
split up installation for core and kapi+grapi (#293)

* split up installation for core and kapi+grapi
* add some debug output in case package installation fails
* let konnect run as nobody
* add code to check writing permissions for certificates and create certificates in container if possible
* add tests to check on failed and successful certificate creation
* add certificate creation logic from the konnect binfile
* add env for custom dockerize timeout (to fail earlier in tests)
This commit is contained in:
Felix Bartels 2019-11-26 10:10:22 +01:00 committed by GitHub
parent 08a009c7ed
commit d7fb796fa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 97 additions and 19 deletions


@ -395,6 +395,10 @@ test-startup-meet-demo: ## Test if the Meet demo setup starts up
docker-compose -f examples/meet/docker-compose.yml -f examples/meet/tests/test-container.yml stop 2>/dev/null
docker ps --filter name=kopano_test* -aq | xargs docker rm -f
.PHONY: test-startup-individual
test-startup-individual:
docker run -it --rm -e DEBUG=true -v /etc/machine-id:/etc/machine-id -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id kopano/kopano_konnect
# TODO this needs goss added to travis and dcgoss pulled from my own git repo
.PHONY: test-goss
test-goss: ## Test configuration of containers with goss
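Review bot: The new `test-startup-individual` target has no `## ` help text, unlike the neighbouring `test-startup-meet-demo` and `test-goss` targets, so it will be missing from any generated help listing; suggest `test-startup-individual: ## Start a single konnect container for manual inspection`. The `docker run -it` also needs an attached TTY, which seems to mark this as an interactive target rather than one for CI, and a comment saying so would save the next reader a failed run. The old/new sides of this hunk are not recoverable from the rendered page, so this is inferred from the commit message.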


@ -49,16 +49,19 @@ RUN \
# install
apt-get update && \
set -x && \
apt-get install --no-install-recommends -y \
apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
kopano-server-packages \
kopano-grapi kopano-kapid \
${ADDITIONAL_KOPANO_PACKAGES} \
&& \
coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
if dpkg --compare-versions "$coreversion" "gt" "8.7.0"; then \
apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
kopano-grapi kopano-kapid; \
fi && \
if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
apt-get install --no-install-recommends -y \
apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
python3-grapi.backend.ldap; \
fi; \
fi && \
set +x && \
rm -rf /var/cache/apt /var/lib/apt/lists && \
touch /etc/kopano/admin.cfg && \
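Review bot: The `-o Debug::pkgProblemResolver=true` option is now passed on every `apt-get install` in this RUN step, so resolver debug output appears in every build log, not only when installation fails as the commit message says. If the intent is to see resolver details only on failure, run the install plainly and retry with the debug option on error, e.g. `apt-get install --no-install-recommends -y ... || apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y ...`; otherwise a comment such as `# resolver debug output is always on to diagnose failed installs` would record the choice. The repeated option string could also live in a single variable to keep the three invocations in sync. The RUN instruction starts and ends outside this hunk.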


@ -436,6 +436,7 @@ services:
- identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
- identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
- signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
- validation_keys_path=/kopano/ssl/konnectkeys
env_file:
- kopano_konnect.env
networks:
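Review bot: The new `validation_keys_path=/kopano/ssl/konnectkeys` entry points the wrapper at a directory it may have to create with `mkdir -p` when it generates a signing key itself, and the konnect image now runs as `nobody`; if the `/kopano/ssl` volume is not writable by that user the wrapper aborts under `set -e` before konnectd starts. A comment next to the entry, `# must be writable by the container user (nobody) when keys are generated in-container`, would make the expected volume ownership explicit. Which line of the hunk is the added one is inferred from the commit message, not recoverable from the rendered page.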


@ -41,4 +41,6 @@ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSI
COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
COPY wrapper.sh /usr/local/bin
USER nobody
ENTRYPOINT ["wrapper.sh"]
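Review bot: `COPY --chown=nobody:nogroup` gives the runtime user ownership, and therefore write access, to the identifier registration and scopes files, which define the OIDC clients konnectd will accept; a root-owned copy with the default 0644 mode is already readable by `nobody`, so unless konnectd rewrites these files the `--chown` grants more than it needs. Suggest dropping `--chown` on that COPY, `COPY konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/`, and adding `# config is read-only for the runtime user; keys live in the mounted volume` above it. Switching to `USER nobody` is a clear improvement; the side assignment of this hunk's lines is inferred from the commit message.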


@ -35,6 +35,28 @@ tests:
config:
env:
identifier_registration_conf: /etc/kopano/konnectd-identifier-registration.yaml
no write permissions for certificates:
command: /commander/test-helper.sh && wrapper.sh
exit-code: 1
stderr:
contains:
- "can't create /root/sign.key: Permission denied"
- 'Timeout after 1s waiting on dependencies to become available: [file:///root/sign.key]'
config:
env:
signing_private_key: /root/sign.key
DOCKERIZE_TIMEOUT: 1s
certificate creation in container:
command: /commander/test-helper.sh && wrapper.sh
stderr:
contains:
- "setup: creating new RSA private key at"
not-contains:
- "Timeout after 360s waiting on dependencies to become available:"
config:
env:
signing_private_key: /tmp/sign.key
encryption_secret_key: /tmp/secret.key
config:
env:
PATH: ${PATH}
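Review bot: The `certificate creation in container` test overrides `signing_private_key` and `encryption_secret_key` to `/tmp` but leaves `validation_keys_path` at its default, so the generated RSA key is written under `/etc/kopano/konnectkeys`, which the wrapper first has to create with `mkdir -p`; if the test runs as the image's `nobody` user that mkdir fails under `set -e` before the expected `setup: creating new RSA private key at` line is printed. Adding `validation_keys_path: /tmp/konnectkeys` to that test's `env` removes the dependency on `/etc/kopano` being writable. The `no write permissions for certificates` test asserts on the shell's exact `can't create ...: Permission denied` wording, which differs between dash and busybox; a comment noting which shell the image provides would explain why the string is safe to pin.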


@ -3,28 +3,76 @@
set -eu
[ "$DEBUG" ] && set -x
DOCKERIZE_TIMEOUT=${DOCKERIZE_TIMEOUT:-360s}
# allow helper commands given by "docker-compose run"
if [ $# -gt 0 ]; then
exec "$@"
exit
fi
if [ "${allow_client_guests:-}" = "yes" ]; then
# TODO try to create the file if it does not yet exist, how to combine with the below dockerize check?
# TODO this should be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
signing_private_key=${signing_private_key:-"/etc/kopano/konnectd-signing-private-key.pem"}
validation_keys_path=${validation_keys_path:-"/etc/kopano/konnectkeys"}
if ! true >> "$signing_private_key"; then
# file can not be created in this container, wait for external creation
dockerize \
-wait file://"${ecparam:?}" \
-wait file://"${eckey:?}" \
-timeout 360s
-wait file://"$signing_private_key" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
if [ -f "${signing_private_key}" ] && [ ! -s "${signing_private_key}" ]; then
mkdir -p "${validation_keys_path}"
rnd=$(RANDFILE=/tmp/.rnd openssl rand -hex 2)
key="${validation_keys_path}/konnect-$(date +%Y%m%d)-${rnd}.pem"
>&2 echo "setup: creating new RSA private key at ${key} ..."
RANDFILE=/tmp/.rnd openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537
if [ -f "${key}" ]; then
rm "$signing_private_key"
ln -sn "${key}" "${signing_private_key}"
fi
fi
encryption_secret_key=${encryption_secret_key:-"/etc/kopano/konnectd-encryption-secret.key"}
if ! true >> "$encryption_secret_key"; then
# file can not be created in this container, wait for external creation
dockerize \
-wait file://"$encryption_secret_key" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
if [ -f "${encryption_secret_key}" ] && [ ! -s "${encryption_secret_key}" ]; then
>&2 echo "setup: creating new secret key at ${encryption_secret_key} ..."
RANDFILE=/tmp/.rnd openssl rand -out "${encryption_secret_key}" 32
fi
if [ "${allow_client_guests:-}" = "yes" ]; then
# TODO this could be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
ecparam=${ecparam:-/etc/kopano/ecparam.pem}
if ! true >> "$ecparam"; then
# ecparam can not be created in this container, wait for external creation
dockerize \
-wait file://"$ecparam" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
eckey=${eckey:-/etc/kopano/meet-kwmserver.pem}
if ! true >> "$eckey"; then
# eckey can not be created in this container, wait for external creation
dockerize \
-wait file://"$eckey" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
# Key generation for Meet guest mode
if [ ! -s "$ecparam" ]; then
echo "Creating ec param key for Meet..."
echo "Creating ec param key for Meet guest mode ..."
openssl ecparam -name prime256v1 -genkey -noout -out "$ecparam" >/dev/null 2>&1
fi
if [ ! -s "$eckey" ]; then
echo "Creating ec private key for Meet..."
echo "Creating ec private key for Meet guest mode..."
openssl ec -in "$ecparam" -out "$eckey" >/dev/null 2>&1
fi
@ -92,14 +140,12 @@ fi
# services need to be aware of the machine-id
dockerize \
-wait file://"${signing_private_key:?}" \
-wait file://"${encryption_secret_key:?}" \
-wait file:///etc/machine-id \
-wait file:///var/lib/dbus/machine-id \
-timeout 360s
-timeout "$DOCKERIZE_TIMEOUT"
exec konnectd serve \
--signing-private-key="${signing_private_key:?}" \
--encryption-secret="${encryption_secret_key:?}" \
--signing-private-key="$signing_private_key" \
--encryption-secret="$encryption_secret_key" \
--identifier-registration-conf "${identifier_registration_conf:?}" \
--identifier-scopes-conf "${identifier_scopes_conf:?}" \
"$@" "$KONNECT_BACKEND"
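Review bot: In the first hunk the signing key and the encryption secret are created with whatever mode the current umask yields: the `true >> "$signing_private_key"` probe creates the placeholder file, and neither `openssl genpkey -out "${key}"` nor `openssl rand -out "${encryption_secret_key}" 32` restricts permissions, so with the usual 022 umask both secrets end up world-readable on the shared `/kopano/ssl` volume. Unless another container must read these files directly, add `umask 077` before the `mkdir -p "${validation_keys_path}"` line so the key directory, the RSA key and the secret are created owner-only, or `chmod 600` each file right after it is written. The `if [ -f "${key}" ]` check after `openssl genpkey` is effectively dead because `set -eu` already aborts the script when genpkey fails; a comment saying the guard is defensive, or dropping it, would avoid suggesting a partial key could be tolerated. The `if [ "${allow_client_guests:-}" = "yes" ]` block opened in this hunk closes outside it, as the second hunk's `fi` header shows.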


@ -42,9 +42,9 @@ if [ ! -f $enckey ]; then
mv $enckey.tmp $enckey
fi
# Konnect - create token signing key if not already present
# Konnect - create token signing key if not already present
signkey="/kopano/ssl/konnectd-tokens-signing-key.pem"
if [ ! -f $signkey ]; then
if [ ! -L $signkey ] && [ ! -f $signkey ]; then
echo "Creating Konnect token signing key..."
openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096 >/dev/null 2>&1
chmod go+r $signkey.tmp
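Review bot: The new `[ ! -L $signkey ] && [ ! -f $signkey ]` condition skips key creation whenever a symlink is present, including one whose target is not visible from this container, and nothing in the hunk records why; a comment such as `# a symlink here was created by the konnect container (key lives in validation_keys_path); never replace it` above the `if` would stop a later maintainer from simplifying it back to `-f` or `-e`. Quoting the variable, `if [ ! -L "$signkey" ] && [ ! -f "$signkey" ]; then`, matches the quoting used in the konnect wrapper in this same commit. The `if` block continues past the end of this hunk.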