flywithu/kopano-docker
1
0
Fork 0
mirror of https://github.com/zokradonh/kopano-docker synced 2025-06-07 07:56:12 +00:00
Code Issues Releases Wiki Activity

split up installation for core and kapi+grapi (#293)

Browse Source 
* split up installation for core and kapi+grapi
* add some debug output in case package installation fails
* let konnect run as nobody
* add code to check writing permissions for certificates and create certificates in container if possible
* add tests to check on failed and successful certificate creation
* add certificate creation logic from the konnect binfile
* add env for custom dockerize timeout (to fail earlier in tests)
This commit is contained in:
Felix Bartels 2019-11-26 10:10:22 +01:00 committed by GitHub
parent 08a009c7ed
commit d7fb796fa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 97 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -395,6 +395,10 @@ test-startup-meet-demo: ## Test if the Meet demo setup starts up
docker-compose -f examples/meet/docker-compose.yml -f examples/meet/tests/test-container.yml stop 2>/dev/null docker-compose -f examples/meet/docker-compose.yml -f examples/meet/tests/test-container.yml stop 2>/dev/null
docker ps --filter name=kopano_test* -aq | xargs docker rm -f docker ps --filter name=kopano_test* -aq | xargs docker rm -f
.PHONY: test-startup-individual
test-startup-individual:
docker run -it --rm -e DEBUG=true -v /etc/machine-id:/etc/machine-id -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id kopano/kopano_konnect
# TODO this needs goss added to travis and dcgoss pulled from my own git repo # TODO this needs goss added to travis and dcgoss pulled from my own git repo
.PHONY: test-goss .PHONY: test-goss
test-goss: ## Test configuration of containers with goss test-goss: ## Test configuration of containers with goss

11
core/Dockerfile
View File

@ -49,16 +49,19 @@ RUN \
# install # install
apt-get update && \ apt-get update && \
set -x && \ set -x && \
apt-get install --no-install-recommends -y \ apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
kopano-server-packages \ kopano-server-packages \
kopano-grapi kopano-kapid \
${ADDITIONAL_KOPANO_PACKAGES} \ ${ADDITIONAL_KOPANO_PACKAGES} \
&& \ && \
coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \ coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
if dpkg --compare-versions "$coreversion" "gt" "8.7.0"; then \
apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
kopano-grapi kopano-kapid; \
fi && \
if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \ if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
apt-get install --no-install-recommends -y \ apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
python3-grapi.backend.ldap; \ python3-grapi.backend.ldap; \
fi; \ fi && \
set +x && \ set +x && \
rm -rf /var/cache/apt /var/lib/apt/lists && \ rm -rf /var/cache/apt /var/lib/apt/lists && \
touch /etc/kopano/admin.cfg && \ touch /etc/kopano/admin.cfg && \

1
docker-compose.yml
View File

@ -436,6 +436,7 @@ services:
- identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
- identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
- signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
- validation_keys_path=/kopano/ssl/konnectkeys
env_file: env_file:
- kopano_konnect.env - kopano_konnect.env
networks: networks:

2
konnect/Dockerfile
View File

@ -41,4 +41,6 @@ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSI
COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/ COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
COPY wrapper.sh /usr/local/bin COPY wrapper.sh /usr/local/bin
USER nobody
ENTRYPOINT ["wrapper.sh"] ENTRYPOINT ["wrapper.sh"]

22
konnect/commander.yaml
View File

@ -35,6 +35,28 @@ tests:
config: config:
env: env:
identifier_registration_conf: /etc/kopano/konnectd-identifier-registration.yaml identifier_registration_conf: /etc/kopano/konnectd-identifier-registration.yaml
no write permissions for certificates:
command: /commander/test-helper.sh && wrapper.sh
exit-code: 1
stderr:
contains:
- "can't create /root/sign.key: Permission denied"
- 'Timeout after 1s waiting on dependencies to become available: [file:///root/sign.key]'
config:
env:
signing_private_key: /root/sign.key
DOCKERIZE_TIMEOUT: 1s
certificate creation in container:
command: /commander/test-helper.sh && wrapper.sh
stderr:
contains:
- "setup: creating new RSA private key at"
not-contains:
- "Timeout after 360s waiting on dependencies to become available:"
config:
env:
signing_private_key: /tmp/sign.key
encryption_secret_key: /tmp/secret.key
config: config:
env: env:
PATH: ${PATH} PATH: ${PATH}

