Build and use local docker images for docker-only setup (#41)

For now, the images are still built on the target machine for testing;
eventually they need to be built in a GitHub Action.
This commit is contained in:
Arjan H
2023-04-15 09:19:17 +02:00
parent b5db9b857d
commit 0ed9d8eac2
33 changed files with 985 additions and 181 deletions

1
.gitignore vendored

@@ -27,3 +27,4 @@ debian/.debhelper/
debian/files
debian/labca-gui.substvars
debian/labca-gui/
build/tmp/


@@ -5,7 +5,7 @@ BINNAME?=labca-gui
Q=$(if $V,,@)
PREFIX?=
TAG=$(shell git rev-list --tags --max-count=1)
VERSION=$(shell git describe --tags $(TAG))
VERSION=$(shell git describe --always --tags $(TAG))
DEB_VERSION=$(shell echo $(VERSION) | sed 's/^v//' | sed 's/-/./g')
RELEASE=./release

12
backup

@@ -12,23 +12,23 @@ fi
BASE=${NOW}_${HOSTNAME}${CRON}
TMPDIR=/tmp/$BASE
mkdir -p $TMPDIR
mkdir -p /backup
mkdir -p /opt/backup
cd /boulder
cd /opt/boulder
docker-compose exec -T bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_integration.sql
cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/
cp -rp /admin/data $TMPDIR/
cp -rp /opt/labca/data $TMPDIR/
cd /tmp
tar czf /backup/$BASE.tgz $BASE
tar czf /opt/backup/$BASE.tgz $BASE
rm -rf $TMPDIR
# housekeeping
find /backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \;
find /opt/backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \;
if [ "$1" != "cron" ]; then
echo /backup/$BASE.tgz
echo /opt/backup/$BASE.tgz
fi

25
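--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -0,0 +1,25 @@
+FROM letsencrypt/boulder-tools:go1.20.1_2023-02-22 AS boulder-tools
+FROM ubuntu:focal
+RUN apt-get update && \
+apt-get install -y --no-install-recommends \
+ca-certificates \
+mariadb-client-core-10.3 \
+python3-pip \
+rsyslog \
+softhsm2 \
+&& rm -rf /var/lib/apt/lists/* \
+&& pip3 install requests
+COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate
+COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
+COPY tmp/bin /opt/boulder/bin
+COPY tmp/src/start.py /opt/boulder
+RUN sed -i -e "s|./test|./labca|" /opt/boulder/start.py
+COPY tmp/src/sa/db /opt/boulder/sa/db
+COPY tmp/src/sa/db-users /opt/boulder/sa/db-users
+COPY tmp/src/test/boulder-tools/boulder.rsyslog.conf /etc/rsyslog.d/
+RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
+RUN sed -i '/$ActionFileDefaultTemplate/s/^/#/' /etc/rsyslog.conf
+RUN sed -i '/$RepeatedMsgReduction on/s/^/#/' /etc/rsyslog.conf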
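Review bot: The helper binaries on the two `COPY --from=boulder-tools` lines come from the go1.20.1_2023-02-22 image named on the first `FROM`, while build/build.sh checks out Boulder at release-2023-04-04 and (judging by the removed line in build/tmp.patch) that release's compose file pins boulder-tools go1.20.3_2023-04-04, so `sql-migrate` and `pebble-challtestsrv` are presumably taken from an older toolchain snapshot than the binaries under tmp/bin; driving both from one `ARG BOULDER_TOOLS_TAG` that build.sh also uses would keep them in step. `pip3 install requests` is unpinned and leaves the pip cache in the layer; `pip3 install --no-cache-dir requests==<pinned-version>` fixes both. The stage has no `USER`, so the Boulder processes run as root in the container, and the three trailing `RUN sed -i … /etc/rsyslog.conf` calls can be a single `RUN` with one `sed -e … -e … -e …` invocation.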

62
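--- a/build/Dockerfile-control
+++ b/build/Dockerfile-control
@@ -0,0 +1,62 @@
+FROM ubuntu:focal as builder
+RUN export DEBIAN_FRONTEND=noninteractive \
+&& apt-get update \
+&& apt-get install -y --no-install-recommends \
+ca-certificates \
+cron \
+curl \
+&& curl -fsSL https://get.docker.com -o get-docker.sh \
+&& sh get-docker.sh \
+&& curl -SL https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose \
+&& chmod +x /usr/local/bin/docker-compose \
+&& rm -rf /var/lib/apt/lists/*
+FROM ubuntu:focal
+RUN export DEBIAN_FRONTEND=noninteractive \
+&& apt-get update \
+&& apt-get install -y --no-install-recommends \
+ca-certificates \
+cron \
+curl \
+python3 \
+tzdata \
+ucspi-tcp \
+&& rm -rf /var/lib/apt/lists/*
+COPY --from=builder /usr/bin/docker /usr/bin/docker
+COPY --from=builder /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+COPY --from=builder /usr/local/bin/docker-compose /usr/local/bin/docker-compose
+COPY tmp/acme_tiny.py /opt/labca/
+COPY tmp/backup /opt/labca/
+COPY tmp/checkcrl /opt/labca/
+COPY tmp/checkrenew /opt/labca/
+COPY tmp/commander /opt/labca/
+COPY tmp/control.sh /opt/labca/
+COPY tmp/cron_d /opt/labca/
+COPY tmp/mailer /opt/labca/
+COPY tmp/nameidtool /opt/labca/
+COPY tmp/renew /opt/labca/
+COPY tmp/restore /opt/labca/
+COPY tmp/utils.sh /opt/labca/
+COPY tmp/src/labca /opt/staging/boulder_labca
+COPY tmp/admin/apply-boulder /opt/labca/
+COPY tmp/admin/static /opt/staging/static
+COPY tmp/admin/data /opt/staging/data
+COPY tmp/nginx.conf /opt/staging/
+COPY tmp/proxy.conf /opt/staging/
+COPY tmp/admin/apply-nginx /opt/labca/
+COPY tmp/bin/boulder /opt/boulder/bin/
+RUN cd /opt/boulder/bin/ \
+&& ln -s boulder admin-revoker \
+&& ln -s boulder mail-tester \
+&& mkdir /opt/logs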
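Review bot: The builder stage installs the Docker CLI by fetching `https://get.docker.com` and running it with `sh`, and downloads docker-compose v2.16.0 with no checksum, so what ends up in the image depends on whatever those URLs serve at build time and a modified download would not be noticed. Docker publishes a static CLI tarball per version under download.docker.com/linux/static/stable/x86_64/, which can be pinned and verified with `sha256sum -c`, and the same check applied to the compose binary; a static `docker` also removes the need to copy `libc.so.6`, `libpthread.so.0`, `libdl.so.2` and `ld-linux-x86-64.so.2` from the builder over the runtime stage's own copies, which is fragile because both stages run `apt-get update` independently and may resolve different glibc builds. `FROM ubuntu:focal as builder` should use `AS` like the other Dockerfiles, and the final `RUN cd /opt/boulder/bin/ && ln …` reads better as `WORKDIR /opt/boulder/bin` followed by the links. The resulting container is root-equivalent on the host through the docker socket compose mounts into it, so the image deserves a header comment stating that expectation.
```dockerfile
FROM ubuntu:focal AS builder
# Pin the CLI and compose releases and verify both downloads; the static CLI
# needs no shared libraries, so the runtime stage only copies two binaries.
ARG DOCKER_VERSION=<pinned-docker-version>
ARG DOCKER_SHA256=<sha256-of-docker-static-tgz>
ARG COMPOSE_VERSION=v2.16.0
ARG COMPOSE_SHA256=<sha256-of-docker-compose-linux-x86_64>
RUN export DEBIAN_FRONTEND=noninteractive \
    && apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates curl \
    && curl -fsSL "https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz" -o /tmp/docker.tgz \
    && echo "${DOCKER_SHA256}  /tmp/docker.tgz" | sha256sum -c - \
    && tar -xzf /tmp/docker.tgz -C /tmp \
    && install -m 0755 /tmp/docker/docker /usr/local/bin/docker \
    && curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose \
    && echo "${COMPOSE_SHA256}  /usr/local/bin/docker-compose" | sha256sum -c - \
    && chmod +x /usr/local/bin/docker-compose \
    && rm -rf /var/lib/apt/lists/* /tmp/docker /tmp/docker.tgz
# … unchanged: runtime stage FROM and apt-get install …
COPY --from=builder /usr/local/bin/docker /usr/bin/docker
COPY --from=builder /usr/local/bin/docker-compose /usr/local/bin/docker-compose
# (the libc/libpthread/libdl/ld-linux COPY lines are dropped: the static CLI needs none of them)
# … unchanged: COPY tmp/… lines and the final RUN …
```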

15
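--- a/build/Dockerfile-gui
+++ b/build/Dockerfile-gui
@@ -0,0 +1,15 @@
+FROM ubuntu:focal
+RUN apt-get update && \
+apt-get install -y --no-install-recommends \
+ca-certificates \
+tzdata \
+&& rm -rf /var/lib/apt/lists/*
+COPY tmp/labca-gui /opt/labca/bin/
+COPY tmp/nameidtool /opt/labca/
+COPY tmp/admin/setup.sh /opt/labca/
+COPY tmp/admin/apply /opt/labca/
+COPY tmp/admin/apply-boulder /opt/labca/
+COPY tmp/admin/apply-nginx /opt/labca/
+COPY tmp/admin/templates /opt/labca/templates/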
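Review bot: The image has no `USER`, `WORKDIR` or `ENTRYPOINT`, so labca-gui runs as root and only starts because build/docker-compose.yml supplies `working_dir: /opt/labca` and `command: bin/labca-gui`; the image should carry its own contract with `WORKDIR /opt/labca`, `ENTRYPOINT ["/opt/labca/bin/labca-gui"]` and a dedicated non-root user that owns /opt/labca/data (using `COPY --chown` on the copied files), which also matters because this container holds the admin configuration under the `ldata` volume. The apply, apply-boulder and apply-nginx scripts are copied here and into the control image as well; if only the control container executes them, as control_do.sh suggests by calling `/opt/labca/apply-boulder` and `/opt/labca/apply-nginx` itself, dropping them from this image keeps its surface smaller. `ubuntu:focal` is a floating tag; pinning a digest here and in the other two Dockerfiles makes rebuilds reproducible.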

53
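--- a/build/build.sh
+++ b/build/build.sh
@@ -0,0 +1,53 @@
+#!/bin/bash -e
+set -euo pipefail
+cd $(dirname $0)
+TMP_DIR=$(pwd)/tmp
+rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
+boulderDir=$TMP_DIR/src
+boulderTag="release-2023-04-04"
+boulderUrl="https://github.com/letsencrypt/boulder/"
+cloneDir=$(pwd)/..
+GIT_VERSION=$(git describe --always --tags 2>/dev/null)
+BUILD_HOST=labca-$GIT_VERSION
+BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//"))
+git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null
+cd $boulderDir
+git checkout $boulderTag -b $boulderTag 2>/dev/null
+if [ "$BUILD_IMAGE" == "" ]; then
+BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//"))
+fi
+echo
+$cloneDir/patch.sh
+cp -r test labca
+$cloneDir/patch-cfg.sh " " "$boulderDir/labca"
+sed -i "s/BUILD_ID = .*/BUILD_ID = \$(shell git describe --always HEAD 2>\/dev\/null) +\$(COMMIT_ID)/" $boulderDir/Makefile
+sed -i "s/BUILD_HOST = .*/BUILD_HOST ?= labca-develop/" $boulderDir/Makefile
+sed -i "s/-ldflags \"-X/-ldflags \"-s -w -X/" $boulderDir/Makefile
+cp -p docker-compose.yml $cloneDir/build/
+echo
+BASEDIR=/go/src/github.com/letsencrypt/boulder
+docker run -it -v $boulderDir:$BASEDIR:cached -v $TMP_DIR/bin:$BASEDIR/bin -w $BASEDIR -e BUILD_HOST=$BUILD_HOST $BUILD_IMAGE sh -c "git config --global --add safe.directory $BASEDIR && make build"
+cp $cloneDir/nginx.conf $TMP_DIR/
+cp $cloneDir/proxy.conf $TMP_DIR/
+cp $cloneDir/utils/nameidtool.go $TMP_DIR/
+cp -rp $cloneDir/gui/* $TMP_DIR/admin/
+sed -i -e "s/^bin\/labca-gui//" $TMP_DIR/admin/setup.sh
+sed -i -e "s/.*apt update.*//" $TMP_DIR/admin/setup.sh
+sed -i '/^$/d' $TMP_DIR/admin/setup.sh
+echo
+BASEDIR=/go/src/labca
+docker run -it -v $TMP_DIR/admin:$BASEDIR:cached -v $TMP_DIR:$BASEDIR/bin -w $BASEDIR -e GIT_VERSION=$GIT_VERSION $BUILD_IMAGE ./setup.sh
+docker run -it -v $TMP_DIR:/utils -w /utils $BUILD_IMAGE go build nameidtool.go
+echo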
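Review bot: All three `docker run` invocations pass `-it`, which allocates a TTY and makes docker fail with "the input device is not a TTY" when no terminal is attached — exactly the GitHub Actions case the commit message names as the goal; none of the three commands read stdin, so the flags can simply be dropped. `BUILD_IMAGE` is produced by `eval echo` over text grepped from ../patches/docker-compose.patch or the cloned docker-compose.yml, which executes any shell metacharacters present in that `image:` line; the only thing the `eval` appears to be for is the upstream `${BOULDER_TOOLS_TAG:-…}` default, which can be resolved by extracting the tag and the default with `sed` and expanding the named variable directly. `cd $(dirname $0)` and the other `$TMP_DIR`/`$boulderDir` expansions should be quoted given `set -euo pipefail`, and the `2>/dev/null` on `git clone` and `git checkout` hides the reason when they abort the script.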

178
build/docker-compose.yml Normal file

@@ -0,0 +1,178 @@
version: '3'
name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
image: hakwerk/labca-boulder:dockeronly
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
# to the IP address where your ACME client's solver is listening.
# FAKE_DNS: 172.17.0.1
FAKE_DNS: 10.77.77.77
BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
GOFLAGS: -mod=vendor
volumes:
- boulder_data:/opt/boulder/labca
- nginx_html:/opt/wwwstatic
#- ./.hierarchy:/hierarchy/:cached
- softhsm:/var/lib/softhsm/tokens:cached
networks:
bluenet:
ipv4_address: 10.77.77.77
rednet:
ipv4_address: 10.88.88.88
consulnet:
ipv4_address: 10.55.55.55
# Use consul as a backup to Docker's embedded DNS server. If there's a name
# Docker's DNS server doesn't know about, it will forward the query to this
# IP (running consul).
# (https://docs.docker.com/config/containers/container-networking/#dns-services).
# This is used to look up service names via A records (like ra.service.consul) that
# are configured via the ServerAddress field of cmd.GRPCClientConfig.
# TODO: Remove this when ServerAddress is deprecated in favor of SRV records
# and DNSAuthority.
dns: 10.55.55.10
expose:
- 4001 # ACMEv2
- 4002 # OCSP
- 4003 # OCSP
depends_on:
- bmysql
- bconsul
- control
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
logging:
driver: "json-file"
options:
max-size: "500k"
max-file: "5"
restart: always
bmysql:
image: mariadb:10.5
volumes:
- dbdata:/var/lib/mysql
networks:
bluenet:
aliases:
- boulder-mysql
environment:
MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
# Send slow queries to a table so we can check for them in the
# integration tests. For now we ignore queries not using indexes,
# because that seems to trigger based on the optimizer's choice to not
# use an index for certain queries, particularly when tables are still
# small.
command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
logging:
driver: "json-file"
options:
max-size: "500k"
max-file: "5"
restart: always
bconsul:
image: hashicorp/consul:1.13.1
depends_on:
- control
volumes:
- boulder_data:/opt/boulder/labca
networks:
consulnet:
ipv4_address: 10.55.55.10
command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
gui:
image: hakwerk/labca-gui:dockeronly
networks:
- bluenet
volumes:
- ldata:/opt/labca/data
- nginx_html:/opt/wwwstatic
- backup:/opt/backup
#- .:/boulder
- boulder_data:/opt/boulder/labca
expose:
- 3000
depends_on:
- bmysql
- control
working_dir: /opt/labca
command: bin/labca-gui
logging:
driver: "json-file"
options:
max-size: "500k"
max-file: "5"
restart: always
nginx:
image: nginx:1.21.6
restart: always
networks:
- bluenet
ports:
- 80:80
- 443:443
volumes:
- nginx_conf:/etc/nginx/conf.d
- nginx_ssl:/etc/nginx/ssl
- nginx_html:/var/www/html
depends_on:
- control
control:
image: hakwerk/labca-control:dockeronly
networks:
- bluenet
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./docker-compose.yml:/opt/boulder/docker-compose.yml
- ldata:/opt/labca/data
- backup:/opt/backup
- logs:/opt/logs
- boulder_data:/opt/boulder/labca
- nginx_conf:/etc/nginx/conf.d
- nginx_ssl:/etc/nginx/ssl
- nginx_html:/var/www/html
expose:
- 3030
environment:
LABCA_FQDN: ${LABCA_FQDN:-notset}
#privileged: true
working_dir: /opt/labca
command: ./control.sh
restart: always
volumes:
dbdata:
nginx_conf:
nginx_ssl:
nginx_html:
boulder_data:
ldata:
backup:
logs:
softhsm:
networks:
bluenet:
driver: bridge
ipam:
driver: default
config:
- subnet: 10.77.77.0/24
rednet:
driver: bridge
ipam:
driver: default
config:
- subnet: 10.88.88.0/24
consulnet:
driver: bridge
ipam:
driver: default
config:
- subnet: 10.55.55.0/24
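Review bot: The three LabCA services reference a fixed `dockeronly` tag (`hakwerk/labca-boulder:dockeronly` and the gui/control counterparts), but build/tag_and_upload.sh tags the images it builds with the current branch name, or with the git version on master/main, so this compose file only matches images built from a branch literally named dockeronly; parameterise it the way `LABCA_FQDN` already is, e.g. `image: hakwerk/labca-boulder:${LABCA_IMAGE_TAG:-dockeronly}`, and have tag_and_upload.sh export that tag. The `control` service mounts `/var/run/docker.sock` (root-equivalent on the host) and now also bind-mounts `./docker-compose.yml` read-write; since commander only runs `docker-compose` commands against it, `./docker-compose.yml:/opt/boulder/docker-compose.yml:ro` stops the controller from rewriting its own deployment definition. `bconsul` is the only long-running service without `restart: always` and a `logging` block, which looks like an oversight next to the other five.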

89
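--- a/build/tag_and_upload.sh
+++ b/build/tag_and_upload.sh
@@ -0,0 +1,89 @@
+#!/bin/bash -e
+set -euo pipefail
+cd $(dirname $0)
+REPO_BASE="hakwerk/labca"
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
+TAG=$(git describe --always --tags 2>/dev/null)
+[[ $TAG == v* ]] && TAG="${TAG:1}" || /bin/true
+else
+TAG=$BRANCH
+fi
+LABCA_GUI_TAG="${REPO_BASE}-gui:$TAG"
+LABCA_GUI_LATEST="${REPO_BASE}-gui:latest"
+LABCA_BOULDER_TAG="${REPO_BASE}-boulder:$TAG"
+LABCA_BOULDER_LATEST="${REPO_BASE}-boulder:latest"
+LABCA_CONTROL_TAG="${REPO_BASE}-control:$TAG"
+LABCA_CONTROL_LATEST="${REPO_BASE}-control:latest"
+die() {
+echo $1
+exit 1
+}
+cp -rp ../gui/setup.sh tmp/admin/
+[ -f "tmp/labca-gui" ] || die "LabCA binary does not exist!"
+docker build -f Dockerfile-gui -t $LABCA_GUI_TAG .
+if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
+ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk '{print $3}')"
+docker tag "$ID" $LABCA_GUI_LATEST
+fi
+cnt=$(ls -1 tmp/bin | wc -l)
+[ $cnt -gt 20 ] || die "Only found $cnt boulder binaries!" # ?? still correct??
+docker build -f Dockerfile-boulder -t $LABCA_BOULDER_TAG .
+if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
+ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk '{print $3}')"
+docker tag "$ID" $LABCA_BOULDER_LATEST
+fi
+cp -rp ../acme_tiny.py tmp/
+cp -rp ../backup tmp/
+cp -rp ../checkcrl tmp/
+cp -rp ../checkrenew tmp/
+cp -rp ../commander tmp/
+cp -rp ../control_do.sh tmp/control.sh
+cp -rp ../cron_d tmp/
+cp -rp ../mailer tmp/
+cp -rp ../renew tmp/
+cp -rp ../restore tmp/
+cp -rp ../utils.sh tmp/
+docker build -f Dockerfile-control -t $LABCA_CONTROL_TAG .
+if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
+ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk '{print $3}')"
+docker tag "$ID" $LABCA_CONTROL_LATEST
+fi
+echo
+if [ "$BRANCH" != "master" ] || [ "$BRANCH" == "main" ]; then
+echo "Not pushing to Dockerhub..."
+exit
+fi
+echo "Image ready, please login to allow Dockerhub push"
+echo TODO docker login
+echo
+echo "Pushing ${LABCA_GUI_TAG} to Dockerhub"
+echo TODO docker push ${LABCA_GUI_TAG}
+echo "Pushing ${LABCA_BOULDER_TAG} to Dockerhub"
+echo TODO docker push ${LABCA_BOULDER_TAG}
+echo "Pushing ${LABCA_CONTROL_TAG} to Dockerhub"
+echo TODO docker push ${LABCA_CONTROL_TAG}
+if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
+echo "Pushing ${LABCA_GUI_LATEST} to Dockerhub"
+echo TODO docker push ${LABCA_GUI_LATEST}
+echo "Pushing ${LABCA_BOULDER_LATEST} to Dockerhub"
+echo TODO docker push ${LABCA_BOULDER_LATEST}
+echo "Pushing ${LABCA_CONTROL_LATEST} to Dockerhub"
+echo TODO docker push ${LABCA_CONTROL_LATEST}
+fi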
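Review bot: The push guard `if [ "$BRANCH" != "master" ] || [ "$BRANCH" == "main" ]; then` is inverted for `main`: there the second test is true, so the script prints "Not pushing to Dockerhub..." and exits, and a main branch can never publish; it should read `if [ "$BRANCH" != "master" ] && [ "$BRANCH" != "main" ]; then`, after which the trailing `if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]` around the `latest` pushes is always true and can go. The `:latest` tagging resolves an image id through `docker images | grep … | grep -v latest | head -n 1 | awk`, which picks whichever matching image is listed first rather than the one just built; `docker tag "$LABCA_GUI_TAG" "$LABCA_GUI_LATEST"` (and likewise for boulder and control) is exact and needs no parsing. The `cnt -gt 20` sanity check carries a `# ?? still correct??` comment and the login/push commands are still `echo TODO` placeholders, so a header comment stating that this script currently builds and tags only would save the next reader from assuming images were published.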

145
build/tmp.patch Normal file

@@ -0,0 +1,145 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index cfdcc784a..b50c8b18d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,8 +1,9 @@
version: '3'
+name: labca
services:
boulder:
# Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.3_2023-04-04}
+ image: hakwerk/labca-boulder:dockeronly
environment:
# To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
# to the IP address where your ACME client's solver is listening.
@@ -11,12 +12,10 @@ services:
BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
GOFLAGS: -mod=vendor
volumes:
- - .:/opt/boulder:cached
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/nginx_data/static:/opt/wwwstatic
- - ./.gocache:/root/.cache/go-build:cached
- - ./.hierarchy:/hierarchy/:cached
- - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+ - boulder_data:/opt/boulder/labca
+ - nginx_html:/opt/wwwstatic
+ #- ./.hierarchy:/hierarchy/:cached
+ - softhsm:/var/lib/softhsm/tokens:cached
networks:
bluenet:
ipv4_address: 10.77.77.77
@@ -40,6 +39,7 @@ services:
depends_on:
- bmysql
- bconsul
+ - control
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
logging:
@@ -74,30 +74,32 @@ services:
bconsul:
image: hashicorp/consul:1.13.1
+ depends_on:
+ - control
volumes:
- - ./test/:/test/:cached
+ - boulder_data:/opt/boulder/labca
networks:
consulnet:
ipv4_address: 10.55.55.10
- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
gui:
- image: *boulder_image
+ image: hakwerk/labca-gui:dockeronly
networks:
- bluenet
volumes:
- - /home/labca/admin:/go/src/labca
- - ./.gocache:/root/.cache/go-build
- - /home/labca/nginx_data/static:/opt/wwwstatic
- - /home/labca/backup:/opt/backup
- - .:/opt/boulder
- - /home/labca/boulder_labca:/opt/boulder/labca
+ - ldata:/opt/labca/data
+ - nginx_html:/opt/wwwstatic
+ - backup:/opt/backup
+ #- .:/boulder
+ - boulder_data:/opt/boulder/labca
expose:
- 3000
depends_on:
- bmysql
- working_dir: /go/src/labca
- command: ./setup.sh
+ - control
+ working_dir: /opt/labca
+ command: bin/labca-gui
logging:
driver: "json-file"
options:
@@ -114,37 +116,45 @@ services:
- 80:80
- 443:443
volumes:
- - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
- - /home/labca/nginx_data/ssl:/etc/nginx/ssl
- - /home/labca/nginx_data/static:/var/www/html
+ - nginx_conf:/etc/nginx/conf.d
+ - nginx_ssl:/etc/nginx/ssl
+ - nginx_html:/var/www/html
+ depends_on:
+ - control
control:
- image: *boulder_image
+ image: hakwerk/labca-control:dockeronly
networks:
- bluenet
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- - /home/labca/admin/data:/opt/labca/data
- - /home/labca/admin/data:/opt/labca/gui/data
- - /home/labca/admin/bin:/opt/labca/bin
- - /home/labca/labca:/opt/labca
- - /home/labca/backup:/opt/backup
- - /home/labca/control_logs:/opt/logs
- - .:/opt/boulder
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
- - /home/labca/nginx_data/ssl:/etc/nginx/ssl
- - /home/labca/nginx_data/static:/var/www/html
+ - ./docker-compose.yml:/opt/boulder/docker-compose.yml
+ - ldata:/opt/labca/data
+ - backup:/opt/backup
+ - logs:/opt/logs
+ - boulder_data:/opt/boulder/labca
+ - nginx_conf:/etc/nginx/conf.d
+ - nginx_ssl:/etc/nginx/ssl
+ - nginx_html:/var/www/html
expose:
- 3030
environment:
LABCA_FQDN: ${LABCA_FQDN:-notset}
+ #privileged: true
working_dir: /opt/labca
command: ./control.sh
restart: always
volumes:
dbdata:
+ nginx_conf:
+ nginx_ssl:
+ nginx_html:
+ boulder_data:
+ ldata:
+ backup:
+ logs:
+ softhsm:
networks:
bluenet:
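Review bot: build/tmp.patch and build/tmp2.patch are committed as regular files, yet nothing else in this commit references them: build/build.sh applies `$cloneDir/patch.sh` and `patch-cfg.sh`, and the compose changes in tmp.patch are already present verbatim in build/docker-compose.yml. They look like scratch output from preparing this change (tmp2.patch stubs `install()` in test/startservers.py to `return True`, which would skip Boulder's build step when the test harness runs). If they are meant to be applied, the script that applies them should be part of the commit and each patch should start with a comment line saying what it patches and when; otherwise they belong under the now-ignored build/tmp/ directory or should be dropped.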

14
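--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -0,0 +1,14 @@
+diff --git a/test/startservers.py b/test/startservers.py
+index 6aa2f9a..7d17d7f 100644
+--- a/test/startservers.py
++++ b/test/startservers.py
+@@ -159,6 +159,9 @@ def setupHierarchyOriginal():
+def install(race_detection):
++ return True
++
++def installOriginal(race_detection):
+# Pass empty BUILD_TIME and BUILD_ID flags to avoid constantly invalidating the
+# build cache with new BUILD_TIMEs, or invalidating it on merges with a new
+# BUILD_ID.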


@@ -7,7 +7,7 @@ if [ crl/ -nt certs/index.html ]; then
echo "Updating certs/index.html with latest CRL info..."
PKI_ROOT_CERT_BASE="crl/root-ca"
PKI_ISSUER_NAME_ID=$(grep issuer_name_id /admin/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g')
PKI_ISSUER_NAME_ID=$(grep issuer_name_id /opt/labca/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g')
PKI_ROOT_CRL_VALIDITY=""
if [ -e "$PKI_ROOT_CERT_BASE.crl" ]; then


@@ -10,5 +10,5 @@ echo "Running cron-$(basename $0) for ${TODAY}..."
if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /etc/nginx/ssl/labca_cert.pem`; then
echo " renewing!"
cp -p /etc/nginx/ssl/labca_cert.pem /etc/nginx/ssl/labca_cert_$TODAY.pem
/labca/renew
/opt/labca/renew
fi


@@ -2,7 +2,7 @@
set -euo pipefail
LOGFILE=/logs/commander.log
LOGFILE=/opt/logs/commander.log
err_report() {
echo "ERROR! On line $1 in commander script"
@@ -38,8 +38,8 @@ function wait_server() {
read txt
case $txt in
"docker-restart")
cd /boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul labca nginx &>>$LOGFILE
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul gui nginx &>>$LOGFILE
sleep 45
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_CONSUL 2 &>>$LOGFILE
@@ -53,32 +53,32 @@ case $txt in
[ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem
san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:)
openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr
url=$(grep 'DEFAULT_DIRECTORY_URL =' /labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
wait_server $url
sleep 10
/labca/renew
ln -sf /labca/cron_d /etc/cron.d/labca
ln -sf /labca/logrotate_d /etc/logrotate.d/labca
/opt/labca/renew
ln -sf /opt/labca/cron_d /etc/cron.d/labca
ln -sf /opt/labca/logrotate_d /etc/logrotate.d/labca
;;
"acme-change")
read fqdn
cd /etc/nginx/ssl
openssl genrsa 4096 > labca_key.pem
openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr
url=$(grep 'DEFAULT_DIRECTORY_URL =' /labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
wait_server $url
sleep 10
/labca/renew
/opt/labca/renew
;;
"nginx-remove-redirect")
perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf
;;
"nginx-reload")
cd /boulder
cd /opt/boulder
docker-compose exec -T nginx nginx -s reload &>>$LOGFILE
;;
"nginx-restart")
cd /boulder
cd /opt/boulder
docker-compose restart nginx &>>$LOGFILE
;;
"log-cert")
@@ -90,51 +90,51 @@ case $txt in
exit 0
;;
"log-control-notail")
cd /boulder
cd /opt/boulder
docker-compose logs --no-color --tail=50 control
;;
"log-cron")
[ -f /logs/cron.log ] && tail -n200 -f /logs/cron.log || /bin/true
[ -f /opt/logs/cron.log ] && tail -n200 -f /opt/logs/cron.log || /bin/true
exit 0
;;
"log-boulder")
cd /boulder
cd /opt/boulder
docker-compose logs -f --no-color --tail=50 boulder
;;
"log-boulder-notail")
cd /boulder
cd /opt/boulder
docker-compose logs --no-color --tail=50 boulder
;;
"log-audit")
cd /boulder
cd /opt/boulder
docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -50
docker-compose logs -f --no-color --tail=0 boulder | grep "\[AUDIT\]"
;;
"log-activity")
cd /boulder
cd /opt/boulder
echo "GMT"
docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -15
exit 0
;;
"log-labca")
cd /boulder
docker-compose logs -f --no-color --tail=50 labca
cd /opt/boulder
docker-compose logs -f --no-color --tail=50 gui
;;
"log-labca-notail")
cd /boulder
docker-compose logs --no-color --tail=50 labca
cd /opt/boulder
docker-compose logs --no-color --tail=50 gui
;;
"log-web")
cd /boulder
cd /opt/boulder
docker-compose logs -f --no-color --tail=50 nginx
;;
"log-components")
nginx=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -nginx-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
svc=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -control-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
nginx=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -nginx-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
svc=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -control-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
boulder=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -boulder-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -labca-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- labca-gui) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
mysql=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bmysql-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
echo "$nginx|$svc|$boulder|$labca|$mysql|$consul"
exit 0
;;
@@ -145,21 +145,21 @@ case $txt in
exit 0
;;
"log-stats")
docker stats --no-stream -a | grep " boulder-"
docker stats --no-stream -a | grep " labca-"
;;
"revoke-cert")
read serial
read reasonCode
cd /boulder
cd /opt/boulder
docker-compose exec -T boulder bin/admin-revoker serial-revoke --config labca/config/admin-revoker.json $serial $reasonCode 2>&1
;;
"test-email")
read recipient
cd /boulder
cd /opt/boulder
docker-compose exec -T boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
;;
"boulder-start")
cd /boulder
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d bmysql bconsul
wait_up $PS_MYSQL &>>$LOGFILE
wait_up $PS_CONSUL 2 &>>$LOGFILE
@@ -167,7 +167,7 @@ case $txt in
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"boulder-stop")
cd /boulder
cd /opt/boulder
docker-compose stop boulder
docker-compose stop bmysql bconsul
wait_down $PS_MYSQL &>>$LOGFILE
@@ -175,7 +175,7 @@ case $txt in
wait_down $PS_BOULDER &>>$LOGFILE
;;
"boulder-restart")
cd /boulder
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul &>>$LOGFILE
sleep 30
wait_up $PS_MYSQL &>>$LOGFILE
@@ -183,48 +183,48 @@ case $txt in
wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
;;
"labca-restart")
cd /boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart labca
cd /opt/boulder
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart gui
sleep 15
wait_up $PS_LABCA &>>$LOGFILE
;;
"mysql-restart")
cd /boulder
cd /opt/boulder
set +e
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart bmysql
set -e
;;
"consul-restart")
cd /boulder
cd /opt/boulder
set +e
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart bconsul
set -e
;;
"svc-restart")
cd /boulder
cd /opt/boulder
set +e
COMPOSE_HTTP_TIMEOUT=120 docker-compose restart control
set -e
;;
"log-backups")
ls -1tr /backup || /bin/true
ls -1tr /opt/backup || /bin/true
exit 0
;;
"log-server-backup")
/labca/backup
/opt/labca/backup
exit 0
;;
"backup-delete")
read backup
rm -f /backup/$backup
rm -f /opt/backup/$backup
;;
"backup-restore")
read backup
/labca/restore "$backup"
/opt/labca/restore "$backup"
;;
"server-restart")
cd /boulder
nohup docker-compose restart labca & >/dev/null
cd /opt/boulder
nohup docker-compose restart gui & >/dev/null
nohup docker-compose restart nginx & >/dev/null
set +e
nohup docker-compose restart control & >/dev/null
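Review bot: In the `server-restart` case the new line `nohup docker-compose restart gui & >/dev/null` backgrounds the command before the redirect is parsed, so `>/dev/null` applies to an empty command and nohup writes its output to a nohup.out file in /opt/boulder; the nginx and control lines below it have the same shape. The redirect has to come before `&`: `nohup docker-compose restart gui >/dev/null 2>&1 &`. In `log-components` the rewritten lines now filter `depends_on` out of the `docker inspect` dump but still locate the start time by grepping `started` case-insensitively through the whole JSON, so any other key or value containing that word breaks the field; `docker inspect --format '{{.State.StartedAt}}' <name>` returns the timestamp directly and removes the two `sed` passes. The enclosing `case $txt in` starts before this hunk.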


@@ -4,15 +4,15 @@ set -e
get_fqdn() {
local file_fqdn=""
if [ -e /admin/data/config.json ]; then
file_fqdn=$(grep fqdn /admin/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
if [ -e /opt/labca/data/config.json ]; then
file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
fi
if [ "$file_fqdn" == "" ]; then
if [ "$LABCA_FQDN" == "notset" ]; then
echo "ERROR: environment variable LABCA_FQDN is not set!"
exit 1
else
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /admin/data/config.json
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json
fi
elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
@@ -65,7 +65,7 @@ renew_near_expiry() {
if [ "$hash" == "$issuer_hash" ]; then
selfsigned_cert
else
echo "acme-request" | /labca/commander
echo "acme-request" | /opt/labca/commander
fi
fi
popd >/dev/null
@@ -75,10 +75,10 @@ renew_near_expiry() {
start_cron() {
apt update
apt install -y cron
[ -e /boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /labca/cron_d /etc/cron.d/labca || true
chmod g-w /labca/cron_d
[ -e /logs/cron.log ] || touch /logs/cron.log
tail -f -n0 /logs/cron.log &
[ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true
chmod g-w /opt/labca/cron_d
[ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log
tail -f -n0 /opt/logs/cron.log &
service cron start
}
@@ -86,12 +86,15 @@ start_cron() {
serve_commander() {
apt update
apt install -y ucspi-tcp
cd /opt/boulder/labca
/opt/labca/gui/apply-boulder
cd -
echo "Start serving commander script..."
tcpserver 0.0.0.0 3030 /labca/commander
tcpserver 0.0.0.0 3030 /opt/labca/commander
}
main() {
mkdir -p /logs
mkdir -p /opt/logs
get_fqdn
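Review bot: `serve_commander` now runs `/opt/labca/gui/apply-boulder`, while the new Dockerfile-control copies that script to `/opt/labca/apply-boulder` and control_do.sh calls it at that path; if control.sh is only used for the non-docker-only install this is presumably the host layout, but a comment naming which layout each of the two scripts targets would stop them from drifting apart silently. `cd -` prints the directory it returns to on stdout, so the container log gets a stray `/opt/labca` line at start-up; `pushd /opt/boulder/labca >/dev/null` … `popd >/dev/null`, the pattern `renew_near_expiry` already uses, keeps the output clean. The function continues to run `apt update` and `apt install -y ucspi-tcp` on every start, which only makes sense when the packages are not baked into an image, so that too deserves a one-line comment.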

115
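--- a/control_do.sh
+++ b/control_do.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+set -e
+get_fqdn() {
+local file_fqdn=""
+if [ -e /opt/labca/data/config.json ]; then
+file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
+fi
+if [ "$file_fqdn" == "" ]; then
+if [ "$LABCA_FQDN" == "notset" ]; then
+echo "ERROR: environment variable LABCA_FQDN is not set!"
+exit 1
+else
+echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json
+fi
+elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
+echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
+export LABCA_FQDN=$file_fqdn
+fi
+}
+setup_boulder_data() {
+cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/
+cd /opt/boulder/labca
+/opt/labca/apply-boulder
+}
+setup_nginx_data() {
+rm -f /etc/nginx/conf.d/default.conf
+cp -p /opt/staging/nginx.conf /etc/nginx/conf.d/labca.conf
+cp -p /opt/staging/proxy.conf /etc/nginx/conf.d/proxy.conf
+[ -e /opt/boulder/labca/setup_complete ] && perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf || true
+cd /var/www/html
+mkdir -p .well-known/acme-challenge
+find .well-known/acme-challenge/ -type f -mtime +10 -exec rm {} \; # Clean up files older than 10 days
+mkdir -p crl
+[ -e cert ] || ln -s certs cert
+cp -rp /opt/staging/static/* .
+[ -e /opt/labca/data/root-ca.crl ] && cp /opt/labca/data/root-ca.crl crl/ || true
+[ -e /opt/labca/data/root-ca.pem ] && cp /opt/labca/data/root-ca.pem certs/ || true
+[ -e /opt/labca/data/root-ca.der ] && cp /opt/labca/data/root-ca.der certs/ || true
+[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.pem certs/ || true
+[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.der certs/ || true
+if [ ! -e /etc/nginx/ssl/labca_cert.pem ]; then
+pushd /etc/nginx/ssl >/dev/null
+openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
+-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
+-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
+popd >/dev/null
+fi
+/opt/labca/apply-nginx
+}
+setup_labca_data() {
+cd /opt/labca/data
+cp -rp /opt/staging/data/* .
+}
+selfsigned_cert() {
+pushd /etc/nginx/ssl >/dev/null
+openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
+-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
+-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
+popd >/dev/null
+}
+renew_near_expiry() {
+pushd /etc/nginx/ssl >/dev/null
+if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then
+hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem)
+issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem)
+if [ "$hash" == "$issuer_hash" ]; then
+selfsigned_cert
+else
+echo "acme-request" | /opt/labca/commander
+fi
+fi
+popd >/dev/null
+}
+start_cron() {
+[ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true
+chmod g-w /opt/labca/cron_d
+[ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log
+tail -f -n0 /opt/logs/cron.log &
+service cron start
+}
+serve_commander() {
+echo "Start serving commander script..."
+tcpserver 0.0.0.0 3030 /opt/labca/commander
+}
+main() {
+get_fqdn
+setup_boulder_data
+setup_nginx_data
+setup_labca_data
+[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert
+renew_near_expiry
+start_cron
+serve_commander
+}
+main "$@"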
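Review bot: In `setup_nginx_data` the line `[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.der certs/ || true` tests the .pem but copies the .der, so when only the .pem exists `cp` fails, `|| true` hides it, and the DER download is silently missing from the web root; the test should be `[ -e /opt/labca/data/issuer/ca-int.der ]`. The `if [ ! -e /etc/nginx/ssl/labca_cert.pem ]` block in the same function is a verbatim copy of `selfsigned_cert`, which is defined further down but is already defined by the time `main` runs, so the block can be replaced by `[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert` — the exact line `main` executes a few steps later anyway, which makes the inline copy redundant. `expires=` in `renew_near_expiry` is assigned and never read; `if ! openssl x509 -checkend 86400 -noout -in … >/dev/null; then` states the intent. `tcpserver 0.0.0.0 3030 /opt/labca/commander` appears to accept commands from any peer on the compose network without authentication, and the container holds the docker socket, so a header comment should record that the port must only ever be reachable via `expose`, never `ports`.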

8
cron_d

@@ -2,7 +2,7 @@
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
1 6 * * Mon root /labca/backup cron &>>/logs/cron.log
1 7 * * * root /labca/mailer &>>/logs/cron.log
5 7 * * * root /labca/checkrenew &>>/logs/cron.log
*/5 * * * * root /labca/checkcrl &>>/logs/cron.log
1 6 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log
1 7 * * * root /opt/labca/mailer &>>/opt/logs/cron.log
5 7 * * * root /opt/labca/checkrenew &>>/opt/logs/cron.log
*/5 * * * * root /opt/labca/checkcrl &>>/opt/logs/cron.log


@@ -8,7 +8,7 @@ dataDir="$baseDir/data"
export PKI_ROOT_CERT_BASE="$dataDir/root-ca"
export PKI_INT_CERT_BASE="$dataDir/issuer/ca-int"
cd /wwwstatic
cd /opt/wwwstatic
$baseDir/apply-nginx
@@ -19,5 +19,5 @@ cp $PKI_INT_CERT_BASE.pem certs/
cp $PKI_INT_CERT_BASE.der certs/
cd /boulder/labca
cd /opt/boulder/labca
$baseDir/apply-boulder


@@ -454,7 +454,7 @@ func parseDockerStats(data string) []AjaxStat {
if strings.Contains(docker.Name, "-bconsul-") {
stat.Name = "Consul (Boulder)"
}
if strings.Contains(docker.Name, "-labca-") {
if strings.Contains(docker.Name, "labca-gui-") {
stat.Name = "LabCA Application"
}
if strings.Contains(docker.Name, "-control-") {
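Review bot: The new match string `labca-gui-` drops the leading dash that the neighbouring `-bconsul-` and `-control-` checks keep, and nothing on the new side says why. Presumably the compose project is now named `labca` (install's `startup` rewrites `name: labca` into docker-compose.yml in this commit), so the container is `labca-gui-1` with no prefix ahead of the service name; the shell `count()` helper in this commit uses the same bare `grep -- labca-gui-`. A one-line comment above the check, `// the gui service runs in the "labca" compose project, so its container is named labca-gui-N (no leading dash)`, would save the next reader the cross-reference. parseDockerStats continues outside the hunk.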


@@ -1866,7 +1866,7 @@ func _setupAdminUser(w http.ResponseWriter, r *http.Request) bool {
}
defer file.Close()
out, err := os.Create("/backup/" + header.Filename)
out, err := os.Create("/opt/backup/" + header.Filename)
if err != nil {
fmt.Println(err)
reg.Errors["File"] = "Could not create local file"
@@ -2861,6 +2861,9 @@ func init() {
version = standaloneVersion
} else {
version = viper.GetString("version")
if version == "" {
version = standaloneVersion
}
}
webTitle = viper.GetString("labca.web_title")
@@ -2927,7 +2930,7 @@ func main() {
r.HandleFunc("/certificates/{id}", certificateHandler).Methods("GET")
r.HandleFunc("/certificates/{id}", certRevokeHandler).Methods("POST")
r.PathPrefix("/backup/").Handler(http.StripPrefix("/backup/", http.FileServer(http.Dir("/backup"))))
r.PathPrefix("/backup/").Handler(http.StripPrefix("/backup/", http.FileServer(http.Dir("/opt/backup"))))
r.NotFoundHandler = http.HandlerFunc(notFoundHandler)
if viper.GetBool("standalone") || isDev {
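Review bot: `os.Create("/opt/backup/" + header.Filename)` builds the destination path directly from the client-supplied upload filename, and the commit only changes the directory prefix. Since Go 1.17 mime/multipart applies filepath.Base to FileHeader.Filename, so on the Go 1.20 toolchain this commit pins for boulder-tools a directory component is already stripped by the standard library, but the handler relies on that silently; an explicit `name := filepath.Base(header.Filename)`, a rejection of `.`, `..` and the empty name, and `os.Create(filepath.Join("/opt/backup", name))` make the intent visible and survive a toolchain change. Separately, the `/backup/` route now serves `/opt/backup` through http.FileServer, which also renders directory listings, and the backup script in this commit writes nginx private keys and a database dump into that directory; assuming the route sits behind the admin authentication, a comment saying so at the `r.PathPrefix("/backup/")` line is worth adding. _setupAdminUser and main both continue outside their hunks.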


@@ -8,7 +8,7 @@ set -e
if [ ! -e bin/labca-gui ]; then
go mod download
go build -buildvcs=false -o bin/labca-gui
go build -buildvcs=false -o bin/labca-gui -ldflags="-X 'main.standaloneVersion=$GIT_VERSION'"
fi
export DEBIAN_FRONTEND=noninteractive
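Review bot: The `go build` that now embeds `main.standaloneVersion` only runs when `bin/labca-gui` is absent (`if [ ! -e bin/labca-gui ]`), so once a binary exists the embedded version is never refreshed even when `$GIT_VERSION` changes, and the Go fallback added in this commit (`version = standaloneVersion` when the viper `version` is empty) will then report a stale value. Either rebuild when `$GIT_VERSION` differs from the value recorded at the previous build, or state the limitation next to the condition, e.g. `# NOTE: built once; remove bin/labca-gui to refresh the embedded version`. An unset `$GIT_VERSION` also yields an empty `standaloneVersion`, which the new fallback cannot tell apart from "no version configured"; a guard such as `: "${GIT_VERSION:?GIT_VERSION must be set}"` before the build would surface that early.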

187
install

@@ -16,15 +16,16 @@ err_report() {
#
# Variables / Constants
#
baseDir=/home/labca
logDir="$baseDir/logs"
installMode=${installMode:-normal}
baseDir=${baseDir:-/home/labca}
logDir=${logDir:-"$baseDir/logs"}
runId="`date +%y%m%d-%H%M%S`"
installLog="$logDir/install-${runId}.log"
logTimeFormat="+%Y-%m-%d %T.%3N"
cloneDir="$baseDir/labca"
adminDir="$baseDir/admin"
boulderDir="$baseDir/boulder"
boulderLabCADir="${boulderDir}_labca"
cloneDir=${cloneDir:-"$baseDir/labca"}
adminDir=${adminDir:-"$baseDir/admin"}
boulderDir=${boulderDir:-"$baseDir/boulder"}
boulderLabCADir=${boulderLabCADir:-"${boulderDir}_labca"}
dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
@@ -64,6 +65,7 @@ cmdlineFqdn=""
cmdlineBranch=""
fullCmdline=""
keepLocal=0
alphaTest=0
#
# Helper functions for informing the user and logging to file
@@ -175,7 +177,14 @@ pull_repo() {
msg_info "$msg"
sudo -u labca -H git stash --all --quiet &>>$installLog || true
sudo -u labca -H git clean --quiet --force -d &>>$installLog || true
sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || msg_fatal "Could not update local repository"
sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || (
if [ "$dir" == "$GOPATH/src/github.com/letsencrypt/boulder" ]; then
sudo -u labca -H git reset --hard $boulderTag &>>$installLog && msg_ok "$msg" || msg_fatal "Could not reset local repository"
sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || msg_fatal "Could not update local repository (after reset)"
else
msg_fatal "Could not update local repository"
fi
)
if [ "$branch" != "" ]; then
cd "$dir"
@@ -265,7 +274,7 @@ prompt_and_export() {
# Parse the command line options, if any
parse_cmdline() {
fullCmdline="$@"
local parsed=$(getopt --options=n:,b:,k --longoptions=name:,fqdn:,branch:,keep --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters"
local parsed=$(getopt --options=n:,b:,k,t --longoptions=name:,fqdn:,branch:,keep,test --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters"
eval set -- "$parsed"
while true; do
case "$1" in
@@ -284,6 +293,11 @@ parse_cmdline() {
shift 1
msg_ok "option: keeping local version as is"
;;
-t|--test)
alphaTest=1
shift 1
msg_ok "option: INCLUDING ALPHA TEST STEPS"
;;
--)
shift
break
@@ -496,7 +510,7 @@ static_web() {
[ -e $adminDir/data/root-ca.pem ] && cp $adminDir/data/root-ca.pem certs/ || true
[ -e $adminDir/data/root-ca.der ] && cp $adminDir/data/root-ca.der certs/ || true
[ -e $adminDir/data/issuer/ca-int.pem ] && cp $adminDir/data/issuer/ca-int.pem certs/ || true
[ -e $adminDir/data/issuer/ca-int.pem ] && cp $adminDir/data/issuer/ca-int.der certs/ || true
[ -e $adminDir/data/issuer/ca-int.der ] && cp $adminDir/data/issuer/ca-int.der certs/ || true
local have_config=$(grep restarted $adminDir/data/config.json | grep true)
if [ "$have_config" != "" ]; then
@@ -566,12 +580,12 @@ config_boulder() {
[ -d ".backup" ] || mkdir -p ".backup"
git add --all &>/dev/null || true
git commit --all --quiet -m "LabCA before update $runId" &>>$installLog && { msg_ok "Commit existing modifications of $boulderLabCADir"; msg_info "$msg"; } || true
[ "$installMode" == "normal" ] && git commit --all --quiet -m "LabCA before update $runId" &>>$installLog && { msg_ok "Commit existing modifications of $boulderLabCADir"; msg_info "$msg"; } || true
[ ! -e "$boulderLabCADir/secrets/smtp_password" ] || mv "$boulderLabCADir/secrets/smtp_password" "$boulderLabCADir/secrets/smtp_password_PRESERVE"
cp -r "$boulderDir/test" -T "$boulderLabCADir" &>>$installLog
[ ! -e "$boulderLabCADir/secrets/smtp_password_PRESERVE" ] || mv "$boulderLabCADir/secrets/smtp_password_PRESERVE" "$boulderLabCADir/secrets/smtp_password"
chown -R labca:labca "$boulderLabCADir"
[ "$installMode" == "normal" ] && chown -R labca:labca "$boulderLabCADir" || /bin/true
rm -rf authz-filler challtestsrv gsb-test-srv
@@ -580,7 +594,14 @@ config_boulder() {
msg_info "$msg"
cd "$boulderDir"
$cloneDir/patch.sh "sudo -u labca -H" &>>$installLog
if [ "$installMode" == "normal" ]; then
$cloneDir/patch.sh "sudo -u labca -H" &>>$installLog
sed -i -e "s/LABCA_FQDN: .*/LABCA_FQDN: $LABCA_FQDN/" docker-compose.yml
else
$cloneDir/patch.sh &>>$installLog
fi
git config --global --add safe.directory /home/labca/boulder_labca
cp docker-compose.yml "$boulderLabCADir/.backup/"
cp cmd/shell.go "$boulderLabCADir/.backup/"
@@ -602,7 +623,11 @@ config_boulder() {
cp sa/db/boulder_sa/20210223140000_CombinedSchema.sql "$boulderLabCADir/.backup/"
cp Makefile "$boulderLabCADir/.backup/"
$cloneDir/patch-cfg.sh "sudo -u labca -H" "$boulderLabCADir" &>>$installLog
if [ "$installMode" == "normal" ]; then
$cloneDir/patch-cfg.sh "sudo -u labca -H" "$boulderLabCADir" &>>$installLog
else
$cloneDir/patch-cfg.sh " " "$boulderLabCADir" &>>$installLog
fi
mkdir -p $baseDir/backup
[ -z "$(docker ps | grep boulder-bmysql-1)" ] || docker exec -i boulder-bmysql-1 mysqldump boulder_sa_integration >$baseDir/backup/dbdata-${runId}.sql
@@ -611,75 +636,32 @@ config_boulder() {
rm $file
done
cd "$boulderLabCADir"
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" v2_integration.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
sed -i -e "s/5001/443/g" config/va.json
sed -i -e "s/5002/80/g" config/va.json
sed -i -e "s/5001/443/g" config/va-remote-a.json
sed -i -e "s/5002/80/g" config/va-remote-a.json
sed -i -e "s/5001/443/g" config/va-remote-b.json
sed -i -e "s/5002/80/g" config/va-remote-b.json
sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
if [ "$flag_skip_redis" == true ]; then
sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
if [ "$installMode" == "normal" ]; then
cd "$boulderLabCADir"
sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
cd "$boulderDir"
fi
for file in `find . -type f | grep -v .git`; do
sed -i -e "s|test/|labca/|g" $file
done
sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl
rm test-ca2.pem
([ -e mock-vendor.go ] && rm mock-vendor.go) || /bin/true
([ -e test-tools.go ] && rm test-tools.go) || /bin/true
local have_config=$(grep restarted $adminDir/data/config.json | grep true)
if [ "$have_config" != "" ]; then
$adminDir/apply-boulder &>>$installLog
else
chown -R labca:labca "$boulderLabCADir"
if [ "$installMode" == "normal" ]; then
local have_config=$(grep restarted $adminDir/data/config.json 2>/dev/null | grep true)
if [ "$have_config" != "" ]; then
$adminDir/apply-boulder &>>$installLog
else
chown -R labca:labca "$boulderLabCADir" || /bin/true
fi
fi
git add --all &>/dev/null || true
git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true
[ "$installMode" == "normal" ] && git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true
msg_ok "$msg"
}
@@ -723,6 +705,10 @@ startup() {
local msg="Restart docker containers and service"
cd "$boulderDir"
let num=$(docker ps -a | grep " boulder-" | wc -l)
if [ $num -eq 0 ]; then
perl -i -p0e "s/(version:.*\n).*\n?(services:\n)/\1name: labca\n\2/" docker-compose.yml
fi
cnt=$(docker-compose ps | wc -l)
if [ "$cnt" -le "2" ]; then
msg="Download docker images and build containers"
@@ -735,11 +721,18 @@ startup() {
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
[ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
done
if [ $num -ne 0 ]; then
docker-compose stop control &>>$installLog || true
fi
wait_down $PS_NGINX &>>$installLog || true
wait_down $PS_MYSQL &>>$installLog || true
wait_down $PS_CONSUL &>>$installLog || true
wait_down $PS_LABCA &>>$installLog || true
wait_down $PS_BOULDER &>>$installLog || true
if [ $num -ne 0 ]; then
wait_down $PS_CONTROL &>>$installLog || true
cnt=0
fi
for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
[ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog
done
@@ -754,6 +747,9 @@ startup() {
[ -d /home/labca/control_logs ] || mkdir -p /home/labca/control_logs
perl -i -p0e "s/(version:.*\n).*\n?(services:\n)/\1name: labca\n\2/" docker-compose.yml
docker network rm boulder_bluenet boulder_consulnet boulder_rednet &>>$installLog || /bin/true
COMPOSE_HTTP_TIMEOUT=180 docker-compose up -d &>>$installLog
wait_up $PS_NGINX &>>$installLog || true
@@ -790,6 +786,20 @@ first_time() {
fi
}
check_dockeronly() {
set +e
wd=$(which docker)
set -e
if [ "$wd" != "" ]; then
let num=$(docker volume ls | grep labca_ | grep -v labca_dbdata | wc -l)
if [ $num -gt 0 ]; then
scriptname=$(basename $0)
echo "You can not run the $scriptname script when using dockeronly mode!"
exit 1
fi
fi
}
#
# The actual main function to tie it all together
#
@@ -797,6 +807,8 @@ main() {
local curdir="$PWD"
echo
check_dockeronly
start_temporary_log
check_root
install_pkg "git"
@@ -817,6 +829,22 @@ main() {
restart_if_updated
fi
if [ $alphaTest -eq 1 ]; then
install_extra
cd $(dirname $this)
local msg="TEST: build labca-gui binary"
msg_info "$msg"
# this will ultimately NOT be done on the target machine!
build/build.sh &>>$installLog || msg_fatal "Could not build docker images!"
msg_ok "$msg"
msg="TEST build local docker image"
msg_info "$msg"
build/tag_and_upload.sh &>>$installLog || msg_fatal "Could not tag (and upload) docker images!"
msg_ok "$msg"
msg_ok "That's it for now!"
exit 0
fi
get_fqdn
copy_admin
@@ -829,6 +857,15 @@ main() {
get_boulder
config_boulder
#if [ $alphaTest -eq 1 ]; then
# msg="TEST modify docker-compose.yml"
# msg_info "$msg"
# cd "$boulderDir"
# patch -p1 < $(dirname $this)/build/tmp.patch &>>$installLog
# patch -p1 -o "$boulderLabCADir/startservers.py" < $(dirname $this)/build/tmp2.patch
# msg_ok "$msg"
#fi
cleanup
startup
@@ -840,4 +877,4 @@ main() {
cd "$curdir"
}
main "$@"
[ "$installMode" == "normal" ] && main "$@" || /bin/true
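Review bot: In the new `check_dockeronly` the volume count is assigned with `let num=$(...)` immediately after `set -e` is re-enabled; `let` returns status 1 whenever the expression evaluates to 0, so a host that has docker but no `labca_` volumes — the ordinary non-dockeronly install — terminates the script at that line, and the `let num=$(docker ps -a ...)` in `startup` has the same problem wherever errexit is active. Use a plain assignment in both places, `num=$(docker volume ls | grep labca_ | grep -v labca_dbdata | wc -l)`. Two smaller points in this section: `git config --global --add safe.directory /home/labca/boulder_labca` hard-codes the path now that `boulderLabCADir` is overridable a few hunks earlier, so it should read `git config --global --add safe.directory "$boulderLabCADir"`; and the `ca-int.der` copy fix in `static_web` has a twin in this commit's new control script that still tests `ca-int.pem` before copying `ca-int.der`. In `pull_repo`, the `|| ( ... )` fallback runs `msg_fatal` inside a subshell, so the outer script stops only because that subshell is the last command of the list under errexit; `|| { ...; }` would make the intent explicit and not depend on that rule.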


@@ -1,5 +1,5 @@
/etc/nginx/ssl/*.log
/logs/cron-*.log
/opt/logs/cron-*.log
{
rotate 4
monthly

2
mailer

@@ -5,5 +5,5 @@ set -e
TODAY=`date '+%Y_%m_%d'`
echo "Running cron-$(basename $0) for ${TODAY}..."
cd /boulder
cd /opt/boulder
docker-compose exec -T boulder bin/expiration-mailer --config labca/config/expiration-mailer.json 2>&1


@@ -59,7 +59,7 @@ server {
location /admin/ {
include conf.d/proxy.conf;
proxy_set_header X-Request-Base "/admin";
proxy_pass http://labca:3000/;
proxy_pass http://gui:3000/;
error_page 502 504 /502.html;
}
@@ -68,7 +68,7 @@ server {
proxy_set_header X-Request-Base "/admin";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://labca:3000/ws;
proxy_pass http://gui:3000/ws;
}
location /acme/ {


@@ -39,3 +39,54 @@ if [ "$flag_skip_redis" == true ]; then
fi
for f in $(grep -l boulder-proxysql $boulderLabCADir/secrets/*); do sed -i -e "s/proxysql:6033/mysql:3306/" $f; done
cd "$boulderLabCADir"
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" v2_integration.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
sed -i -e "s/5001/443/g" config/va.json
sed -i -e "s/5002/80/g" config/va.json
sed -i -e "s/5001/443/g" config/va-remote-a.json
sed -i -e "s/5002/80/g" config/va-remote-a.json
sed -i -e "s/5001/443/g" config/va-remote-b.json
sed -i -e "s/5002/80/g" config/va-remote-b.json
sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json
sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json
sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
if [ "$flag_skip_redis" == true ]; then
sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh
fi
for file in `find . -type f | grep -v .git`; do
sed -i -e "s|test/|labca/|g" $file
done
sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl
rm test-ca2.pem
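Review bot: The file loop moved here, `for file in \`find . -type f | grep -v .git\`; do sed -i -e "s|test/|labca/|g" $file; done`, splits the `find` output on whitespace and filters with an unanchored, unescaped `.git`, which drops any path containing some character followed by `git`, not only the `.git` directory. `find . -type f -not -path './.git/*' -exec sed -i -e 's|test/|labca/|g' {} +` expresses the intent without the word-splitting and with an exact exclusion. The closing `rm test-ca2.pem` has no `-f`, so a second run of this script on an already-patched tree fails there if the script runs with errexit; `rm -f test-ca2.pem` keeps it idempotent. The enclosing script starts outside the hunk.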


@@ -13,6 +13,10 @@ if [ "$flag_skip_redis" == true ]; then
$SUDO patch -p1 < $cloneDir/patches/docker-compose-redis.patch
fi
$SUDO patch -p1 < $cloneDir/patches/docker-compose.patch
if [ "$SUDO" == "" ]; then
# TODO: should incorporate this into docker-compose.patch
$SUDO patch -p1 < $cloneDir/build/tmp.patch
fi
$SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
$SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
@@ -38,6 +42,10 @@ $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
$SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
$SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch
$SUDO patch -p1 < $cloneDir/patches/startservers.patch
if [ "$SUDO" == "" ]; then
# TODO: should include this into startservers.patch
$SUDO patch -p1 < $cloneDir/build/tmp2.patch
fi
$SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
$SUDO patch -p1 < $cloneDir/patches/updater_updater.patch


@@ -11,7 +11,7 @@ index 61f14d79..a620896f 100644
- "/hierarchy/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem"
],
+ "localStorePath": "/wwwstatic/crl",
+ "localStorePath": "/opt/wwwstatic/crl",
"s3Endpoint": "http://localhost:7890",
"s3Bucket": "lets-encrypt-crls",
"awsConfigFile": "test/config/crl-storer.ini",


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index 5699aa777..77ec97a16 100644
index 5699aa777..cfdcc784a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,10 +8,12 @@ services:
@@ -10,9 +10,10 @@ index 5699aa777..77ec97a16 100644
+ BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
GOFLAGS: -mod=vendor
volumes:
- .:/boulder:cached
+ - /home/labca/boulder_labca:/boulder/labca
+ - /home/labca/nginx_data/static:/wwwstatic
- - .:/boulder:cached
+ - .:/opt/boulder:cached
+ - /home/labca/boulder_labca:/opt/boulder/labca
+ - /home/labca/nginx_data/static:/opt/wwwstatic
- ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
@@ -33,8 +34,9 @@ index 5699aa777..77ec97a16 100644
- - bproxysql
- bconsul
- entrypoint: test/entrypoint.sh
- working_dir: &boulder_working_dir /boulder
+ entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /boulder
+ working_dir: &boulder_working_dir /opt/boulder
+ logging:
+ driver: "json-file"
+ options:
@@ -77,12 +79,12 @@ index 5699aa777..77ec97a16 100644
bconsul:
image: hashicorp/consul:1.13.1
@@ -83,18 +81,68 @@ services:
@@ -83,18 +81,70 @@ services:
ipv4_address: 10.55.55.10
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
- netaccess:
+ labca:
+ gui:
image: *boulder_image
- environment:
- GO111MODULE: "on"
@@ -91,14 +93,15 @@ index 5699aa777..77ec97a16 100644
networks:
- bluenet
volumes:
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
+ - /home/labca/nginx_data/static:/wwwstatic
+ - /home/labca/backup:/backup
- .:/boulder
- - .:/boulder
- working_dir: *boulder_working_dir
- entrypoint: test/entrypoint-netaccess.sh
+ - /home/labca/boulder_labca:/boulder/labca
+ - /home/labca/admin:/go/src/labca
+ - ./.gocache:/root/.cache/go-build
+ - /home/labca/nginx_data/static:/opt/wwwstatic
+ - /home/labca/backup:/opt/backup
+ - .:/opt/boulder
+ - /home/labca/boulder_labca:/opt/boulder/labca
+ expose:
+ - 3000
+ depends_on:
@@ -131,12 +134,14 @@ index 5699aa777..77ec97a16 100644
+ - bluenet
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /home/labca/admin:/admin
+ - /home/labca/labca:/labca
+ - /home/labca/backup:/backup
+ - /home/labca/control_logs:/logs
+ - .:/boulder
+ - /home/labca/boulder_labca:/boulder/labca
+ - /home/labca/admin/data:/opt/labca/data
+ - /home/labca/admin/data:/opt/labca/gui/data
+ - /home/labca/admin/bin:/opt/labca/bin
+ - /home/labca/labca:/opt/labca
+ - /home/labca/backup:/opt/backup
+ - /home/labca/control_logs:/opt/logs
+ - .:/opt/boulder
+ - /home/labca/boulder_labca:/opt/boulder/labca
+ - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
+ - /home/labca/nginx_data/ssl:/etc/nginx/ssl
+ - /home/labca/nginx_data/static:/var/www/html
@@ -144,7 +149,7 @@ index 5699aa777..77ec97a16 100644
+ - 3030
+ environment:
+ LABCA_FQDN: ${LABCA_FQDN:-notset}
+ working_dir: /labca
+ working_dir: /opt/labca
+ command: ./control.sh
+ restart: always
+
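Review bot: The rewritten volume lists bake `/home/labca/...` host paths into docker-compose.yml (`/home/labca/boulder_labca:/opt/boulder/labca`, `/home/labca/admin/data:/opt/labca/data`, `/home/labca/backup:/opt/backup` and so on) while `install` in this same commit makes `baseDir` overridable, so a non-default baseDir leaves the containers mounting directories that do not exist. Because the patch is applied textually, the practical fix is a substitution after it is applied, next to the existing LABCA_FQDN sed in `config_boulder`: `sed -i -e "s|/home/labca|$baseDir|g" docker-compose.yml`. The control service also keeps the `/var/run/docker.sock` mount, which makes that container effectively root on the host; it predates this commit, but since the service now also mounts the admin data, bin and backup directories read-write, a comment in the patch recording why the socket is required would help the next reviewer. The surrounding compose services start and end outside this hunk.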


@@ -17,7 +17,7 @@ index aa398d0a..0db875d2 100644
+ // If there is no .crl file yet, generate one (after a delay to let all other
+ // components start up fully).
+ // Dirty hack to check filesystem directly instead of using the crl-storer...
+ files, err := os.ReadDir("/wwwstatic/crl/")
+ files, err := os.ReadDir("/opt/wwwstatic/crl/")
+ if err != nil {
+ return err
+ }
@@ -31,7 +31,7 @@ index aa398d0a..0db875d2 100644
+ select {
+ case <-ctx.Done():
+ return ctx.Err()
+ case <-time.After(time.Minute):
+ case <-time.After(2 * time.Minute):
+ }
+
+ cu.Tick(ctx, cu.clk.Now())
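Review bot: `time.After(2 * time.Minute)` doubles the start-up delay before the first CRL generation without recording why one minute was not enough, and the comment above still only says "after a delay". A named constant carries that knowledge better than a literal, e.g. `const initialCRLDelay = 2 * time.Minute // TODO: record why one minute was insufficient`, with the actual reason filled in from what the author observed. The directory `/opt/wwwstatic/crl/` is now hard-coded both here and in the crl-storer `localStorePath` patch of this commit, so if the two ever drift this check silently keeps reading an empty directory; a comment cross-referencing the storer setting would at least make the coupling visible. The enclosing function starts and ends outside the hunk.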

4
renew

@@ -5,8 +5,8 @@ set -e
cd /etc/nginx/ssl
echo >> acme_tiny.log
date >> acme_tiny.log
python3 /labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2> >(tee -a acme_tiny.log >&2) || exit 1
python3 /opt/labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2> >(tee -a acme_tiny.log >&2) || exit 1
mv domain_chain.crt labca_cert.pem
cd /boulder
cd /opt/boulder
docker-compose restart nginx


@@ -2,7 +2,7 @@
set -e
FILE=/backup/$1
FILE=/opt/backup/$1
[ "$1" != "" ] || (echo "You must provide a backup file name to restore"; exit 1)
[ -f $FILE ] || (echo "Backup file '$FILE' not found"; exit 1)
@@ -13,13 +13,13 @@ TMPDIR=/tmp/$BASE
cd /tmp
tar xzf $FILE 2>&1
cd /boulder
cd /opt/boulder
[ -f $TMPDIR/boulder_sa_integration.sql ] || (echo "MySQL backup file not found"; exit 1)
docker-compose exec -T bmysql mysql boulder_sa_integration <$TMPDIR/boulder_sa_integration.sql
mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /etc/nginx/ssl/
[ -d $TMPDIR/data ] || (echo "Data folder backup not found"; exit 1)
rm -rf /admin/data && mv $TMPDIR/data /admin/
rm -rf /opt/labca/data/* && mv $TMPDIR/data/* /opt/labca/data/
rm -rf $TMPDIR
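Review bot: `rm -rf /opt/labca/data/* && mv $TMPDIR/data/* /opt/labca/data/` empties the live data directory before anything from the archive is in place; the check two lines up only verifies that `$TMPDIR/data` is a directory, so an archive with an empty data folder passes it and the `mv` then fails on the unexpanded glob after the deletion has already happened. Verify the extracted tree first, `[ -n "$(ls -A $TMPDIR/data)" ] || (echo "Data folder backup is empty"; exit 1)`, and prefer `cp -a $TMPDIR/data/. /opt/labca/data/` so the source survives until the copy has succeeded. `FILE=/opt/backup/$1` also uses the archive name verbatim; `FILE=/opt/backup/$(basename "$1")` confines the lookup to the backup directory regardless of how the caller builds the argument. The script's beginning is outside the hunk.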


@@ -4,7 +4,7 @@ set -e
export PS_LABCA="bin/labca-gui"
export PS_BOULDER="bin/boulder"
export PS_BOULDER_COUNT=22
export PS_BOULDER_COUNT=21
export PS_MYSQL="mysqld"
export PS_CONTROL="tcpserver"
export PS_NGINX="nginx:"
@@ -18,7 +18,7 @@ count() {
local prefix=""
case $pattern in
$PS_LABCA)
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -labca-) "
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- labca-gui-) "
;;
$PS_BOULDER)
prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -boulder-) "