fix: properly handle certs on alpine docker

2024-08-11 11:08:33 +01:00 · 2024-08-11 11:08:33 +01:00 · fd7c4362a3
commit fd7c4362a3
parent d4f703b0fc
5 changed files with 80 additions and 106 deletions
--- a/bin/lamassu-admin-server-entrypoint.sh
+++ b/bin/lamassu-admin-server-entrypoint.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -e
+
+CERT_FILES=(
+  /lamassu-data/certs/{Lamassu_CA,Lamassu_OP,Lamassu_OP_Root_CA}.pem
+  /lamassu-data/certs/Lamassu_OP_Root_CA.srl
+  /lamassu-data/private/{Lamassu_OP,Lamassu_OP_Root_CA}.key
+)
+
+if ! (( ${#CERT_FILES[@]} == $(ls "${CERT_FILES[@]}" 2>/dev/null | wc -l) )); then
+    echo "Some certificates are missing. Retrying in 5 seconds"
+    sleep 5
+    exit 1
+fi
+
+echo "Update certs on alpine"
+cp /lamassu-data/certs/Lamassu_CA.pem /usr/local/share/ca-certificates
+cp /lamassu-data/certs/Lamassu_OP_Root_CA.pem /usr/local/share/ca-certificates
+update-ca-certificates
+
+echo "Starting admin server..."
+node /lamassu-server/bin/lamassu-admin-server
--- a/bin/lamassu-server-entrypoint.sh
+++ b/bin/lamassu-server-entrypoint.sh
@ -1,20 +1,25 @@
 #!/usr/bin/env bash
+CERT_FILES=(
+  /lamassu-data/certs/{Lamassu_CA,Lamassu_OP,Lamassu_OP_Root_CA}.pem
+  /lamassu-data/certs/Lamassu_OP_Root_CA.srl
+  /lamassu-data/private/{Lamassu_OP,Lamassu_OP_Root_CA}.key
+)

-FILE_1=/etc/ssl/certs/Lamassu_CA.pem
-FILE_2=/etc/ssl/certs/Lamassu_OP.pem
-FILE_3=/etc/ssl/certs/Lamassu_OP_Root_CA.pem
-FILE_4=/etc/ssl/certs/Lamassu_OP_Root_CA.srl
-FILE_5=/etc/ssl/private/Lamassu_OP.key
-FILE_6=/etc/ssl/private/Lamassu_OP_Root_CA.key
+echo "Checking for Lamassu certificates..."

-echo "Checking for the existence of certificates..."
-if [[ ! -f "$FILE_1" || ! -f "$FILE_2" || ! -f "$FILE_3" || ! -f "$FILE_4" || ! -f "$FILE_5" || ! -f "$FILE_6" ]]; then
-  echo "No Lamassu certificates found. Building them..."
-  bash /lamassu-server/tools/build-docker-certs.sh
+if ! (( ${#CERT_FILES[@]} == $(ls "${CERT_FILES[@]}" 2>/dev/null | wc -l) )); then
+    echo "Some certificates are missing. Building them..."
+    bash /lamassu-server/tools/build-docker-certs.sh
 fi

+echo "Upcate certs on alpine"
+cp /lamassu-data/certs/Lamassu_CA.pem /usr/local/share/ca-certificates
+cp /lamassu-data/certs/Lamassu_OP_Root_CA.pem /usr/local/share/ca-certificates
+update-ca-certificates
+
 echo "Executing migrations..."
 node /lamassu-server/bin/lamassu-migrate

 echo "Starting server..."
 node /lamassu-server/bin/lamassu-server
+
--- a/build/server.Dockerfile
+++ b/build/server.Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.14 as build
+FROM alpine:3.14 AS build
 RUN apk add --no-cache nodejs npm git curl build-base net-tools python3 postgresql-dev

 WORKDIR lamassu-server
@ -10,13 +10,13 @@ RUN npm install --production
 COPY . ./


-FROM alpine:3.14 as l-s-base
-RUN apk add --no-cache nodejs npm git curl bash libpq openssl
+FROM alpine:3.14 AS l-s-base
+RUN apk add --no-cache nodejs npm git curl bash libpq openssl ca-certificates

 COPY --from=build /lamassu-server /lamassu-server


-FROM l-s-base as l-s
+FROM l-s-base AS l-s

 RUN chmod +x /lamassu-server/bin/lamassu-server-entrypoint.sh

@ -25,7 +25,7 @@ EXPOSE 3000
 ENTRYPOINT [ "/lamassu-server/bin/lamassu-server-entrypoint.sh" ]


-FROM alpine:3.14 as build-ui
+FROM alpine:3.14 AS build-ui
 RUN apk add --no-cache nodejs npm git curl build-base python3

