From fd7c4362a38cd264ad40aec77e6eaeaf05337880 Mon Sep 17 00:00:00 2001
From: Rafael Taranto
Date: Sun, 11 Aug 2024 11:08:33 +0100
Subject: [PATCH] fix: properly handle certs on alpine docker
---
 bin/lamassu-admin-server-entrypoint.sh | 22 ++++++
 bin/lamassu-server-entrypoint.sh | 25 ++++---
 build/server.Dockerfile | 17 ++---
 docker-compose.yaml | 99 ++++++--------------------
 tools/build-docker-certs.sh | 23 +++---
 5 files changed, 80 insertions(+), 106 deletions(-)
 create mode 100644 bin/lamassu-admin-server-entrypoint.sh
diff --git a/bin/lamassu-admin-server-entrypoint.sh b/bin/lamassu-admin-server-entrypoint.sh
new file mode 100644
index 00000000..47aefe82
--- /dev/null
+++ b/bin/lamassu-admin-server-entrypoint.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -e
+
+CERT_FILES=(
+ /lamassu-data/certs/{Lamassu_CA,Lamassu_OP,Lamassu_OP_Root_CA}.pem
+ /lamassu-data/certs/Lamassu_OP_Root_CA.srl
+ /lamassu-data/private/{Lamassu_OP,Lamassu_OP_Root_CA}.key
+)
+
+if ! (( ${#CERT_FILES[@]} == $(ls "${CERT_FILES[@]}" 2>/dev/null | wc -l) )); then
+ echo "Some certificates are missing. Retrying in 5 seconds"
+ sleep 5
+ exit 1
+fi
+
+echo "Update certs on alpine"
+cp /lamassu-data/certs/Lamassu_CA.pem /usr/local/share/ca-certificates
+cp /lamassu-data/certs/Lamassu_OP_Root_CA.pem /usr/local/share/ca-certificates
+update-ca-certificates
+
+echo "Starting admin server..."
+node /lamassu-server/bin/lamassu-admin-server
diff --git a/bin/lamassu-server-entrypoint.sh b/bin/lamassu-server-entrypoint.sh
index a5af9481..b4a06441 100644
--- a/bin/lamassu-server-entrypoint.sh
+++ b/bin/lamassu-server-entrypoint.sh
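Review bot: The trust-store update on the two `cp` lines followed by `update-ca-certificates` may be a silent no-op: as far as I know Alpine's `update-ca-certificates`, like Debian's, only imports `*.crt` files from `/usr/local/share/ca-certificates`, so the `.pem` copies would be skipped while the tool still exits 0 — verify on the 3.14 image and, if so, rename on copy, e.g. `cp /lamassu-data/certs/Lamassu_OP_Root_CA.pem /usr/local/share/ca-certificates/Lamassu_OP_Root_CA.crt` (the identical `cp` lines in the `lamassu-server-entrypoint.sh` hunk have the same issue). Because the operator root CA's private key lives on the same `/lamassu-data` volume, a comment above the `cp` lines should state that this makes every certificate signed by that key trusted for all outbound TLS of any process in the container that reads the system store (curl, and Node if the Alpine build honours it), not only for the ATM connections; `NODE_EXTRA_CA_CERTS` pointing at the PEM would scope the trust to the Node process and avoid root-only writes at start-up. The `ls … | wc -l` count is an indirect existence test; `for f in "${CERT_FILES[@]}"; do [[ -f "$f" ]] || missing=1; done` reports which file is absent and does not depend on `ls` output formatting.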
@@ -1,20 +1,25 @@
 #!/usr/bin/env bash
+CERT_FILES=(
+ /lamassu-data/certs/{Lamassu_CA,Lamassu_OP,Lamassu_OP_Root_CA}.pem
+ /lamassu-data/certs/Lamassu_OP_Root_CA.srl
+ /lamassu-data/private/{Lamassu_OP,Lamassu_OP_Root_CA}.key
+)
-FILE_1=/etc/ssl/certs/Lamassu_CA.pem
-FILE_2=/etc/ssl/certs/Lamassu_OP.pem
-FILE_3=/etc/ssl/certs/Lamassu_OP_Root_CA.pem
-FILE_4=/etc/ssl/certs/Lamassu_OP_Root_CA.srl
-FILE_5=/etc/ssl/private/Lamassu_OP.key
-FILE_6=/etc/ssl/private/Lamassu_OP_Root_CA.key
+echo "Checking for Lamassu certificates..."
-echo "Checking for the existence of certificates..."
-if [[ ! -f "$FILE_1" || ! -f "$FILE_2" || ! -f "$FILE_3" || ! -f "$FILE_4" || ! -f "$FILE_5" || ! -f "$FILE_6" ]]; then
- echo "No Lamassu certificates found. Building them..."
- bash /lamassu-server/tools/build-docker-certs.sh
+if ! (( ${#CERT_FILES[@]} == $(ls "${CERT_FILES[@]}" 2>/dev/null | wc -l) )); then
+ echo "Some certificates are missing. Building them..."
+ bash /lamassu-server/tools/build-docker-certs.sh
 fi
+echo "Upcate certs on alpine"
+cp /lamassu-data/certs/Lamassu_CA.pem /usr/local/share/ca-certificates
+cp /lamassu-data/certs/Lamassu_OP_Root_CA.pem /usr/local/share/ca-certificates
+update-ca-certificates
+
 echo "Executing migrations..."
 node /lamassu-server/bin/lamassu-migrate
 echo "Starting server..."
 node /lamassu-server/bin/lamassu-server
+
diff --git a/build/server.Dockerfile b/build/server.Dockerfile
index 882b131b..05bbdf87 100644
--- a/build/server.Dockerfile
+++ b/build/server.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.14 as build
+FROM alpine:3.14 AS build
 RUN apk add --no-cache nodejs npm git curl build-base net-tools python3 postgresql-dev
 WORKDIR lamassu-server
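Review bot: This script still has no `set -e` while the new admin entrypoint does, so a failed `bash /lamassu-server/tools/build-docker-certs.sh` or `cp` falls through to `update-ca-certificates`, the migrations and the server start with whatever partial certificate state exists; add `set -e` below the shebang or `|| exit 1` on those calls. The final `node /lamassu-server/bin/lamassu-server` runs as a child of bash (PID 1 in the container) rather than via `exec`, so `docker stop` delivers SIGTERM to bash, which neither acts on it nor forwards it, and node is only killed after the grace period — `exec node /lamassu-server/bin/lamassu-server "$@"` fixes this and also passes through any `docker run` arguments; the same applies to the last line of the admin entrypoint hunk. The added echo reads `Upcate certs on alpine` — `Update`.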
@@ -10,13 +10,13 @@
 RUN npm install --production
 COPY . ./
-FROM alpine:3.14 as l-s-base
-RUN apk add --no-cache nodejs npm git curl bash libpq openssl
+FROM alpine:3.14 AS l-s-base
+RUN apk add --no-cache nodejs npm git curl bash libpq openssl ca-certificates
 COPY --from=build /lamassu-server /lamassu-server
-FROM l-s-base as l-s
+FROM l-s-base AS l-s
 RUN chmod +x /lamassu-server/bin/lamassu-server-entrypoint.sh
@@ -25,7 +25,7 @@
 EXPOSE 3000
 ENTRYPOINT [ "/lamassu-server/bin/lamassu-server-entrypoint.sh" ]
-FROM alpine:3.14 as build-ui
+FROM alpine:3.14 AS build-ui
 RUN apk add --no-cache nodejs npm git curl build-base python3
 COPY ["new-lamassu-admin/package.json", "new-lamassu-admin/package-lock.json", "./"]
@@ -37,10 +37,11 @@
 COPY new-lamassu-admin/ ./
 RUN npm run build
-FROM l-s-base as l-a-s
+FROM l-s-base AS l-a-s
 COPY --from=build-ui /build /lamassu-server/public
+RUN chmod +x /lamassu-server/bin/lamassu-admin-server-entrypoint.sh
+
 EXPOSE 443
-ENTRYPOINT [ "node" ]
-CMD [ "/lamassu-server/bin/lamassu-admin-server" ]
+ENTRYPOINT [ "/lamassu-server/bin/lamassu-admin-server-entrypoint.sh" ]
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2aa0beb1..bb8cb1ce 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
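Review bot: `alpine:3.14` reached end of life in May 2023, so every `FROM` line this commit rewrites (here and in the `-1,4`, `-25,7` and `-37,10` hunks) pins a base that no longer receives security fixes for `openssl`, `libpq` or `nodejs`; since these lines are being edited anyway, moving to a supported release, or at least a comment stating why 3.14 is kept, belongs in this change. `ca-certificates` is added only so the entrypoints can run `update-ca-certificates` at start-up, which requires the container to run as root; neither runtime stage sets a `USER`, and a comment on the `RUN apk add` line such as `# ca-certificates: entrypoints import the operator CA at start-up (needs root)` would make that coupling visible to whoever later tries to drop privileges.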
@@ -1,115 +1,62 @@ version: "3.8" -networks: - lamassu-network: - ipam: - driver: default - config: - - subnet: "172.29.0.0/24" - services: - database: - container_name: postgres-db - image: postgres - restart: on-failure - environment: - - POSTGRES_DB=lamassu - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=postgres123 - logging: - options: - max-size: 10m - max-file: "3" - ports: - - 15432:5432 - volumes: - - ~/lamassu-data/psql:/var/lib/postgresql/data - networks: - - lamassu-network - healthcheck: - test: pg_isready -U postgres -d postgres - interval: 3s - timeout: 3s - retries: 10 - lamassu-server: - container_name: lamassu-server build: context: . dockerfile: build/server.Dockerfile - target: production-l-s + target: l-s restart: on-failure ports: - 3000:3000 volumes: - - ~/lamassu-data/certs:/etc/ssl/certs - - ~/lamassu-data/private:/etc/ssl/private - - ~/lamassu-data/files:/opt/lamassu-server - - ~/lamassu-data/mnemonics:/etc/lamassu/mnemonics - - ~/lamassu-data/ofac:/var/lamassu/ofac - - ~/lamassu-data/blockchains:/mnt/blockchains - networks: - lamassu-network: - ipv4_address: 172.29.0.3 + - ./lamassu-data:/lamassu-data environment: - NODE_ENV=production - POSTGRES_USER=postgres - POSTGRES_PASSWORD=postgres123 - - POSTGRES_HOST=postgres-db + - POSTGRES_HOST=host.docker.internal - POSTGRES_PORT=5432 - POSTGRES_DB=lamassu - - CA_PATH=/etc/ssl/certs/Lamassu_OP_Root_CA.pem - - CERT_PATH=/etc/ssl/certs/Lamassu_OP.pem - - KEY_PATH=/etc/ssl/private/Lamassu_OP.key - - MNEMONIC_PATH=/etc/lamassu/mnemonics/mnemonic.txt - - BLOCKCHAIN_DIR=/mnt/blockchains - - OFAC_DATA_DIR=/var/lamassu/ofac - - ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard - - FRONT_CAMERA_DIR=/opt/lamassu-server/frontcamera - - OPERATOR_DATA_DIR=/opt/lamassu-server/operatordata + - CA_PATH=/lamassu-data/certs/Lamassu_OP_Root_CA.pem + - CERT_PATH=/lamassu-data/certs/Lamassu_OP.pem + - KEY_PATH=/lamassu-data/private/Lamassu_OP.key + - MNEMONIC_PATH=/lamassu-data/mnemonics/mnemonic.txt + - 
OFAC_DATA_DIR=/lamassu-data/ofac + - ID_PHOTO_CARD_DIR=/lamassu-data/idphotocard + - FRONT_CAMERA_DIR=/lamassu-data/frontcamera + - OPERATOR_DATA_DIR=/lamassu-data/operatordata - COIN_ATM_RADAR_URL=https://coinatmradar.info/api/lamassu/ - OFAC_SOURCES_NAMES=sdn_advanced,cons_advanced - OFAC_SOURCES_URLS=https://www.treasury.gov/ofac/downloads/sanctions/1.0/sdn_advanced.xml,https://www.treasury.gov/ofac/downloads/sanctions/1.0/cons_advanced.xml - HOSTNAME=localhost - LOG_LEVEL=info - depends_on: - database: - condition: service_healthy lamassu-admin-server: - container_name: lamassu-admin-server build: context: . - dockerfile: build/admin-server.Dockerfile - target: production-l-a-s + dockerfile: build/server.Dockerfile + target: l-a-s restart: on-failure ports: - 443:443 volumes: - - ~/lamassu-data/certs:/etc/ssl/certs - - ~/lamassu-data/private:/etc/ssl/private - - ~/lamassu-data/files:/opt/lamassu-server - - ~/lamassu-data/mnemonics:/etc/lamassu/mnemonics - - ~/lamassu-data/ofac:/var/lamassu/ofac - - ~/lamassu-data/blockchains:/mnt/blockchains - networks: - - lamassu-network + - ./lamassu-data:/lamassu-data environment: - NODE_ENV=production - POSTGRES_USER=postgres - POSTGRES_PASSWORD=postgres123 - - POSTGRES_HOST=postgres-db + - POSTGRES_HOST=host.docker.internal - POSTGRES_PORT=5432 - POSTGRES_DB=lamassu - - CA_PATH=/etc/ssl/certs/Lamassu_OP_Root_CA.pem - - CERT_PATH=/etc/ssl/certs/Lamassu_OP.pem - - KEY_PATH=/etc/ssl/private/Lamassu_OP.key - - MNEMONIC_PATH=/etc/lamassu/mnemonics/mnemonic.txt - - BLOCKCHAIN_DIR=/mnt/blockchains - - OFAC_DATA_DIR=/var/lamassu/ofac - - ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard - - FRONT_CAMERA_DIR=/opt/lamassu-server/frontcamera - - OPERATOR_DATA_DIR=/opt/lamassu-server/operatordata + - CA_PATH=/lamassu-data/certs/Lamassu_OP_Root_CA.pem + - CERT_PATH=/lamassu-data/certs/Lamassu_OP.pem + - KEY_PATH=/lamassu-data/private/Lamassu_OP.key + - MNEMONIC_PATH=/lamassu-data/mnemonics/mnemonic.txt + - 
OFAC_DATA_DIR=/lamassu-data/ofac + - ID_PHOTO_CARD_DIR=/lamassu-data/idphotocard + - FRONT_CAMERA_DIR=/lamassu-data/frontcamera + - OPERATOR_DATA_DIR=/lamassu-data/operatordata - COIN_ATM_RADAR_URL=https://coinatmradar.info/api/lamassu/ - OFAC_SOURCES_NAMES=sdn_advanced,cons_advanced - OFAC_SOURCES_URLS=https://www.treasury.gov/ofac/downloads/sanctions/1.0/sdn_advanced.xml,https://www.treasury.gov/ofac/downloads/sanctions/1.0/cons_advanced.xml
diff --git a/tools/build-docker-certs.sh b/tools/build-docker-certs.sh
index eebd4599..e2dd1b90 100644
--- a/tools/build-docker-certs.sh
+++ b/tools/build-docker-certs.sh
@@ -3,22 +3,21 @@
 set -e
 export LOG_FILE=/tmp/install.log
-CERT_DIR=/etc/ssl/certs
-KEY_DIR=/etc/ssl/private
-CONFIG_DIR=/etc/lamassu
+CONFIG_DIR=/lamassu-data
+
+# certs
+CERT_DIR=$CONFIG_DIR/certs
+KEY_DIR=$CONFIG_DIR/private
 LAMASSU_CA_PATH=$CERT_DIR/Lamassu_CA.pem
 CA_KEY_PATH=$KEY_DIR/Lamassu_OP_Root_CA.key
 CA_PATH=$CERT_DIR/Lamassu_OP_Root_CA.pem
 SERVER_KEY_PATH=$KEY_DIR/Lamassu_OP.key
 SERVER_CERT_PATH=$CERT_DIR/Lamassu_OP.pem
-MNEMONIC_DIR=$CONFIG_DIR/mnemonics
-MNEMONIC_FILE=$MNEMONIC_DIR/mnemonic.txt
-BACKUP_DIR=/var/backups/postgresql
-BLOCKCHAIN_DIR=/mnt/blockchains
-OFAC_DATA_DIR=/var/lamassu/ofac
-ID_PHOTO_CARD_DIR=/opt/lamassu-server/idphotocard
-FRONTCAMERA_DIR=/opt/lamassu-server/frontcamera
-OPERATOR_DIR=/opt/lamassu-server/operatordata
+
+# other
+MNEMONIC_DIR=$CONFIG_DIR/mnemonics
+MNEMONIC_FILE=$MNEMONIC_DIR/mnemonic.txt
+OFAC_DATA_DIR=$CONFIG_DIR/ofac
 decho () {
 echo `date +"%H:%M:%S"` $1
@@ -35,7 +34,7 @@
 MNEMONIC=$(/lamassu-server/bin/bip39 $SEED)
 echo "$MNEMONIC" > $MNEMONIC_FILE
 mkdir -p $CERT_DIR
-mkdir -p $CONFIG_DIR
+mkdir -p $KEY_DIR
 decho "Generating SSL certificates..."
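Review bot: `POSTGRES_HOST=host.docker.internal` resolves on Docker Desktop but not on a Linux Docker Engine unless each service declares `extra_hosts: ["host.docker.internal:host-gateway"]`, so both `lamassu-server` and `lamassu-admin-server` would fail to reach the database there; add that entry under both services or document the Desktop-only assumption. The credentials `POSTGRES_USER=postgres` / `POSTGRES_PASSWORD=postgres123` are kept in the committed file while the target changes from a compose-managed container to a database on the host, which widens their exposure; they should move to an `.env` file or `env_file:` rather than stay in the YAML. The new bind mount `./lamassu-data:/lamassu-data` puts `private/*.key` and the mnemonic under the repository checkout, so make sure `lamassu-data/` is git-ignored (not visible from this diff).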
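Review bot: `KEY_DIR` now points at a bind-mounted directory that is only created later by a plain `mkdir -p $KEY_DIR` (the `-35,7` hunk), so it gets the default umask (typically 0755) instead of the 0700 that `/etc/ssl/private` conventionally had, and the generated `Lamassu_OP.key` and root-CA key inherit a world-listable parent; use `mkdir -p -m 700 "$KEY_DIR"` there. This hunk drops `BACKUP_DIR`, `BLOCKCHAIN_DIR`, `ID_PHOTO_CARD_DIR`, `FRONTCAMERA_DIR` and `OPERATOR_DIR`; the rest of the script is outside the hunk, so if any later line still expands them, the empty argument will make that command fail and `set -e` abort the run — worth a grep before merging. A short header comment above `CONFIG_DIR=/lamassu-data` noting that it must match the compose volume mount would tie the two files together.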