72
konnect/wrapper.sh
View File

@ -3,28 +3,76 @@
set -eu set -eu
[ "$DEBUG" ] && set -x [ "$DEBUG" ] && set -x
DOCKERIZE_TIMEOUT=${DOCKERIZE_TIMEOUT:-360s}
# allow helper commands given by "docker-compose run" # allow helper commands given by "docker-compose run"
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
exec "$@" exec "$@"
exit exit
fi fi
if [ "${allow_client_guests:-}" = "yes" ]; then signing_private_key=${signing_private_key:-"/etc/kopano/konnectd-signing-private-key.pem"}
# TODO try to create the file if it does not yet exist, how to combine with the below dockerize check? validation_keys_path=${validation_keys_path:-"/etc/kopano/konnectkeys"}
# TODO this should be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
if ! true >> "$signing_private_key"; then
# file can not be created in this container, wait for external creation
dockerize \ dockerize \
-wait file://"${ecparam:?}" \ -wait file://"$signing_private_key" \
-wait file://"${eckey:?}" \ -timeout "$DOCKERIZE_TIMEOUT"
-timeout 360s fi
if [ -f "${signing_private_key}" ] && [ ! -s "${signing_private_key}" ]; then
mkdir -p "${validation_keys_path}"
rnd=$(RANDFILE=/tmp/.rnd openssl rand -hex 2)
key="${validation_keys_path}/konnect-$(date +%Y%m%d)-${rnd}.pem"
>&2 echo "setup: creating new RSA private key at ${key} ..."
RANDFILE=/tmp/.rnd openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537
if [ -f "${key}" ]; then
rm "$signing_private_key"
ln -sn "${key}" "${signing_private_key}"
fi
fi
encryption_secret_key=${encryption_secret_key:-"/etc/kopano/konnectd-encryption-secret.key"}
if ! true >> "$encryption_secret_key"; then
# file can not be created in this container, wait for external creation
dockerize \
-wait file://"$encryption_secret_key" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
if [ -f "${encryption_secret_key}" ] && [ ! -s "${encryption_secret_key}" ]; then
>&2 echo "setup: creating new secret key at ${encryption_secret_key} ..."
RANDFILE=/tmp/.rnd openssl rand -out "${encryption_secret_key}" 32
fi
if [ "${allow_client_guests:-}" = "yes" ]; then
# TODO this could be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
ecparam=${ecparam:-/etc/kopano/ecparam.pem}
if ! true >> "$ecparam"; then
# ecparam can not be created in this container, wait for external creation
dockerize \
-wait file://"$ecparam" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
eckey=${eckey:-/etc/kopano/meet-kwmserver.pem}
if ! true >> "$eckey"; then
# eckey can not be created in this container, wait for external creation
dockerize \
-wait file://"$eckey" \
-timeout "$DOCKERIZE_TIMEOUT"
fi
# Key generation for Meet guest mode # Key generation for Meet guest mode
if [ ! -s "$ecparam" ]; then if [ ! -s "$ecparam" ]; then
echo "Creating ec param key for Meet..." echo "Creating ec param key for Meet guest mode ..."
openssl ecparam -name prime256v1 -genkey -noout -out "$ecparam" >/dev/null 2>&1 openssl ecparam -name prime256v1 -genkey -noout -out "$ecparam" >/dev/null 2>&1
fi fi
if [ ! -s "$eckey" ]; then if [ ! -s "$eckey" ]; then
echo "Creating ec private key for Meet..." echo "Creating ec private key for Meet guest mode..."
openssl ec -in "$ecparam" -out "$eckey" >/dev/null 2>&1 openssl ec -in "$ecparam" -out "$eckey" >/dev/null 2>&1
fi fi
@ -92,14 +140,12 @@ fi
# services need to be aware of the machine-id # services need to be aware of the machine-id
dockerize \ dockerize \
-wait file://"${signing_private_key:?}" \
-wait file://"${encryption_secret_key:?}" \
-wait file:///etc/machine-id \ -wait file:///etc/machine-id \
-wait file:///var/lib/dbus/machine-id \ -wait file:///var/lib/dbus/machine-id \
-timeout 360s -timeout "$DOCKERIZE_TIMEOUT"
exec konnectd serve \ exec konnectd serve \
--signing-private-key="${signing_private_key:?}" \ --signing-private-key="$signing_private_key" \
--encryption-secret="${encryption_secret_key:?}" \ --encryption-secret="$encryption_secret_key" \
--identifier-registration-conf "${identifier_registration_conf:?}" \ --identifier-registration-conf "${identifier_registration_conf:?}" \
--identifier-scopes-conf "${identifier_scopes_conf:?}" \ --identifier-scopes-conf "${identifier_scopes_conf:?}" \
"$@" "$KONNECT_BACKEND" "$@" "$KONNECT_BACKEND"

4
ssl/start.sh
View File

@ -42,9 +42,9 @@ if [ ! -f $enckey ]; then
mv $enckey.tmp $enckey mv $enckey.tmp $enckey
fi fi
# Konnect - create token signing key if not already present # Konnect - create token signing key if not already present
signkey="/kopano/ssl/konnectd-tokens-signing-key.pem" signkey="/kopano/ssl/konnectd-tokens-signing-key.pem"
if [ ! -f $signkey ]; then if [ ! -L $signkey ] && [ ! -f $signkey ]; then
echo "Creating Konnect token signing key..." echo "Creating Konnect token signing key..."
openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096 >/dev/null 2>&1 openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096 >/dev/null 2>&1
chmod go+r $signkey.tmp chmod go+r $signkey.tmp