 COPY ["new-lamassu-admin/package.json", "new-lamassu-admin/package-lock.json", "./"]
@ -37,10 +37,11 @@ COPY new-lamassu-admin/ ./
 RUN npm run build


-FROM l-s-base as l-a-s
+FROM l-s-base AS l-a-s
 COPY --from=build-ui /build /lamassu-server/public

+RUN chmod +x /lamassu-server/bin/lamassu-admin-server-entrypoint.sh
+
 EXPOSE 443

-ENTRYPOINT [ "node" ]
-CMD [ "/lamassu-server/bin/lamassu-admin-server" ]
+ENTRYPOINT [ "/lamassu-server/bin/lamassu-admin-server-entrypoint.sh" ]
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -1,115 +1,62 @@
 version: "3.8"

-networks:
-  lamassu-network:
-    ipam:
-      driver: default
-      config:
-        - subnet: "172.29.0.0/24"
-
 services:
-  database:
-    container_name: postgres-db
-    image: postgres
-    restart: on-failure
-    environment:
-      - POSTGRES_DB=lamassu
-      - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=postgres123
-    logging:
-      options:
-        max-size: 10m
-        max-file: "3"
-    ports:
-      - 15432:5432
-    volumes:
-      - ~/lamassu-data/psql:/var/lib/postgresql/data
-    networks:
-      - lamassu-network
-    healthcheck:
-      test: pg_isready -U postgres -d postgres
-      interval: 3s
-      timeout: 3s
-      retries: 10
-
  lamassu-server:
-    container_name: lamassu-server
    build:
      context: .
      dockerfile: build/server.Dockerfile
-      target: production-l-s
+      target: l-s
    restart: on-failure
    ports:
      - 3000:3000
    volumes:
-      - ~/lamassu-data/certs:/etc/ssl/certs
-      - ~/lamassu-data/private:/etc/ssl/private
-      - ~/lamassu-data/files:/opt/lamassu-server
-      - ~/lamassu-data/mnemonics:/etc/lamassu/mnemonics
-      - ~/lamassu-data/ofac:/var/lamassu/ofac
-      - ~/lamassu-data/blockchains:/mnt/blockchains
-    networks:
-      lamassu-network:
-        ipv4_address: 172.29.0.3
+      - ./lamassu-data:/lamassu-data
    environment:
      - NODE_ENV=production
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres123
-      - POSTGRES_HOST=postgres-db
+      - POSTGRES_HOST=host.docker.internal
      - POSTGRES_PORT=5432
      - POSTGRES_DB=lamassu
-      - CA_PATH=/etc/ssl/certs/Lamassu_OP_Root_CA.pem
-      - CERT_PATH=/etc/ssl/certs/Lamassu_OP.pem
-      - KEY_PATH=/etc/ssl/private/Lamassu_OP.key
-      - MNEMONIC_PATH=/etc/lamassu/mnemonics/mnemonic.txt
-      - BLOCKCHAIN_DIR=/mnt/blockchains
-      - OFAC_DATA_DIR=/var/lamassu/ofac
-      - ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard
-      - FRONT_CAMERA_DIR=/opt/lamassu-server/frontcamera
-      - OPERATOR_DATA_DIR=/opt/lamassu-server/operatordata
+      - CA_PATH=/lamassu-data/certs/Lamassu_OP_Root_CA.pem
+      - CERT_PATH=/lamassu-data/certs/Lamassu_OP.pem
+      - KEY_PATH=/lamassu-data/private/Lamassu_OP.key
+      - MNEMONIC_PATH=/lamassu-data/mnemonics/mnemonic.txt
+      - OFAC_DATA_DIR=/lamassu-data/ofac
+      - ID_PHOTO_CARD_DIR=/lamassu-data/idphotocard
+      - FRONT_CAMERA_DIR=/lamassu-data/frontcamera
+      - OPERATOR_DATA_DIR=/lamassu-data/operatordata
      - COIN_ATM_RADAR_URL=https://coinatmradar.info/api/lamassu/
      - OFAC_SOURCES_NAMES=sdn_advanced,cons_advanced
      - OFAC_SOURCES_URLS=https://www.treasury.gov/ofac/downloads/sanctions/1.0/sdn_advanced.xml,https://www.treasury.gov/ofac/downloads/sanctions/1.0/cons_advanced.xml
      - HOSTNAME=localhost
      - LOG_LEVEL=info
-    depends_on:
-      database:
-        condition: service_healthy

