Fixes #22666: Update docker scripts for 7.2 #4770

Draft: wants to merge 1 commit into base branch branches/rudder/7.2
2 changes: 1 addition & 1 deletion docker/rudder-relay/Dockerfile
@@ -1,4 +1,4 @@
FROM centos:8
FROM rockylinux:9
ARG VERSION=latest
EXPOSE 443 5309
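Review bot: the base image swap is overdue, since centos:8 has been end-of-life since the end of 2021 and no longer receives security updates, but `rockylinux:9` is still pulled by a floating tag and `ARG VERSION=latest` leaves the Rudder package version floating as well, so two consecutive builds of this Dockerfile can yield different images. Consider pinning the base image to a digest (`FROM rockylinux:9@sha256:...`) and giving VERSION a concrete default that tracks the 7.2 branch this PR targets.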

46 changes: 29 additions & 17 deletions docker/rudder-relay/rudder-relay.sh
@@ -3,6 +3,17 @@
set -e
#set -x

# This script runs as entry point for the container
# It encures the configuration is correct, then
# starts the services.

# It is configured through the following environement variables:
#
# * RUDDER_RELAY_ID: the node id
# * RUDDER_RELAY_SERVER: the relay's policy server hostname/IP
# * RUDDER_RELAY_SERVER_PUBKEY: the relay's policy server public key
# * RUDDER_RELAY_PRIVKEY: the relay's private key

# Allow using our binaries
export PATH="/opt/rudder/bin/:$PATH"
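Review bot: two typos in the new header comment: "encures" should be "ensures" and "environement" should be "environment". The variable list also says what each variable is but not which ones are mandatory; since a later hunk makes the script exit when no policy server is configured, mark RUDDER_RELAY_SERVER as required unless a policy_server.dat is already persisted, so operators know what the container needs before it fails at start-up.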

@@ -24,8 +35,9 @@ fi

if [ -n "$RUDDER_RELAY_SERVER" ]; then
echo "$RUDDER_RELAY_SERVER" > "${PPKEYS}/policy_server.dat"
elif [ ! -f "${PPKEYS}/policy_server.dat" ]; then
echo "rudder" > "${PPKEYS}/policy_server.dat"
elif [ ! -f "$RUDDER_RELAY_SERVER" ]; then
Contributor comment:

I think this codepath will never be reached, since anything that would be a valid file from the var RUDDER_RELAY_SERVER (checked here by -f) is already a valid string one above (at -n).

It's probably better to switch the logic: if the value of the string is set and is a valid file, copy it to the dest, otherwise write it to the file.
echo "Missing policy server configuration, exiting" >&2
exit 1
fi

################
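Review bot: the test in the new `elif [ ! -f "$RUDDER_RELAY_SERVER" ]` branch is on the wrong path. That branch is only evaluated when the preceding `-n` test failed, i.e. when RUDDER_RELAY_SERVER is empty; `-f ""` is then always false, so the negated test is always true and the script exits whenever the variable is unset, even when a policy_server.dat has already been persisted in ${PPKEYS} by a previous run. Replace it with `elif [ ! -f "${PPKEYS}/policy_server.dat" ]; then` so the error is raised only when neither the environment variable nor a persisted file provides the policy server; that also keeps the previous behaviour of reusing the persisted file across restarts.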
@@ -55,29 +67,29 @@ elif [ ! -f "${PPKEYS}/localhost.priv" ]; then
cf-key --key-type 4096 --output-file "${PPKEYS}/localhost"
fi

# Generate public key based on private key to be sure it's correct
# Regenerate public key based on private key to be sure it's correct
openssl rsa -in "${PPKEYS}/localhost.priv" -RSAPublicKey_out > "${PPKEYS}/localhost.pub"

################
# Certificate
################

if [ -n "$RUDDER_RELAY_CERTIFICATE" ]; then
(
echo "-----BEGIN CERTIFICATE-----"
echo "$RUDDER_RELAY_CERTIFICATE" | fold -w 64
echo "-----END CERTIFICATE-----"
) > "${PPKEYS}/agent.cert"
elif [ ! -f "${PPKEYS}/agent.cert" ]; then
openssl req -new -sha256 -key "${PPKEYS}/localhost.priv" -out "${PPKEYS}/agent.cert" -x509 -days 3650 -extensions agent_cert -config /opt/rudder/etc/ssl/openssl-agent.cnf -subj "/UID=${uuid}"
# Generate a certificate for the key pair.
# We can regenerate it on the fly as the pinning is only done on the public key level.

# Remove if not matching public key to allow updating it
if [ -f "${PPKEYS}/agent.cert" ]; then
# We verify that the certificate belongs to the private key (Modulus is identical)
modulus_cert=$(openssl x509 -noout -modulus -in "${PPKEYS}/agent.cert")
modulus_key=$(openssl rsa -noout -modulus -in "${PPKEYS}/localhost.priv")
if [ "${modulus_cert}" != "${modulus_key}" ]; then
rm "${PPKEYS}/agent.cert"
echo "Certificate does not match agent key, updating"
fi
fi

# We verify that the certificate belongs to the private key (Modulus is identical)
modulus_cert=$(openssl x509 -noout -modulus -in "${PPKEYS}/agent.cert")
modulus_key=$(openssl rsa -noout -modulus -in "${PPKEYS}/localhost.priv")
if [ "${modulus_cert}" != "${modulus_key}" ]; then
echo "Certificate does not match agent key" >&2
exit 1
if [ ! -f "${PPKEYS}/agent.cert" ]; then
openssl req -new -sha256 -key "${PPKEYS}/localhost.priv" -out "${PPKEYS}/agent.cert" -x509 -days 3650 -extensions agent_cert -config /opt/rudder/etc/ssl/openssl-agent.cnf -subj "/UID=${uuid}"
fi

# Copy files from persisted folder
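Review bot: the new mismatch check can abort the entrypoint instead of repairing the certificate. The script runs under `set -e`, and `modulus_cert=$(openssl x509 -noout -modulus -in "${PPKEYS}/agent.cert")` propagates openssl's exit status, so a truncated or non-PEM agent.cert (the case most likely to need the "updating" path) terminates the script before the `rm` is reached. Guard the extraction, e.g. `if ! modulus_cert=$(openssl x509 -noout -modulus -in "${PPKEYS}/agent.cert" 2>/dev/null); then rm "${PPKEYS}/agent.cert"; fi`, or treat a failed parse as a mismatch. Separately, support for RUDDER_RELAY_CERTIFICATE is dropped without a mention in the PR or in the variable list at the top of the script; deployments that pass a certificate will silently get a freshly self-signed one, which is acceptable given the key-level pinning the comment describes but should be stated as a behaviour change. Also, the "Certificate does not match agent key, updating" message goes to stdout while the other diagnostics in this script use >&2.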