlib \
zlib-dev \
zstd \
zstd-dev \
#&& wget -q https://www.torproject.org/dist/tor-0.3.4.8.tar.gz \
&& wget -q https://www.torproject.org/dist/tor-0.3.5.2-alpha.tar.gz \
&& tar xf tor-0.3.5.2-alpha.tar.gz \
&& cd tor-0.3.5.2-alpha \
&& ./configure \
&& make install \
&& ls -R /usr/local/
FROM alpine:latest
MAINTAINER Ablative Hosting <support@ablative.hosting>
#BSD habits die hard
ENV TOR_USER=_tor
# Installing dependencies of Tor and pwgen
RUN apk --no-cache add --update \
libevent \
libressl \
xz-libs \
zlib \
zstd \
zstd-dev \
pwgen
# Copy Tor
COPY --from=tor-build-stage /usr/local/ /usr/local/
# Create an unprivileged tor user
#RUN addgroup -g 19001 -S $TOR_USER && adduser -u 19001 -G $TOR_USER -S $TOR_USER
RUN addgroup -S $TOR_USER && adduser -G $TOR_USER -S $TOR_USER && adduser -G _tor -S cwtchd
# Copy Tor configuration file
COPY ./server/docker/torrc /etc/tor/torrc
# Copy docker-entrypoint
COPY ./server/docker/docker-entrypoint /usr/local/bin/
# Copy across cwtch
COPY --from=server-build-stage /go/src/cwtch.im/cwtch/server/app/app /usr/local/bin/cwtch_server
# Persist data
VOLUME /etc/tor /var/lib/tor
ENTRYPOINT ["docker-entrypoint"]
#cwtchd is in the _tor group so can access the socket but that's it
#USER cwtchd
#Launches the cwtchd daemon
CMD ["/usr/local/bin/cwtch_server"]

23
k8s/cwtch.yml Normal file
Ver arquivo

@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cwtch
labels:
app: cwtch
spec:
replicas: 1
selector:
matchLabels:
app: cwtch
template:
metadata:
labels:
app: cwtch
spec:
containers:
- name: cwtch
image: registry.gitlab.com/brasshorncomms/cwtch:TAGNAME
ports:
env:
imagePullSecrets:
- name: gitlab-pull-secret

33
server/docker/docker-entrypoint Executable file
Ver arquivo

@ -0,0 +1,33 @@
#!/bin/sh
set -o errexit
chmod_files() { find $2 -type f -exec chmod -v $1 {} \;
}
chmod_dirs() { find $2 -type d -exec chmod -v $1 {} \;
}
mkdir /run/tor/
chown ${TOR_USER}:${TOR_USER} /run/tor/
chmod 770 /run/tor
chown -Rv ${TOR_USER}:${TOR_USER} /var/lib/tor
chmod_dirs 700 /var/lib/tor
chmod_files 600 /var/lib/tor
echo -e "\n========================================================"
# Display OS version, Tor version & torrc in log
echo -e "Alpine Version: \c" && cat /etc/alpine-release
tor --version
#cat /etc/tor/torrc
echo -e "========================================================\n"
tor -f /etc/tor/torrc
#Cwtch will crash and burn if 9051 isn't ready
sleep 15
#Run cwtch (or whatever the user passed)
exec "$@"
#$@

29
server/docker/torrc Normal file
Ver arquivo

@ -0,0 +1,29 @@
User _tor
DataDirectory /var/lib/tor
#Nickname ContainedOnion
#ContactInfo support@ablative.hosting
ORPort 0
ExitRelay 0
IPv6Exit 0
#We need this running in the background as the server doesn't launch it itself
RunAsDaemon 1
ClientOnly 1
SocksPort 9050
ControlPort 9051
ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1
#HashedControlPassword 16:B4C8EE980C085EE460AEA9094350DAA9C2B5F841400E9BBA247368400A
# Run as a relay only (change policy to enable exit node)
ExitPolicy reject *:* # no exits allowed
ExitPolicy reject6 *:*
# Additional config built by the entrypoint will go here