diff --git a/.gitignore b/.gitignore index 2a51bc9..ca6c5ac 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ debian/.debhelper/ debian/files debian/labca-gui.substvars debian/labca-gui/ +build/tmp/ diff --git a/Makefile b/Makefile index 37b9350..974124b 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ BINNAME?=labca-gui Q=$(if $V,,@) PREFIX?= TAG=$(shell git rev-list --tags --max-count=1) -VERSION=$(shell git describe --tags $(TAG)) +VERSION=$(shell git describe --always --tags $(TAG)) DEB_VERSION=$(shell echo $(VERSION) | sed 's/^v//' | sed 's/-/./g') RELEASE=./release diff --git a/backup b/backup index 44ac571..19fdea5 100755 --- a/backup +++ b/backup @@ -12,23 +12,23 @@ fi BASE=${NOW}_${HOSTNAME}${CRON} TMPDIR=/tmp/$BASE mkdir -p $TMPDIR -mkdir -p /backup +mkdir -p /opt/backup -cd /boulder +cd /opt/boulder docker-compose exec -T bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_integration.sql cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/ -cp -rp /admin/data $TMPDIR/ +cp -rp /opt/labca/data $TMPDIR/ cd /tmp -tar czf /backup/$BASE.tgz $BASE +tar czf /opt/backup/$BASE.tgz $BASE rm -rf $TMPDIR # housekeeping -find /backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \; +find /opt/backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \; if [ "$1" != "cron" ]; then - echo /backup/$BASE.tgz + echo /opt/backup/$BASE.tgz fi diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder new file mode 100644 index 0000000..be089a1 --- /dev/null +++ b/build/Dockerfile-boulder 
@@ -0,0 +1,25 @@
+FROM letsencrypt/boulder-tools:go1.20.1_2023-02-22 AS boulder-tools
+
+FROM ubuntu:focal
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ mariadb-client-core-10.3 \
+ python3-pip \
+ rsyslog \
+ softhsm2 \
+ && rm -rf /var/lib/apt/lists/* \
+ && pip3 install requests
+
+COPY --from=boulder-tools /usr/local/bin/sql-migrate /usr/local/bin/sql-migrate
+COPY --from=boulder-tools /usr/local/bin/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
+COPY tmp/bin /opt/boulder/bin
+COPY tmp/src/start.py /opt/boulder
+RUN sed -i -e "s|./test|./labca|" /opt/boulder/start.py
+COPY tmp/src/sa/db /opt/boulder/sa/db
+COPY tmp/src/sa/db-users /opt/boulder/sa/db-users
+COPY tmp/src/test/boulder-tools/boulder.rsyslog.conf /etc/rsyslog.d/
+RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
+RUN sed -i '/$ActionFileDefaultTemplate/s/^/#/' /etc/rsyslog.conf
+RUN sed -i '/$RepeatedMsgReduction on/s/^/#/' /etc/rsyslog.conf
diff --git a/build/Dockerfile-control b/build/Dockerfile-control
new file mode 100644
index 0000000..e3ec2ab
--- /dev/null
+++ b/build/Dockerfile-control
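Review bot: `pip3 install requests` at the end of the boulder image's single RUN is unpinned and leaves the pip cache in the layer, so two builds of the same commit can pull different `requests` releases; pin it and skip the cache, e.g. `&& pip3 install --no-cache-dir requests==<PINNED_VERSION>` (placeholder for the version you tested against). The three trailing `RUN sed -i … /etc/rsyslog.conf` steps each create a layer for a one-line edit and could be a single RUN. The final stage has no `USER`, so boulder and the copied pebble-challtestsrv run as root; if the services do not require it, add a system account and switch to it before the end of the file. `ubuntu:focal` is a moving tag; pinning a digest would make the image reproducible.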
@@ -0,0 +1,62 @@
+FROM ubuntu:focal as builder
+
+RUN export DEBIAN_FRONTEND=noninteractive \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ cron \
+ curl \
+ && curl -fsSL https://get.docker.com -o get-docker.sh \
+ && sh get-docker.sh \
+ && curl -SL https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose \
+ && chmod +x /usr/local/bin/docker-compose \
+ && rm -rf /var/lib/apt/lists/*
+
+FROM ubuntu:focal
+
+RUN export DEBIAN_FRONTEND=noninteractive \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ cron \
+ curl \
+ python3 \
+ tzdata \
+ ucspi-tcp \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/bin/docker /usr/bin/docker
+COPY --from=builder /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
+COPY --from=builder /usr/local/bin/docker-compose /usr/local/bin/docker-compose
+
+COPY tmp/acme_tiny.py /opt/labca/
+COPY tmp/backup /opt/labca/
+COPY tmp/checkcrl /opt/labca/
+COPY tmp/checkrenew /opt/labca/
+COPY tmp/commander /opt/labca/
+COPY tmp/control.sh /opt/labca/
+COPY tmp/cron_d /opt/labca/
+COPY tmp/mailer /opt/labca/
+COPY tmp/nameidtool /opt/labca/
+COPY tmp/renew /opt/labca/
+COPY tmp/restore /opt/labca/
+COPY tmp/utils.sh /opt/labca/
+COPY tmp/src/labca /opt/staging/boulder_labca
+COPY tmp/admin/apply-boulder /opt/labca/
+
+COPY tmp/admin/static /opt/staging/static
+COPY tmp/admin/data /opt/staging/data
+COPY tmp/nginx.conf /opt/staging/
+COPY tmp/proxy.conf /opt/staging/
+COPY tmp/admin/apply-nginx /opt/labca/
+
+COPY tmp/bin/boulder /opt/boulder/bin/
+
+RUN cd /opt/boulder/bin/ \
+ && ln -s boulder admin-revoker \
+ && ln -s boulder mail-tester \
+ && mkdir /opt/logs
diff --git a/build/Dockerfile-gui b/build/Dockerfile-gui
new file mode 100644
index 0000000..a0dc626
--- /dev/null
+++ b/build/Dockerfile-gui
@@ -0,0 +1,15 @@
+FROM ubuntu:focal
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ tzdata \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY tmp/labca-gui /opt/labca/bin/
+COPY tmp/nameidtool /opt/labca/
+COPY tmp/admin/setup.sh /opt/labca/
+COPY tmp/admin/apply /opt/labca/
+COPY tmp/admin/apply-boulder /opt/labca/
+COPY tmp/admin/apply-nginx /opt/labca/
+COPY tmp/admin/templates /opt/labca/templates/
diff --git a/build/build.sh b/build/build.sh
new file mode 100755
index 0000000..7510b52
--- /dev/null
+++ b/build/build.sh
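Review bot: The builder stage downloads and runs `get-docker.sh` from get.docker.com and fetches docker-compose v2.16.0 with `curl -SL` and no integrity check, so whatever those two endpoints serve at build time lands in the image unverified. Fetch the compose binary by pinned version and compare it against its published sha256 before `chmod +x`, and install the docker CLI from a pinned package (`docker-ce-cli=<VERSION>`) instead of the convenience script. The `COPY --from=builder` of libc.so.6, libdl.so.2, libpthread.so.0 and ld-linux into a runtime stage built from the same `ubuntu:focal` base overwrites the runtime's own C library with the builder's copy; the copies are unnecessary while both stages share a base, and they break the image the day the two `FROM` lines resolve to different snapshots. The final stage has no `USER`; given that the compose file hands this container the host docker socket, running as root may be the accepted design, but that trade-off deserves a comment in the Dockerfile.
```dockerfile
# … unchanged: FROM ubuntu:focal as builder, apt-get install of ca-certificates/cron/curl …
ARG COMPOSE_VERSION=v2.16.0
# <COMPOSE_SHA256> is a placeholder: take the value from the release's checksums.txt
ARG COMPOSE_SHA256=<COMPOSE_SHA256>
RUN curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-linux-x86_64" \
      -o /usr/local/bin/docker-compose \
    && echo "${COMPOSE_SHA256}  /usr/local/bin/docker-compose" | sha256sum -c - \
    && chmod +x /usr/local/bin/docker-compose
```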
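Review bot: The gui image ends without a `USER`, so labca-gui serves port 3000 as root even though, unlike the control container, the compose file gives it no docker socket and only volume mounts under /opt. A system account, `COPY --chown` on the /opt/labca files and `USER labca` as the last instruction would let it run unprivileged; the `ldata` volume would then need matching ownership, which I cannot verify from this diff. As in the other two Dockerfiles, `ubuntu:focal` is an unpinned tag.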
@@ -0,0 +1,53 @@ +#!/bin/bash -e + +set -euo pipefail + +cd $(dirname $0) + +TMP_DIR=$(pwd)/tmp +rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} + +boulderDir=$TMP_DIR/src +boulderTag="release-2023-04-04" +boulderUrl="https://github.com/letsencrypt/boulder/" +cloneDir=$(pwd)/.. + +GIT_VERSION=$(git describe --always --tags 2>/dev/null) +BUILD_HOST=labca-$GIT_VERSION +BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//")) + +git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null +cd $boulderDir +git checkout $boulderTag -b $boulderTag 2>/dev/null + +if [ "$BUILD_IMAGE" == "" ]; then + BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//")) +fi + +echo +$cloneDir/patch.sh +cp -r test labca +$cloneDir/patch-cfg.sh " " "$boulderDir/labca" +sed -i "s/BUILD_ID = .*/BUILD_ID = \$(shell git describe --always HEAD 2>\/dev\/null) +\$(COMMIT_ID)/" $boulderDir/Makefile +sed -i "s/BUILD_HOST = .*/BUILD_HOST ?= labca-develop/" $boulderDir/Makefile +sed -i "s/-ldflags \"-X/-ldflags \"-s -w -X/" $boulderDir/Makefile +cp -p docker-compose.yml $cloneDir/build/ + +echo +BASEDIR=/go/src/github.com/letsencrypt/boulder +docker run -it -v $boulderDir:$BASEDIR:cached -v $TMP_DIR/bin:$BASEDIR/bin -w $BASEDIR -e BUILD_HOST=$BUILD_HOST $BUILD_IMAGE sh -c "git config --global --add safe.directory $BASEDIR && make build" + +cp $cloneDir/nginx.conf $TMP_DIR/ +cp $cloneDir/proxy.conf $TMP_DIR/ +cp $cloneDir/utils/nameidtool.go $TMP_DIR/ +cp -rp $cloneDir/gui/* $TMP_DIR/admin/ +sed -i -e "s/^bin\/labca-gui//" $TMP_DIR/admin/setup.sh +sed -i -e "s/.*apt update.*//" $TMP_DIR/admin/setup.sh +sed -i '/^$/d' $TMP_DIR/admin/setup.sh + +echo +BASEDIR=/go/src/labca +docker run -it -v $TMP_DIR/admin:$BASEDIR:cached -v $TMP_DIR:$BASEDIR/bin -w $BASEDIR -e GIT_VERSION=$GIT_VERSION 
$BUILD_IMAGE ./setup.sh +docker run -it -v $TMP_DIR:/utils -w /utils $BUILD_IMAGE go build nameidtool.go + +echo diff --git a/build/docker-compose.yml b/build/docker-compose.yml new file mode 100644 index 0000000..b50c8b1 --- /dev/null +++ b/build/docker-compose.yml 
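Review bot: Boulder is checked out by tag only (`git clone --branch $boulderTag --depth 1 …` with `boulderTag="release-2023-04-04"`), and tags are mutable refs, so nothing verifies that the sources patched and compiled here are the ones that were reviewed; record the expected commit and fail when it differs, e.g. `[ "$(git rev-parse HEAD)" == "<EXPECTED_COMMIT>" ] || exit 1` right after the checkout. The three `docker run -it …` invocations request a TTY and abort when the script runs without one (CI, cron); `-i` alone, or neither flag, is enough for these non-interactive builds. `cd $(dirname $0)`, `rm -rf $TMP_DIR` and the `$boulderDir` expansions are unquoted, so a checkout path containing whitespace makes the `rm -rf` line do something other than intended; quote them.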
@@ -0,0 +1,178 @@ +version: '3' +name: labca +services: + boulder: + # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. + image: hakwerk/labca-boulder:dockeronly + environment: + # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS + # to the IP address where your ACME client's solver is listening. + # FAKE_DNS: 172.17.0.1 + FAKE_DNS: 10.77.77.77 + BOULDER_CONFIG_DIR: &boulder_config_dir labca/config + GOFLAGS: -mod=vendor + volumes: + - boulder_data:/opt/boulder/labca + - nginx_html:/opt/wwwstatic + #- ./.hierarchy:/hierarchy/:cached + - softhsm:/var/lib/softhsm/tokens:cached + networks: + bluenet: + ipv4_address: 10.77.77.77 + rednet: + ipv4_address: 10.88.88.88 + consulnet: + ipv4_address: 10.55.55.55 + # Use consul as a backup to Docker's embedded DNS server. If there's a name + # Docker's DNS server doesn't know about, it will forward the query to this + # IP (running consul). + # (https://docs.docker.com/config/containers/container-networking/#dns-services). + # This is used to look up service names via A records (like ra.service.consul) that + # are configured via the ServerAddress field of cmd.GRPCClientConfig. + # TODO: Remove this when ServerAddress is deprecated in favor of SRV records + # and DNSAuthority. + dns: 10.55.55.10 + expose: + - 4001 # ACMEv2 + - 4002 # OCSP + - 4003 # OCSP + depends_on: + - bmysql + - bconsul + - control + entrypoint: labca/entrypoint.sh + working_dir: &boulder_working_dir /opt/boulder + logging: + driver: "json-file" + options: + max-size: "500k" + max-file: "5" + restart: always + + bmysql: + image: mariadb:10.5 + volumes: + - dbdata:/var/lib/mysql + networks: + bluenet: + aliases: + - boulder-mysql + environment: + MYSQL_ALLOW_EMPTY_PASSWORD: "yes" + # Send slow queries to a table so we can check for them in the + # integration tests. 
For now we ignore queries not using indexes, + # because that seems to trigger based on the optimizer's choice to not + # use an index for certain queries, particularly when tables are still + # small. + command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON + logging: + driver: "json-file" + options: + max-size: "500k" + max-file: "5" + restart: always + + bconsul: + image: hashicorp/consul:1.13.1 + depends_on: + - control + volumes: + - boulder_data:/opt/boulder/labca + networks: + consulnet: + ipv4_address: 10.55.55.10 + command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + + gui: + image: hakwerk/labca-gui:dockeronly + networks: + - bluenet + volumes: + - ldata:/opt/labca/data + - nginx_html:/opt/wwwstatic + - backup:/opt/backup + #- .:/boulder + - boulder_data:/opt/boulder/labca + expose: + - 3000 + depends_on: + - bmysql + - control + working_dir: /opt/labca + command: bin/labca-gui + logging: + driver: "json-file" + options: + max-size: "500k" + max-file: "5" + restart: always + + nginx: + image: nginx:1.21.6 + restart: always + networks: + - bluenet + ports: + - 80:80 + - 443:443 + volumes: + - nginx_conf:/etc/nginx/conf.d + - nginx_ssl:/etc/nginx/ssl + - nginx_html:/var/www/html + depends_on: + - control + + control: + image: hakwerk/labca-control:dockeronly + networks: + - bluenet + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ./docker-compose.yml:/opt/boulder/docker-compose.yml + - ldata:/opt/labca/data + - backup:/opt/backup + - logs:/opt/logs + - boulder_data:/opt/boulder/labca + - nginx_conf:/etc/nginx/conf.d + - nginx_ssl:/etc/nginx/ssl + - nginx_html:/var/www/html + expose: + - 3030 + environment: + LABCA_FQDN: ${LABCA_FQDN:-notset} + #privileged: true + working_dir: /opt/labca + command: ./control.sh + restart: always + +volumes: + dbdata: + nginx_conf: + nginx_ssl: + nginx_html: + boulder_data: + ldata: + backup: + logs: + softhsm: + 
+networks: + bluenet: + driver: bridge + ipam: + driver: default + config: + - subnet: 10.77.77.0/24 + rednet: + driver: bridge + ipam: + driver: default + config: + - subnet: 10.88.88.0/24 + + consulnet: + driver: bridge + ipam: + driver: default + config: + - subnet: 10.55.55.0/24 diff --git a/build/tag_and_upload.sh b/build/tag_and_upload.sh new file mode 100755 index 0000000..f565051 --- /dev/null +++ b/build/tag_and_upload.sh 
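Review bot: The `control` service bind-mounts `/var/run/docker.sock`, and the image it runs declares no non-root user, so anything executing inside that container — including the commander reachable on port 3030 — has full control of the host's Docker daemon, which is equivalent to root on the host. That may be the intended design for the orchestration container, but it should be stated next to the mount, e.g. `# grants host-level Docker control; never attach this service to an externally reachable network`, and the dead `#privileged: true` line removed so nobody reads it as the missing piece. `MYSQL_ALLOW_EMPTY_PASSWORD: "yes"` is tolerable only because bmysql sits on the internal `bluenet` with no published port; a comment saying so would stop someone from adding `ports:` later. The `:dockeronly` tags on the three labca images are mutable; a version tag or digest would make a deployment reproducible.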
@@ -0,0 +1,89 @@ +#!/bin/bash -e + +set -euo pipefail + +cd $(dirname $0) + +REPO_BASE="hakwerk/labca" + +BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null) +if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then + TAG=$(git describe --always --tags 2>/dev/null) + [[ $TAG == v* ]] && TAG="${TAG:1}" || /bin/true +else + TAG=$BRANCH +fi + +LABCA_GUI_TAG="${REPO_BASE}-gui:$TAG" +LABCA_GUI_LATEST="${REPO_BASE}-gui:latest" +LABCA_BOULDER_TAG="${REPO_BASE}-boulder:$TAG" +LABCA_BOULDER_LATEST="${REPO_BASE}-boulder:latest" +LABCA_CONTROL_TAG="${REPO_BASE}-control:$TAG" +LABCA_CONTROL_LATEST="${REPO_BASE}-control:latest" + +die() { + echo $1 + exit 1 +} + +cp -rp ../gui/setup.sh tmp/admin/ +[ -f "tmp/labca-gui" ] || die "LabCA binary does not exist!" +docker build -f Dockerfile-gui -t $LABCA_GUI_TAG . + +if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then + ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk '{print $3}')" + docker tag "$ID" $LABCA_GUI_LATEST +fi + +cnt=$(ls -1 tmp/bin | wc -l) +[ $cnt -gt 20 ] || die "Only found $cnt boulder binaries!" # ?? still correct?? +docker build -f Dockerfile-boulder -t $LABCA_BOULDER_TAG . + +if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then + ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk '{print $3}')" + docker tag "$ID" $LABCA_BOULDER_LATEST +fi + +cp -rp ../acme_tiny.py tmp/ +cp -rp ../backup tmp/ +cp -rp ../checkcrl tmp/ +cp -rp ../checkrenew tmp/ +cp -rp ../commander tmp/ +cp -rp ../control_do.sh tmp/control.sh +cp -rp ../cron_d tmp/ +cp -rp ../mailer tmp/ +cp -rp ../renew tmp/ +cp -rp ../restore tmp/ +cp -rp ../utils.sh tmp/ +docker build -f Dockerfile-control -t $LABCA_CONTROL_TAG . 
+ +if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then + ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk '{print $3}')" + docker tag "$ID" $LABCA_CONTROL_LATEST +fi + +echo +if [ "$BRANCH" != "master" ] || [ "$BRANCH" == "main" ]; then + echo "Not pushing to Dockerhub..." + exit +fi + +echo "Image ready, please login to allow Dockerhub push" +echo TODO docker login + +echo +echo "Pushing ${LABCA_GUI_TAG} to Dockerhub" +echo TODO docker push ${LABCA_GUI_TAG} +echo "Pushing ${LABCA_BOULDER_TAG} to Dockerhub" +echo TODO docker push ${LABCA_BOULDER_TAG} +echo "Pushing ${LABCA_CONTROL_TAG} to Dockerhub" +echo TODO docker push ${LABCA_CONTROL_TAG} + +if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then + echo "Pushing ${LABCA_GUI_LATEST} to Dockerhub" + echo TODO docker push ${LABCA_GUI_LATEST} + echo "Pushing ${LABCA_BOULDER_LATEST} to Dockerhub" + echo TODO docker push ${LABCA_BOULDER_LATEST} + echo "Pushing ${LABCA_CONTROL_LATEST} to Dockerhub" + echo TODO docker push ${LABCA_CONTROL_LATEST} +fi diff --git a/build/tmp.patch b/build/tmp.patch new file mode 100644 index 0000000..5e2eb98 --- /dev/null +++ b/build/tmp.patch 
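Review bot: The push guard `if [ "$BRANCH" != "master" ] || [ "$BRANCH" == "main" ]; then` is inverted for `main`: on that branch the second test is true, so the script prints "Not pushing" and exits although the earlier blocks treat `main` as a release branch; it should read `if [ "$BRANCH" != "master" ] && [ "$BRANCH" != "main" ]; then`. The `latest` tagging resolves the image with `docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1`, which picks whichever matching image lists first (possibly a stale one from an earlier branch build) rather than the one just built; `docker tag "$LABCA_GUI_TAG" "$LABCA_GUI_LATEST"` does this without the lookup, and the same applies to the boulder and control blocks. `die()` prints with an unquoted `echo $1`; quote it.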
@@ -0,0 +1,145 @@ +diff --git a/docker-compose.yml b/docker-compose.yml +index cfdcc784a..b50c8b18d 100644 +--- a/docker-compose.yml ++++ b/docker-compose.yml +@@ -1,8 +1,9 @@ + version: '3' ++name: labca + services: + boulder: + # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. +- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.3_2023-04-04} ++ image: hakwerk/labca-boulder:dockeronly + environment: + # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS + # to the IP address where your ACME client's solver is listening. +@@ -11,12 +12,10 @@ services: + BOULDER_CONFIG_DIR: &boulder_config_dir labca/config + GOFLAGS: -mod=vendor + volumes: +- - .:/opt/boulder:cached +- - /home/labca/boulder_labca:/opt/boulder/labca +- - /home/labca/nginx_data/static:/opt/wwwstatic +- - ./.gocache:/root/.cache/go-build:cached +- - ./.hierarchy:/hierarchy/:cached +- - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached ++ - boulder_data:/opt/boulder/labca ++ - nginx_html:/opt/wwwstatic ++ #- ./.hierarchy:/hierarchy/:cached ++ - softhsm:/var/lib/softhsm/tokens:cached + networks: + bluenet: + ipv4_address: 10.77.77.77 +@@ -40,6 +39,7 @@ services: + depends_on: + - bmysql + - bconsul ++ - control + entrypoint: labca/entrypoint.sh + working_dir: &boulder_working_dir /opt/boulder + logging: +@@ -74,30 +74,32 @@ services: + + bconsul: + image: hashicorp/consul:1.13.1 ++ depends_on: ++ - control + volumes: +- - ./test/:/test/:cached ++ - boulder_data:/opt/boulder/labca + networks: + consulnet: + ipv4_address: 10.55.55.10 +- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" ++ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" + + gui: +- image: *boulder_image ++ image: hakwerk/labca-gui:dockeronly + networks: + - bluenet + volumes: +- - /home/labca/admin:/go/src/labca +- - ./.gocache:/root/.cache/go-build +- - 
/home/labca/nginx_data/static:/opt/wwwstatic +- - /home/labca/backup:/opt/backup +- - .:/opt/boulder +- - /home/labca/boulder_labca:/opt/boulder/labca ++ - ldata:/opt/labca/data ++ - nginx_html:/opt/wwwstatic ++ - backup:/opt/backup ++ #- .:/boulder ++ - boulder_data:/opt/boulder/labca + expose: + - 3000 + depends_on: + - bmysql +- working_dir: /go/src/labca +- command: ./setup.sh ++ - control ++ working_dir: /opt/labca ++ command: bin/labca-gui + logging: + driver: "json-file" + options: +@@ -114,37 +116,45 @@ services: + - 80:80 + - 443:443 + volumes: +- - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d +- - /home/labca/nginx_data/ssl:/etc/nginx/ssl +- - /home/labca/nginx_data/static:/var/www/html ++ - nginx_conf:/etc/nginx/conf.d ++ - nginx_ssl:/etc/nginx/ssl ++ - nginx_html:/var/www/html ++ depends_on: ++ - control + + control: +- image: *boulder_image ++ image: hakwerk/labca-control:dockeronly + networks: + - bluenet + volumes: + - /var/run/docker.sock:/var/run/docker.sock +- - /home/labca/admin/data:/opt/labca/data +- - /home/labca/admin/data:/opt/labca/gui/data +- - /home/labca/admin/bin:/opt/labca/bin +- - /home/labca/labca:/opt/labca +- - /home/labca/backup:/opt/backup +- - /home/labca/control_logs:/opt/logs +- - .:/opt/boulder +- - /home/labca/boulder_labca:/opt/boulder/labca +- - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d +- - /home/labca/nginx_data/ssl:/etc/nginx/ssl +- - /home/labca/nginx_data/static:/var/www/html ++ - ./docker-compose.yml:/opt/boulder/docker-compose.yml ++ - ldata:/opt/labca/data ++ - backup:/opt/backup ++ - logs:/opt/logs ++ - boulder_data:/opt/boulder/labca ++ - nginx_conf:/etc/nginx/conf.d ++ - nginx_ssl:/etc/nginx/ssl ++ - nginx_html:/var/www/html + expose: + - 3030 + environment: + LABCA_FQDN: ${LABCA_FQDN:-notset} ++ #privileged: true + working_dir: /opt/labca + command: ./control.sh + restart: always + + volumes: + dbdata: ++ nginx_conf: ++ nginx_ssl: ++ nginx_html: ++ boulder_data: ++ ldata: ++ backup: ++ logs: ++ 
softhsm: + + networks: + bluenet: diff --git a/build/tmp2.patch b/build/tmp2.patch new file mode 100644 index 0000000..4a85afc --- /dev/null +++ b/build/tmp2.patch @@ -0,0 +1,14 @@ +diff --git a/test/startservers.py b/test/startservers.py +index 6aa2f9a..7d17d7f 100644 +--- a/test/startservers.py ++++ b/test/startservers.py +@@ -159,6 +159,9 @@ def setupHierarchyOriginal(): + + + def install(race_detection): ++ return True ++ ++def installOriginal(race_detection): + # Pass empty BUILD_TIME and BUILD_ID flags to avoid constantly invalidating the + # build cache with new BUILD_TIMEs, or invalidating it on merges with a new + # BUILD_ID. diff --git a/checkcrl b/checkcrl index 9c8c4de..53b6af2 100755 --- a/checkcrl +++ b/checkcrl @@ -7,7 +7,7 @@ if [ crl/ -nt certs/index.html ]; then echo "Updating certs/index.html with latest CRL info..." PKI_ROOT_CERT_BASE="crl/root-ca" - PKI_ISSUER_NAME_ID=$(grep issuer_name_id /admin/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') + PKI_ISSUER_NAME_ID=$(grep issuer_name_id /opt/labca/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') PKI_ROOT_CRL_VALIDITY="" if [ -e "$PKI_ROOT_CERT_BASE.crl" ]; then diff --git a/checkrenew b/checkrenew index aca4085..120685a 100755 --- a/checkrenew +++ b/checkrenew @@ -10,5 +10,5 @@ echo "Running cron-$(basename $0) for ${TODAY}..." if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /etc/nginx/ssl/labca_cert.pem`; then echo " renewing!" cp -p /etc/nginx/ssl/labca_cert.pem /etc/nginx/ssl/labca_cert_$TODAY.pem - /labca/renew + /opt/labca/renew fi diff --git a/commander b/commander index 55ef210..aef9f03 100755 --- a/commander +++ b/commander @@ -2,7 +2,7 @@ set -euo pipefail -LOGFILE=/logs/commander.log +LOGFILE=/opt/logs/commander.log err_report() { echo "ERROR! On line $1 in commander script" 
@@ -38,8 +38,8 @@ function wait_server() { read txt case $txt in "docker-restart") - cd /boulder - COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul labca nginx &>>$LOGFILE + cd /opt/boulder + COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul gui nginx &>>$LOGFILE sleep 45 wait_up $PS_MYSQL &>>$LOGFILE wait_up $PS_CONSUL 2 &>>$LOGFILE 
@@ -53,32 +53,32 @@ case $txt in [ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:) openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr - url=$(grep 'DEFAULT_DIRECTORY_URL =' /labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') + url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') wait_server $url sleep 10 - /labca/renew - ln -sf /labca/cron_d /etc/cron.d/labca - ln -sf /labca/logrotate_d /etc/logrotate.d/labca + /opt/labca/renew + ln -sf /opt/labca/cron_d /etc/cron.d/labca + ln -sf /opt/labca/logrotate_d /etc/logrotate.d/labca ;; "acme-change") read fqdn cd /etc/nginx/ssl openssl genrsa 4096 > labca_key.pem openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr - url=$(grep 'DEFAULT_DIRECTORY_URL =' /labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') + url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') wait_server $url sleep 10 - /labca/renew + /opt/labca/renew ;; "nginx-remove-redirect") perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf ;; "nginx-reload") - cd /boulder + cd /opt/boulder docker-compose exec -T nginx nginx -s reload &>>$LOGFILE ;; "nginx-restart") - cd /boulder + cd /opt/boulder docker-compose restart nginx &>>$LOGFILE ;; "log-cert") 
@@ -90,51 +90,51 @@ case $txt in exit 0 ;; "log-control-notail") - cd /boulder + cd /opt/boulder docker-compose logs --no-color --tail=50 control ;; "log-cron") - [ -f /logs/cron.log ] && tail -n200 -f /logs/cron.log || /bin/true + [ -f /opt/logs/cron.log ] && tail -n200 -f /opt/logs/cron.log || /bin/true exit 0 ;; "log-boulder") - cd /boulder + cd /opt/boulder docker-compose logs -f --no-color --tail=50 boulder ;; "log-boulder-notail") - cd /boulder + cd /opt/boulder docker-compose logs --no-color --tail=50 boulder ;; "log-audit") - cd /boulder + cd /opt/boulder docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -50 docker-compose logs -f --no-color --tail=0 boulder | grep "\[AUDIT\]" ;; "log-activity") - cd /boulder + cd /opt/boulder echo "GMT" docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -15 exit 0 ;; "log-labca") - cd /boulder - docker-compose logs -f --no-color --tail=50 labca + cd /opt/boulder + docker-compose logs -f --no-color --tail=50 gui ;; "log-labca-notail") - cd /boulder - docker-compose logs --no-color --tail=50 labca + cd /opt/boulder + docker-compose logs --no-color --tail=50 gui ;; "log-web") - cd /boulder + cd /opt/boulder docker-compose logs -f --no-color --tail=50 nginx ;; "log-components") - nginx=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -nginx-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") - svc=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -control-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") + nginx=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -nginx-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") + svc=$(docker inspect $(docker ps --format 
"{{.Names}}" | grep -- -control-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") boulder=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -boulder-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") - labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -labca-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") + labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- labca-gui) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") mysql=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bmysql-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") - consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") + consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/") echo "$nginx|$svc|$boulder|$labca|$mysql|$consul" exit 0 ;; @@ -145,21 +145,21 @@ case $txt in exit 0 ;; "log-stats") - docker stats --no-stream -a | grep " boulder-" + docker stats --no-stream -a | grep " labca-" ;; "revoke-cert") read serial read reasonCode - cd /boulder + cd /opt/boulder docker-compose exec -T boulder bin/admin-revoker serial-revoke --config labca/config/admin-revoker.json $serial $reasonCode 2>&1 ;; "test-email") read recipient - cd /boulder + cd /opt/boulder docker-compose exec -T boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1 ;; "boulder-start") - cd /boulder + cd /opt/boulder COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d bmysql bconsul wait_up $PS_MYSQL &>>$LOGFILE wait_up $PS_CONSUL 2 &>>$LOGFILE 
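Review bot: In `log-components` the new gui lookup uses `grep -- labca-gui` while the five neighbouring lookups anchor on `-- -<service>-`; the unanchored pattern also matches any other container whose name merely contains `labca-gui`, and when nothing matches `docker inspect` is invoked with no argument and its error lands in the pipeline. Assuming the compose project name `labca` yields container names like `labca-gui-1`, `grep -- -gui-` would be consistent with the others. The enclosing `case $txt` statement starts and ends outside this hunk.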
@@ -167,7 +167,7 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "boulder-stop") - cd /boulder + cd /opt/boulder docker-compose stop boulder docker-compose stop bmysql bconsul wait_down $PS_MYSQL &>>$LOGFILE @@ -175,7 +175,7 @@ case $txt in wait_down $PS_BOULDER &>>$LOGFILE ;; "boulder-restart") - cd /boulder + cd /opt/boulder COMPOSE_HTTP_TIMEOUT=120 docker-compose restart boulder bmysql bconsul &>>$LOGFILE sleep 30 wait_up $PS_MYSQL &>>$LOGFILE @@ -183,48 +183,48 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "labca-restart") - cd /boulder - COMPOSE_HTTP_TIMEOUT=120 docker-compose restart labca + cd /opt/boulder + COMPOSE_HTTP_TIMEOUT=120 docker-compose restart gui sleep 15 wait_up $PS_LABCA &>>$LOGFILE ;; "mysql-restart") - cd /boulder + cd /opt/boulder set +e COMPOSE_HTTP_TIMEOUT=120 docker-compose restart bmysql set -e ;; "consul-restart") - cd /boulder + cd /opt/boulder set +e COMPOSE_HTTP_TIMEOUT=120 docker-compose restart bconsul set -e ;; "svc-restart") - cd /boulder + cd /opt/boulder set +e COMPOSE_HTTP_TIMEOUT=120 docker-compose restart control set -e ;; "log-backups") - ls -1tr /backup || /bin/true + ls -1tr /opt/backup || /bin/true exit 0 ;; "log-server-backup") - /labca/backup + /opt/labca/backup exit 0 ;; "backup-delete") read backup - rm -f /backup/$backup + rm -f /opt/backup/$backup ;; "backup-restore") read backup - /labca/restore "$backup" + /opt/labca/restore "$backup" ;; "server-restart") - cd /boulder - nohup docker-compose restart labca & >/dev/null + cd /opt/boulder + nohup docker-compose restart gui & >/dev/null nohup docker-compose restart nginx & >/dev/null set +e nohup docker-compose restart control & >/dev/null diff --git a/control.sh b/control.sh index 64f5573..d25973f 100755 --- a/control.sh +++ b/control.sh 
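Review bot: `backup-delete` still runs `rm -f /opt/backup/$backup` with `$backup` taken verbatim from the socket (`read backup`) and neither quoted nor restricted to a plain file name, so a value containing `/`, a leading `.` or whitespace reaches `rm` unchecked; `backup-restore` forwards the same unvalidated value to `/opt/labca/restore`. Reject anything that is not a bare file name before use, e.g. `case "$backup" in ''|*/*|.*) echo 'invalid backup name'; exit 1;; esac`, and quote the expansion: `rm -f "/opt/backup/$backup"`. The commit only moves the path from `/backup` to `/opt/backup`, so this hunk is the natural place for the check. The `case $txt` statement continues past the end of this hunk.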
@@ -4,15 +4,15 @@ set -e get_fqdn() { local file_fqdn="" - if [ -e /admin/data/config.json ]; then - file_fqdn=$(grep fqdn /admin/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",") + if [ -e /opt/labca/data/config.json ]; then + file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",") fi if [ "$file_fqdn" == "" ]; then if [ "$LABCA_FQDN" == "notset" ]; then echo "ERROR: environment variable LABCA_FQDN is not set!" exit 1 else - echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /admin/data/config.json + echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json fi elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..." @@ -65,7 +65,7 @@ renew_near_expiry() { if [ "$hash" == "$issuer_hash" ]; then selfsigned_cert else - echo "acme-request" | /labca/commander + echo "acme-request" | /opt/labca/commander fi fi popd >/dev/null @@ -75,10 +75,10 @@ renew_near_expiry() { start_cron() { apt update apt install -y cron - [ -e /boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /labca/cron_d /etc/cron.d/labca || true - chmod g-w /labca/cron_d - [ -e /logs/cron.log ] || touch /logs/cron.log - tail -f -n0 /logs/cron.log & + [ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true + chmod g-w /opt/labca/cron_d + [ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log + tail -f -n0 /opt/logs/cron.log & service cron start } 
@@ -86,12 +86,15 @@ start_cron() { serve_commander() { apt update apt install -y ucspi-tcp + cd /opt/boulder/labca + /opt/labca/gui/apply-boulder + cd - echo "Start serving commander script..." - tcpserver 0.0.0.0 3030 /labca/commander + tcpserver 0.0.0.0 3030 /opt/labca/commander } main() { - mkdir -p /logs + mkdir -p /opt/logs get_fqdn diff --git a/control_do.sh b/control_do.sh new file mode 100755 index 0000000..848e65f --- /dev/null +++ b/control_do.sh 
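Review bot: The three lines added to `serve_commander` use `cd -`, which prints the directory it returns to on stdout, and they run `/opt/labca/gui/apply-boulder` under the script's `set -e`, so a failing apply step aborts the function before `tcpserver` ever starts; a subshell keeps the directory change contained and removes the stray output: `( cd /opt/boulder/labca && /opt/labca/gui/apply-boulder )`. The path `/opt/labca/gui/apply-boulder` differs from where Dockerfile-control in this commit places that script (`/opt/labca/apply-boulder`); this control.sh presumably targets the non-container layout rather than the image, but the two should be checked against each other. `tcpserver 0.0.0.0 3030 /opt/labca/commander` is unchanged by this hunk, but the visible commander code appears to perform no client authentication, so a comment that the port must stay unpublished would help the next maintainer.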
@@ -0,0 +1,115 @@ +#!/bin/bash + +set -e + +get_fqdn() { + local file_fqdn="" + if [ -e /opt/labca/data/config.json ]; then + file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",") + fi + if [ "$file_fqdn" == "" ]; then + if [ "$LABCA_FQDN" == "notset" ]; then + echo "ERROR: environment variable LABCA_FQDN is not set!" + exit 1 + else + echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json + fi + elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then + echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..." + export LABCA_FQDN=$file_fqdn + fi +} + +setup_boulder_data() { + cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/ + + cd /opt/boulder/labca + /opt/labca/apply-boulder +} + +setup_nginx_data() { + rm -f /etc/nginx/conf.d/default.conf + cp -p /opt/staging/nginx.conf /etc/nginx/conf.d/labca.conf + cp -p /opt/staging/proxy.conf /etc/nginx/conf.d/proxy.conf + [ -e /opt/boulder/labca/setup_complete ] && perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf || true + + cd /var/www/html + mkdir -p .well-known/acme-challenge + find .well-known/acme-challenge/ -type f -mtime +10 -exec rm {} \; # Clean up files older than 10 days + mkdir -p crl + [ -e cert ] || ln -s certs cert + cp -rp /opt/staging/static/* . 
+ + [ -e /opt/labca/data/root-ca.crl ] && cp /opt/labca/data/root-ca.crl crl/ || true + [ -e /opt/labca/data/root-ca.pem ] && cp /opt/labca/data/root-ca.pem certs/ || true + [ -e /opt/labca/data/root-ca.der ] && cp /opt/labca/data/root-ca.der certs/ || true + [ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.pem certs/ || true + [ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.der certs/ || true + + if [ ! -e /etc/nginx/ssl/labca_cert.pem ]; then + pushd /etc/nginx/ssl >/dev/null + openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \ + -subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \ + -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN")) + popd >/dev/null + fi + + /opt/labca/apply-nginx +} + +setup_labca_data() { + cd /opt/labca/data + cp -rp /opt/staging/data/* . +} + +selfsigned_cert() { + pushd /etc/nginx/ssl >/dev/null + openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \ + -subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \ + -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN")) + popd >/dev/null +} + +renew_near_expiry() { + pushd /etc/nginx/ssl >/dev/null + if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then + hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem) + issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem) + if [ "$hash" == "$issuer_hash" ]; then + selfsigned_cert + else + echo "acme-request" | /opt/labca/commander + fi + fi + popd >/dev/null +} + +start_cron() { + [ -e /opt/boulder/labca/setup_complete ] && [ ! 
-e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true + chmod g-w /opt/labca/cron_d + [ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log + tail -f -n0 /opt/logs/cron.log & + service cron start +} + +serve_commander() { + echo "Start serving commander script..." + tcpserver 0.0.0.0 3030 /opt/labca/commander +} + +main() { + get_fqdn + + setup_boulder_data + setup_nginx_data + setup_labca_data + + [ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert + renew_near_expiry + + start_cron + + serve_commander +} + +main "$@" diff --git a/cron_d b/cron_d index b0d4509..90458bf 100644 --- a/cron_d +++ b/cron_d @@ -2,7 +2,7 @@ SHELL=/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -1 6 * * Mon root /labca/backup cron &>>/logs/cron.log -1 7 * * * root /labca/mailer &>>/logs/cron.log -5 7 * * * root /labca/checkrenew &>>/logs/cron.log -*/5 * * * * root /labca/checkcrl &>>/logs/cron.log +1 6 * * Mon root /opt/labca/backup cron &>>/opt/logs/cron.log +1 7 * * * root /opt/labca/mailer &>>/opt/logs/cron.log +5 7 * * * root /opt/labca/checkrenew &>>/opt/logs/cron.log +*/5 * * * * root /opt/labca/checkcrl &>>/opt/logs/cron.log diff --git a/gui/apply b/gui/apply index ef74d73..cc1b8a9 100755 --- a/gui/apply +++ b/gui/apply @@ -8,7 +8,7 @@ dataDir="$baseDir/data" export PKI_ROOT_CERT_BASE="$dataDir/root-ca" export PKI_INT_CERT_BASE="$dataDir/issuer/ca-int" -cd /wwwstatic +cd /opt/wwwstatic $baseDir/apply-nginx @@ -19,5 +19,5 @@ cp $PKI_INT_CERT_BASE.pem certs/ cp $PKI_INT_CERT_BASE.der certs/ -cd /boulder/labca +cd /opt/boulder/labca $baseDir/apply-boulder diff --git a/gui/dashboard.go b/gui/dashboard.go index 6aff17b..080b6c5 100644 --- a/gui/dashboard.go +++ b/gui/dashboard.go 
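Review bot: In setup_nginx_data the last certificate copy tests `ca-int.pem` but copies `ca-int.der` (`[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.der certs/ || true`), the same slip this commit fixes in install's static_web; the trailing `|| true` hides the failure, so the DER intermediate silently never lands in `certs/` when only the PEM exists — the test should be on the `.der` file. Separately, serve_commander binds the commander on `0.0.0.0:3030` with no authentication, and since the commander executes named actions (`acme-request` in renew_near_expiry) inside a container that, per the compose patch in this diff, bind-mounts the host docker socket, any peer that can reach that network can drive it; a comment stating that trust assumption, or binding to the container's own bluenet address, would be appropriate. get_fqdn also interpolates `$LABCA_FQDN` unescaped into config.json, so a value containing `"` yields malformed or attacker-shaped JSON; validating it as a hostname first (e.g. `[[ "$LABCA_FQDN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "ERROR: invalid LABCA_FQDN"; exit 1; }`) closes that.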
@@ -454,7 +454,7 @@ func parseDockerStats(data string) []AjaxStat { if strings.Contains(docker.Name, "-bconsul-") { stat.Name = "Consul (Boulder)" } - if strings.Contains(docker.Name, "-labca-") { + if strings.Contains(docker.Name, "labca-gui-") { stat.Name = "LabCA Application" } if strings.Contains(docker.Name, "-control-") { diff --git a/gui/main.go b/gui/main.go index 4c1906a..7e2c735 100644 --- a/gui/main.go +++ b/gui/main.go @@ -1866,7 +1866,7 @@ func _setupAdminUser(w http.ResponseWriter, r *http.Request) bool { } defer file.Close() - out, err := os.Create("/backup/" + header.Filename) + out, err := os.Create("/opt/backup/" + header.Filename) if err != nil { fmt.Println(err) reg.Errors["File"] = "Could not create local file" @@ -2861,6 +2861,9 @@ func init() { version = standaloneVersion } else { version = viper.GetString("version") + if version == "" { + version = standaloneVersion + } } webTitle = viper.GetString("labca.web_title") @@ -2927,7 +2930,7 @@ func main() { r.HandleFunc("/certificates/{id}", certificateHandler).Methods("GET") r.HandleFunc("/certificates/{id}", certRevokeHandler).Methods("POST") - r.PathPrefix("/backup/").Handler(http.StripPrefix("/backup/", http.FileServer(http.Dir("/backup")))) + r.PathPrefix("/backup/").Handler(http.StripPrefix("/backup/", http.FileServer(http.Dir("/opt/backup")))) r.NotFoundHandler = http.HandlerFunc(notFoundHandler) if viper.GetBool("standalone") || isDev { diff --git a/gui/setup.sh b/gui/setup.sh index bf29c57..8070cfc 100755 --- a/gui/setup.sh +++ b/gui/setup.sh @@ -8,7 +8,7 @@ set -e if [ ! -e bin/labca-gui ]; then go mod download - go build -buildvcs=false -o bin/labca-gui + go build -buildvcs=false -o bin/labca-gui -ldflags="-X 'main.standaloneVersion=$GIT_VERSION'" fi export DEBIAN_FRONTEND=noninteractive diff --git a/install b/install index d4daba9..124edfa 100755 --- a/install +++ b/install 
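Review bot: The new line still builds the destination from the upload's own filename (`os.Create("/opt/backup/" + header.Filename)`), so the path written under `/opt/backup` is chosen by the request; recent Go versions pass multipart filenames through filepath.Base, but that is not visible here, and an empty, `.`, or dot-prefixed name would still produce a directory path or clobber an existing backup archive. Sanitize explicitly and reject the degenerate cases, e.g. `name := filepath.Base(header.Filename)` followed by `if name == "." || name == "/" || strings.HasPrefix(name, ".") { reg.Errors["File"] = "Invalid file name"; ... }` in the same style as the surrounding error handling, then `os.Create("/opt/backup/" + name)`. `_setupAdminUser` starts and ends outside this hunk.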
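Review bot: `r.PathPrefix("/backup/")` serves the entire `/opt/backup` directory through `http.FileServer`, which also renders directory listings, and the restore script in this diff shows those archives carry the nginx private key files (`*key*`) and a full database dump; no authentication middleware is visible on this route in the hunk. If the router applies the session check elsewhere, a comment on this line saying so would save the next reader the search; otherwise wrap the handler in the same authentication middleware the admin pages use and disable listings (a handler that 404s on paths ending in `/`). `main` continues outside this hunk.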
@@ -16,15 +16,16 @@ err_report() { # # Variables / Constants # -baseDir=/home/labca -logDir="$baseDir/logs" +installMode=${installMode:-normal} +baseDir=${baseDir:-/home/labca} +logDir=${logDir:-"$baseDir/logs"} runId="`date +%y%m%d-%H%M%S`" installLog="$logDir/install-${runId}.log" logTimeFormat="+%Y-%m-%d %T.%3N" -cloneDir="$baseDir/labca" -adminDir="$baseDir/admin" -boulderDir="$baseDir/boulder" -boulderLabCADir="${boulderDir}_labca" +cloneDir=${cloneDir:-"$baseDir/labca"} +adminDir=${adminDir:-"$baseDir/admin"} +boulderDir=${boulderDir:-"$baseDir/boulder"} +boulderLabCADir=${boulderLabCADir:-"${boulderDir}_labca"} dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" @@ -64,6 +65,7 @@ cmdlineFqdn="" cmdlineBranch="" fullCmdline="" keepLocal=0 +alphaTest=0 # # Helper functions for informing the user and logging to file @@ -175,7 +177,14 @@ pull_repo() { msg_info "$msg" sudo -u labca -H git stash --all --quiet &>>$installLog || true sudo -u labca -H git clean --quiet --force -d &>>$installLog || true - sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || msg_fatal "Could not update local repository" + sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || ( + if [ "$dir" == "$GOPATH/src/github.com/letsencrypt/boulder" ]; then + sudo -u labca -H git reset --hard $boulderTag &>>$installLog && msg_ok "$msg" || msg_fatal "Could not reset local repository" + sudo -u labca -H git pull --quiet &>>$installLog && msg_ok "$msg" || msg_fatal "Could not update local repository (after reset)" + else + msg_fatal "Could not update local repository" + fi + ) if [ "$branch" != "" ]; then cd "$dir" 
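Review bot: The fallback after a failed `git pull` is a parenthesised subshell, so `msg_fatal` inside it (presumably an `exit`) only terminates the subshell; whether the outer script then stops depends on `set -e`, which is not visible in this hunk, and the inner `&& msg_ok` branches return 0 regardless. A brace group runs in the current shell and preserves msg_fatal's exit semantics: replace `|| (` with `|| {` and the closing `)` with `}` (keeping the `;` before `}`). `$boulderTag` is used for the `git reset --hard` but is not defined in any hunk of this diff; confirm it is set before pull_repo runs for the boulder checkout, since an empty value would reset to HEAD and mask the original failure. pull_repo starts and ends outside this hunk.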
@@ -265,7 +274,7 @@ prompt_and_export() { # Parse the command line options, if any parse_cmdline() { fullCmdline="$@" - local parsed=$(getopt --options=n:,b:,k --longoptions=name:,fqdn:,branch:,keep --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" + local parsed=$(getopt --options=n:,b:,k,t --longoptions=name:,fqdn:,branch:,keep,test --name "$0" -- "$@" 2>>$installLog) || msg_fatal "Could not process commandline parameters" eval set -- "$parsed" while true; do case "$1" in @@ -284,6 +293,11 @@ parse_cmdline() { shift 1 msg_ok "option: keeping local version as is" ;; + -t|--test) + alphaTest=1 + shift 1 + msg_ok "option: INCLUDING ALPHA TEST STEPS" + ;; --) shift break @@ -496,7 +510,7 @@ static_web() { [ -e $adminDir/data/root-ca.pem ] && cp $adminDir/data/root-ca.pem certs/ || true [ -e $adminDir/data/root-ca.der ] && cp $adminDir/data/root-ca.der certs/ || true [ -e $adminDir/data/issuer/ca-int.pem ] && cp $adminDir/data/issuer/ca-int.pem certs/ || true - [ -e $adminDir/data/issuer/ca-int.pem ] && cp $adminDir/data/issuer/ca-int.der certs/ || true + [ -e $adminDir/data/issuer/ca-int.der ] && cp $adminDir/data/issuer/ca-int.der certs/ || true local have_config=$(grep restarted $adminDir/data/config.json | grep true) if [ "$have_config" != "" ]; then 
@@ -566,12 +580,12 @@ config_boulder() { [ -d ".backup" ] || mkdir -p ".backup" git add --all &>/dev/null || true - git commit --all --quiet -m "LabCA before update $runId" &>>$installLog && { msg_ok "Commit existing modifications of $boulderLabCADir"; msg_info "$msg"; } || true + [ "$installMode" == "normal" ] && git commit --all --quiet -m "LabCA before update $runId" &>>$installLog && { msg_ok "Commit existing modifications of $boulderLabCADir"; msg_info "$msg"; } || true [ ! -e "$boulderLabCADir/secrets/smtp_password" ] || mv "$boulderLabCADir/secrets/smtp_password" "$boulderLabCADir/secrets/smtp_password_PRESERVE" cp -r "$boulderDir/test" -T "$boulderLabCADir" &>>$installLog [ ! -e "$boulderLabCADir/secrets/smtp_password_PRESERVE" ] || mv "$boulderLabCADir/secrets/smtp_password_PRESERVE" "$boulderLabCADir/secrets/smtp_password" - chown -R labca:labca "$boulderLabCADir" + [ "$installMode" == "normal" ] && chown -R labca:labca "$boulderLabCADir" || /bin/true rm -rf authz-filler challtestsrv gsb-test-srv @@ -580,7 +594,14 @@ config_boulder() { msg_info "$msg" cd "$boulderDir" - $cloneDir/patch.sh "sudo -u labca -H" &>>$installLog + if [ "$installMode" == "normal" ]; then + $cloneDir/patch.sh "sudo -u labca -H" &>>$installLog + sed -i -e "s/LABCA_FQDN: .*/LABCA_FQDN: $LABCA_FQDN/" docker-compose.yml + else + $cloneDir/patch.sh &>>$installLog + fi + + git config --global --add safe.directory /home/labca/boulder_labca cp docker-compose.yml "$boulderLabCADir/.backup/" cp cmd/shell.go "$boulderLabCADir/.backup/" 
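Review bot: `git config --global --add safe.directory /home/labca/boulder_labca` hardcodes the path while the same commit makes `boulderLabCADir` overridable (`boulderLabCADir=${boulderLabCADir:-"${boulderDir}_labca"}`), so a non-default install whitelists a directory it never uses; write `git config --global --add safe.directory "$boulderLabCADir"`. Because install runs as root, `--global` lands in root's gitconfig and `--add` appends a duplicate entry on every run; guarding with `git config --global --get-all safe.directory | grep -qx "$boulderLabCADir" ||` keeps it idempotent. The `sed -i -e "s/LABCA_FQDN: .*/LABCA_FQDN: $LABCA_FQDN/"` line also interpolates the FQDN unescaped into a sed expression, harmless for a plain hostname but worth a comment noting it relies on get_fqdn having validated the value. config_boulder continues outside this hunk.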
@@ -602,7 +623,11 @@ config_boulder() { cp sa/db/boulder_sa/20210223140000_CombinedSchema.sql "$boulderLabCADir/.backup/" cp Makefile "$boulderLabCADir/.backup/" - $cloneDir/patch-cfg.sh "sudo -u labca -H" "$boulderLabCADir" &>>$installLog + if [ "$installMode" == "normal" ]; then + $cloneDir/patch-cfg.sh "sudo -u labca -H" "$boulderLabCADir" &>>$installLog + else + $cloneDir/patch-cfg.sh " " "$boulderLabCADir" &>>$installLog + fi mkdir -p $baseDir/backup [ -z "$(docker ps | grep boulder-bmysql-1)" ] || docker exec -i boulder-bmysql-1 mysqldump boulder_sa_integration >$baseDir/backup/dbdata-${runId}.sql 
@@ -611,75 +636,32 @@ config_boulder() { rm $file done - cd "$boulderLabCADir" - sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json - sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json - sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json - sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml - sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" v2_integration.py - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json - 
sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py - sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py - sed -i -e "s/5001/443/g" config/va.json - sed -i -e "s/5002/80/g" config/va.json - sed -i -e "s/5001/443/g" config/va-remote-a.json - sed -i -e "s/5002/80/g" config/va-remote-a.json - sed -i -e "s/5001/443/g" config/va-remote-b.json - sed -i -e "s/5002/80/g" config/va-remote-b.json - sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json - sed -i -e "s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json - sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json - sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json - sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json - sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json - sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json - sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json - sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json - sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json - sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go - sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json - sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json - sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json - sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json - - if [ "$flag_skip_redis" == true ]; then - sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh + if [ "$installMode" == "normal" ]; then + cd "$boulderLabCADir" + sed -i -e "s|https://boulder:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json + sed -i -e 
"s|http://boulder:4430/acme/issuer-cert|http://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json + sed -i -e "s|http://127.0.0.1:4000/acme/issuer-cert|https://$LABCA_FQDN/acme/issuer-cert|" config/wfe2.json + sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json + sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json + sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json + sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json + cd "$boulderDir" fi - for file in `find . -type f | grep -v .git`; do - sed -i -e "s|test/|labca/|g" $file - done - - sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl - - rm test-ca2.pem ([ -e mock-vendor.go ] && rm mock-vendor.go) || /bin/true ([ -e test-tools.go ] && rm test-tools.go) || /bin/true - local have_config=$(grep restarted $adminDir/data/config.json | grep true) - if [ "$have_config" != "" ]; then - $adminDir/apply-boulder &>>$installLog - else - chown -R labca:labca "$boulderLabCADir" + if [ "$installMode" == "normal" ]; then + local have_config=$(grep restarted $adminDir/data/config.json 2>/dev/null | grep true) + if [ "$have_config" != "" ]; then + $adminDir/apply-boulder &>>$installLog + else + chown -R labca:labca "$boulderLabCADir" || /bin/true + fi fi git add --all &>/dev/null || true - git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true + [ "$installMode" == "normal" ] && git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true msg_ok "$msg" } @@ -723,6 +705,10 @@ startup() { local msg="Restart docker containers and service" cd "$boulderDir" + let num=$(docker ps -a | grep " boulder-" | wc -l) + if [ $num -eq 0 ]; then + perl -i -p0e "s/(version:.*\n).*\n?(services:\n)/\1name: labca\n\2/" docker-compose.yml + fi cnt=$(docker-compose ps | wc -l) if [ "$cnt" -le "2" ]; then msg="Download docker images and build containers" 
@@ -735,11 +721,18 @@ startup() { for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog done + if [ $num -ne 0 ]; then + docker-compose stop control &>>$installLog || true + fi wait_down $PS_NGINX &>>$installLog || true wait_down $PS_MYSQL &>>$installLog || true wait_down $PS_CONSUL &>>$installLog || true wait_down $PS_LABCA &>>$installLog || true wait_down $PS_BOULDER &>>$installLog || true + if [ $num -ne 0 ]; then + wait_down $PS_CONTROL &>>$installLog || true + cnt=0 + fi for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do [ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog done @@ -754,6 +747,9 @@ startup() { [ -d /home/labca/control_logs ] || mkdir -p /home/labca/control_logs + perl -i -p0e "s/(version:.*\n).*\n?(services:\n)/\1name: labca\n\2/" docker-compose.yml + docker network rm boulder_bluenet boulder_consulnet boulder_rednet &>>$installLog || /bin/true + COMPOSE_HTTP_TIMEOUT=180 docker-compose up -d &>>$installLog wait_up $PS_NGINX &>>$installLog || true @@ -790,6 +786,20 @@ first_time() { fi } +check_dockeronly() { + set +e + wd=$(which docker) + set -e + if [ "$wd" != "" ]; then + let num=$(docker volume ls | grep labca_ | grep -v labca_dbdata | wc -l) + if [ $num -gt 0 ]; then + scriptname=$(basename $0) + echo "You can not run the $scriptname script when using dockeronly mode!" + exit 1 + fi + fi +} + # # The actual main function to tie it all together # @@ -797,6 +807,8 @@ main() { local curdir="$PWD" echo + check_dockeronly + start_temporary_log check_root install_pkg "git" 
@@ -817,6 +829,22 @@ main() { restart_if_updated fi + if [ $alphaTest -eq 1 ]; then + install_extra + cd $(dirname $this) + local msg="TEST: build labca-gui binary" + msg_info "$msg" + # this will ultimately NOT be done on the target machine! + build/build.sh &>>$installLog || msg_fatal "Could not build docker images!" + msg_ok "$msg" + msg="TEST build local docker image" + msg_info "$msg" + build/tag_and_upload.sh &>>$installLog || msg_fatal "Could not tag (and upload) docker images!" + msg_ok "$msg" + msg_ok "That's it for now!" + exit 0 + fi + get_fqdn copy_admin @@ -829,6 +857,15 @@ main() { get_boulder config_boulder + #if [ $alphaTest -eq 1 ]; then + # msg="TEST modify docker-compose.yml" + # msg_info "$msg" + # cd "$boulderDir" + # patch -p1 < $(dirname $this)/build/tmp.patch &>>$installLog + # patch -p1 -o "$boulderLabCADir/startservers.py" < $(dirname $this)/build/tmp2.patch + # msg_ok "$msg" + #fi + cleanup startup @@ -840,4 +877,4 @@ main() { cd "$curdir" } -main "$@" +[ "$installMode" == "normal" ] && main "$@" || /bin/true diff --git a/logrotate_d b/logrotate_d index a3fb0af..804e6a0 100644 --- a/logrotate_d +++ b/logrotate_d @@ -1,5 +1,5 @@ /etc/nginx/ssl/*.log -/logs/cron-*.log +/opt/logs/cron-*.log { rotate 4 monthly diff --git a/mailer b/mailer index 7327bd1..03c394a 100755 --- a/mailer +++ b/mailer @@ -5,5 +5,5 @@ set -e TODAY=`date '+%Y_%m_%d'` echo "Running cron-$(basename $0) for ${TODAY}..." -cd /boulder +cd /opt/boulder docker-compose exec -T boulder bin/expiration-mailer --config labca/config/expiration-mailer.json 2>&1 diff --git a/nginx.conf b/nginx.conf index dc6d6d2..bb055b1 100644 --- a/nginx.conf +++ b/nginx.conf @@ -59,7 +59,7 @@ server { location /admin/ { include conf.d/proxy.conf; proxy_set_header X-Request-Base "/admin"; - proxy_pass http://labca:3000/; + proxy_pass http://gui:3000/; error_page 502 504 /502.html; } 
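Review bot: `[ "$installMode" == "normal" ] && main "$@" || /bin/true` masks main's exit status, so a failed install now returns 0 to the caller and to anything that pipes this script in; if main relies on msg_fatal's `exit` that still terminates, but an ordinary non-zero return from main is lost. An `if` keeps the status intact: `if [ "$installMode" == "normal" ]; then main "$@"; fi`. A one-line comment above it explaining that non-normal mode sources this file only for its functions (as the build tooling appears to do) would make the guard's purpose clear to the next reader.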
@@ -68,7 +68,7 @@ server { proxy_set_header X-Request-Base "/admin"; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; - proxy_pass http://labca:3000/ws; + proxy_pass http://gui:3000/ws; } location /acme/ { diff --git a/patch-cfg.sh b/patch-cfg.sh index e00adcf..a9d4e99 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh 
@@ -39,3 +39,54 @@ if [ "$flag_skip_redis" == true ]; then fi for f in $(grep -l boulder-proxysql $boulderLabCADir/secrets/*); do sed -i -e "s/proxysql:6033/mysql:3306/" $f; done + +cd "$boulderLabCADir" +sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ocsp-responder.json +sed -i -e "s/test-ca2.pem/test-ca.pem/" config/publisher.json +sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json +sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml +sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" v2_integration.py +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" 
config/publisher.json +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py +sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py +sed -i -e "s/5001/443/g" config/va.json +sed -i -e "s/5002/80/g" config/va.json +sed -i -e "s/5001/443/g" config/va-remote-a.json +sed -i -e "s/5002/80/g" config/va-remote-a.json +sed -i -e "s/5001/443/g" config/va-remote-b.json +sed -i -e "s/5002/80/g" config/va-remote-b.json +sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json +sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json +sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json +sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go +sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json +sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json +sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json +sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json + +if [ "$flag_skip_redis" == true ]; then + sed -i -e "s/^\(.*wait-for-it.sh.*4218\)/#\1/" entrypoint.sh +fi + +for file in `find . -type f | grep -v .git`; do + sed -i -e "s|test/|labca/|g" $file +done + +sed -i -e "s/names/name\(s\)/" config/expiration-mailer.gotmpl + +rm test-ca2.pem diff --git a/patch.sh b/patch.sh index 5c48c18..23f11cd 100755 --- a/patch.sh +++ b/patch.sh @@ -13,6 +13,10 @@ if [ "$flag_skip_redis" == true ]; then $SUDO patch -p1 < $cloneDir/patches/docker-compose-redis.patch fi $SUDO patch -p1 < $cloneDir/patches/docker-compose.patch +if [ "$SUDO" == "" ]; then + # TODO: should incorporate this into docker-compose.patch + $SUDO patch -p1 < $cloneDir/build/tmp.patch +fi $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch 
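Review bot: The blanket rewrite loop `for file in \`find . -type f | grep -v .git\`; do sed -i -e "s|test/|labca/|g" $file; done` word-splits on filenames (unquoted `$file`, backtick expansion), and `grep -v .git` is an unanchored regex that drops any path containing one character followed by `git`, not just the `.git` tree; it also rewrites every file under the checkout, including key material and binaries, not only text config. Prefer `find . -type f -not -path './.git/*' -exec sed -i -e 's|test/|labca/|g' {} +`, ideally restricted to the file types that actually need the substitution. The bare `rm test-ca2.pem` at the end will abort this script on a re-run once the file is gone if it runs under `set -e` (not visible here); `rm -f test-ca2.pem` is the safer spelling.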
@@ -38,6 +42,10 @@ $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch $SUDO patch -p1 < $cloneDir/patches/reloader_reloader.patch $SUDO patch -p1 < $cloneDir/patches/startservers.patch +if [ "$SUDO" == "" ]; then + # TODO: should include this into startservers.patch + $SUDO patch -p1 < $cloneDir/build/tmp2.patch +fi $SUDO patch -p1 < $cloneDir/patches/storer_storer.patch $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch index e0452c2..a8c0340 100644 --- a/patches/config_crl-storer.patch +++ b/patches/config_crl-storer.patch @@ -11,7 +11,7 @@ index 61f14d79..a620896f 100644 - "/hierarchy/intermediate-cert-ecdsa-a.pem" + "/hierarchy/intermediate-cert-rsa-a.pem" ], -+ "localStorePath": "/wwwstatic/crl", ++ "localStorePath": "/opt/wwwstatic/crl", "s3Endpoint": "http://localhost:7890", "s3Bucket": "lets-encrypt-crls", "awsConfigFile": "test/config/crl-storer.ini", diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 5d5ce98..ad76712 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 5699aa777..77ec97a16 100644 +index 5699aa777..cfdcc784a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,10 +8,12 @@ services: @@ -10,9 +10,10 @@ index 5699aa777..77ec97a16 100644 + BOULDER_CONFIG_DIR: &boulder_config_dir labca/config GOFLAGS: -mod=vendor volumes: - - .:/boulder:cached -+ - /home/labca/boulder_labca:/boulder/labca -+ - /home/labca/nginx_data/static:/wwwstatic +- - .:/boulder:cached ++ - .:/opt/boulder:cached ++ - /home/labca/boulder_labca:/opt/boulder/labca ++ - /home/labca/nginx_data/static:/opt/wwwstatic - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached 
@@ -33,8 +34,9 @@ index 5699aa777..77ec97a16 100644 - - bproxysql - bconsul - entrypoint: test/entrypoint.sh +- working_dir: &boulder_working_dir /boulder + entrypoint: labca/entrypoint.sh - working_dir: &boulder_working_dir /boulder ++ working_dir: &boulder_working_dir /opt/boulder + logging: + driver: "json-file" + options: @@ -77,12 +79,12 @@ index 5699aa777..77ec97a16 100644 bconsul: image: hashicorp/consul:1.13.1 -@@ -83,18 +81,68 @@ services: +@@ -83,18 +81,70 @@ services: ipv4_address: 10.55.55.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" - netaccess: -+ labca: ++ gui: image: *boulder_image - environment: - GO111MODULE: "on" @@ -91,14 +93,15 @@ index 5699aa777..77ec97a16 100644 networks: - bluenet volumes: -+ - /home/labca/admin:/go/src/labca -+ - ./.gocache:/root/.cache/go-build -+ - /home/labca/nginx_data/static:/wwwstatic -+ - /home/labca/backup:/backup - - .:/boulder +- - .:/boulder - working_dir: *boulder_working_dir - entrypoint: test/entrypoint-netaccess.sh -+ - /home/labca/boulder_labca:/boulder/labca ++ - /home/labca/admin:/go/src/labca ++ - ./.gocache:/root/.cache/go-build ++ - /home/labca/nginx_data/static:/opt/wwwstatic ++ - /home/labca/backup:/opt/backup ++ - .:/opt/boulder ++ - /home/labca/boulder_labca:/opt/boulder/labca + expose: + - 3000 + depends_on: 
@@ -131,12 +134,14 @@ index 5699aa777..77ec97a16 100644 + - bluenet + volumes: + - /var/run/docker.sock:/var/run/docker.sock -+ - /home/labca/admin:/admin -+ - /home/labca/labca:/labca -+ - /home/labca/backup:/backup -+ - /home/labca/control_logs:/logs -+ - .:/boulder -+ - /home/labca/boulder_labca:/boulder/labca ++ - /home/labca/admin/data:/opt/labca/data ++ - /home/labca/admin/data:/opt/labca/gui/data ++ - /home/labca/admin/bin:/opt/labca/bin ++ - /home/labca/labca:/opt/labca ++ - /home/labca/backup:/opt/backup ++ - /home/labca/control_logs:/opt/logs ++ - .:/opt/boulder ++ - /home/labca/boulder_labca:/opt/boulder/labca + - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d + - /home/labca/nginx_data/ssl:/etc/nginx/ssl + - /home/labca/nginx_data/static:/var/www/html @@ -144,7 +149,7 @@ index 5699aa777..77ec97a16 100644 + - 3030 + environment: + LABCA_FQDN: ${LABCA_FQDN:-notset} -+ working_dir: /labca ++ working_dir: /opt/labca + command: ./control.sh + restart: always + diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index cc7b35a..a8320d4 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -17,7 +17,7 @@ index aa398d0a..0db875d2 100644 + // If there is no .crl file yet, generate one (after a delay to let all other + // components start up fully). + // Dirty hack to check filesystem directly instead of using the crl-storer... -+ files, err := os.ReadDir("/wwwstatic/crl/") ++ files, err := os.ReadDir("/opt/wwwstatic/crl/") + if err != nil { + return err + } @@ -31,7 +31,7 @@ index aa398d0a..0db875d2 100644 + select { + case <-ctx.Done(): + return ctx.Err() -+ case <-time.After(time.Minute): ++ case <-time.After(2 * time.Minute): + } + + cu.Tick(ctx, cu.clk.Now()) diff --git a/renew b/renew index 363aa67..d234c89 100755 --- a/renew +++ b/renew 
@@ -5,8 +5,8 @@ set -e cd /etc/nginx/ssl echo >> acme_tiny.log date >> acme_tiny.log -python3 /labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2> >(tee -a acme_tiny.log >&2) || exit 1 +python3 /opt/labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2> >(tee -a acme_tiny.log >&2) || exit 1 mv domain_chain.crt labca_cert.pem -cd /boulder +cd /opt/boulder docker-compose restart nginx diff --git a/restore b/restore index dff6cf1..b517b8b 100755 --- a/restore +++ b/restore @@ -2,7 +2,7 @@ set -e -FILE=/backup/$1 +FILE=/opt/backup/$1 [ "$1" != "" ] || (echo "You must provide a backup file name to restore"; exit 1) [ -f $FILE ] || (echo "Backup file '$FILE' not found"; exit 1) @@ -13,13 +13,13 @@ TMPDIR=/tmp/$BASE cd /tmp tar xzf $FILE 2>&1 -cd /boulder +cd /opt/boulder [ -f $TMPDIR/boulder_sa_integration.sql ] || (echo "MySQL backup file not found"; exit 1) docker-compose exec -T bmysql mysql boulder_sa_integration <$TMPDIR/boulder_sa_integration.sql mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /etc/nginx/ssl/ [ -d $TMPDIR/data ] || (echo "Data folder backup not found"; exit 1) -rm -rf /admin/data && mv $TMPDIR/data /admin/ +rm -rf /opt/labca/data/* && mv $TMPDIR/data/* /opt/labca/data/ rm -rf $TMPDIR diff --git a/utils.sh b/utils.sh index 0b0b3aa..90f0739 100644 --- a/utils.sh +++ b/utils.sh @@ -4,7 +4,7 @@ set -e export PS_LABCA="bin/labca-gui" export PS_BOULDER="bin/boulder" -export PS_BOULDER_COUNT=22 +export PS_BOULDER_COUNT=21 export PS_MYSQL="mysqld" export PS_CONTROL="tcpserver" export PS_NGINX="nginx:" 
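Review bot: `FILE=/opt/backup/$1` takes the archive name unvalidated, so an argument containing `../` reads and extracts a tarball from outside the backup directory; if the GUI ever passes a user-supplied name through to this script, that matters. `FILE=/opt/backup/$(basename "$1")` confines it, and the later `[ -f $FILE ]` test should quote the variable. The rest of the script is in the following hunk.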
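Review bot: `rm -rf /opt/labca/data/* && mv $TMPDIR/data/* /opt/labca/data/` wipes the live CA data directory before the move has succeeded, so a failing `mv` (cross-device bind mount, permissions) leaves the installation with no data at all, and the unquoted `*` globs skip dotfiles in both directions. Copy into place first and only then remove what is stale, e.g. `cp -a "$TMPDIR"/data/. /opt/labca/data/`, or stage into a sibling directory and swap. The same `mv -f $TMPDIR/*key* ...` line replaces the nginx private key unconditionally; a short comment stating that the restore intentionally overwrites the TLS key would document that side effect.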
@@ -18,7 +18,7 @@ count() { local prefix="" case $pattern in $PS_LABCA) - prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -labca-) " + prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- labca-gui-) " ;; $PS_BOULDER) prefix="docker exec $(docker ps --format "{{.Names}}" | grep -- -boulder-) "