  lamassu-admin-server:
-    container_name: lamassu-admin-server
    build:
      context: .
-      dockerfile: build/admin-server.Dockerfile
-      target: production-l-a-s
+      dockerfile: build/server.Dockerfile
+      target: l-a-s
    restart: on-failure
    ports:
      - 443:443
    volumes:
-      - ~/lamassu-data/certs:/etc/ssl/certs
-      - ~/lamassu-data/private:/etc/ssl/private
-      - ~/lamassu-data/files:/opt/lamassu-server
-      - ~/lamassu-data/mnemonics:/etc/lamassu/mnemonics
-      - ~/lamassu-data/ofac:/var/lamassu/ofac
-      - ~/lamassu-data/blockchains:/mnt/blockchains
-    networks:
-      - lamassu-network
+      - ./lamassu-data:/lamassu-data
    environment:
      - NODE_ENV=production
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres123
-      - POSTGRES_HOST=postgres-db
+      - POSTGRES_HOST=host.docker.internal
      - POSTGRES_PORT=5432
      - POSTGRES_DB=lamassu
-      - CA_PATH=/etc/ssl/certs/Lamassu_OP_Root_CA.pem
-      - CERT_PATH=/etc/ssl/certs/Lamassu_OP.pem
-      - KEY_PATH=/etc/ssl/private/Lamassu_OP.key
-      - MNEMONIC_PATH=/etc/lamassu/mnemonics/mnemonic.txt
-      - BLOCKCHAIN_DIR=/mnt/blockchains
-      - OFAC_DATA_DIR=/var/lamassu/ofac
-      - ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard
-      - FRONT_CAMERA_DIR=/opt/lamassu-server/frontcamera
-      - OPERATOR_DATA_DIR=/opt/lamassu-server/operatordata
+      - CA_PATH=/lamassu-data/certs/Lamassu_OP_Root_CA.pem
+      - CERT_PATH=/lamassu-data/certs/Lamassu_OP.pem
+      - KEY_PATH=/lamassu-data/private/Lamassu_OP.key
+      - MNEMONIC_PATH=/lamassu-data/mnemonics/mnemonic.txt
+      - OFAC_DATA_DIR=/lamassu-data/ofac
+      - ID_PHOTO_CARD_DIR=/lamassu-data/idphotocard
+      - FRONT_CAMERA_DIR=/lamassu-data/frontcamera
+      - OPERATOR_DATA_DIR=/lamassu-data/operatordata
      - COIN_ATM_RADAR_URL=https://coinatmradar.info/api/lamassu/
      - OFAC_SOURCES_NAMES=sdn_advanced,cons_advanced
      - OFAC_SOURCES_URLS=https://www.treasury.gov/ofac/downloads/sanctions/1.0/sdn_advanced.xml,https://www.treasury.gov/ofac/downloads/sanctions/1.0/cons_advanced.xml
--- a/tools/build-docker-certs.sh
+++ b/tools/build-docker-certs.sh
@ -3,22 +3,21 @@ set -e

 export LOG_FILE=/tmp/install.log

-CERT_DIR=/etc/ssl/certs
-KEY_DIR=/etc/ssl/private
-CONFIG_DIR=/etc/lamassu
+CONFIG_DIR=/lamassu-data
+
+# certs
+CERT_DIR=$CONFIG_DIR/certs
+KEY_DIR=$CONFIG_DIR/private
 LAMASSU_CA_PATH=$CERT_DIR/Lamassu_CA.pem
 CA_KEY_PATH=$KEY_DIR/Lamassu_OP_Root_CA.key
 CA_PATH=$CERT_DIR/Lamassu_OP_Root_CA.pem
 SERVER_KEY_PATH=$KEY_DIR/Lamassu_OP.key
 SERVER_CERT_PATH=$CERT_DIR/Lamassu_OP.pem
-MNEMONIC_DIR=$CONFIG_DIR/mnemonics 
-MNEMONIC_FILE=$MNEMONIC_DIR/mnemonic.txt 
-BACKUP_DIR=/var/backups/postgresql
-BLOCKCHAIN_DIR=/mnt/blockchains
-OFAC_DATA_DIR=/var/lamassu/ofac
-ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard
-FRONTCAMERA_DIR=/opt/lamassu-server/frontcamera
-OPERATOR_DIR=/opt/lamassu-server/operatordata
+
+# other
+MNEMONIC_DIR=$CONFIG_DIR/mnemonics
+MNEMONIC_FILE=$MNEMONIC_DIR/mnemonic.txt
+OFAC_DATA_DIR=$CONFIG_DIR/ofac

 decho () {
  echo `date +"%H:%M:%S"` $1
@ -35,7 +34,7 @@ MNEMONIC=$(/lamassu-server/bin/bip39 $SEED)
 echo "$MNEMONIC" > $MNEMONIC_FILE

 mkdir -p $CERT_DIR
-mkdir -p $CONFIG_DIR
+mkdir -p $KEY_DIR

 decho "Generating SSL certificates..."