Merge pull request #190 from geebee/master

Docker builds for tunnel core server

Server/.gitignore

@@ -0,0 +1,4 @@
+Server
+psiphond
+psiphond.config
+serverEntry.dat

Server/Dockerfile

@@ -0,0 +1,17 @@
+FROM alpine:latest
+
+MAINTAINER Psiphon Inc. <info@psiphon.ca>
+LABEL Description="Alpine Linux based Psiphon Tunnel-Core Server" Vendor="Psiphon Inc." Version="1.0"
+
+RUN apk add --update \
+      bash \
+      ca-certificates \
+    && rm -rf /var/cache/apk/*
+
+RUN mkdir -p /opt/psiphon
+
+ADD ["psiphond", "psiphond.config", "/opt/psiphon/"]
+
+WORKDIR /opt/psiphon
+
+ENTRYPOINT ["./psiphond", "--config", "psiphond.config", "run"]

Server/Dockerfile-binary-builder

@@ -0,0 +1,28 @@
+FROM alpine:latest
+
+ENV GOLANG_VERSION 1.6.2
+ENV GOLANG_SRC_URL https://golang.org/dl/go$GOLANG_VERSION.src.tar.gz
+
+RUN set -ex \
+	&& apk add --no-cache \
+		bash \
+		ca-certificates \
+		gcc \
+    git \
+		musl-dev \
+		openssl \
+		go \
+	\
+	&& export GOROOT_BOOTSTRAP="$(go env GOROOT)" \
+	\
+	&& wget -q "$GOLANG_SRC_URL" -O golang.tar.gz \
+	&& tar -C /usr/local -xzf golang.tar.gz \
+	&& rm golang.tar.gz \
+	&& cd /usr/local/go/src \
+	&& ./make.bash
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+WORKDIR $GOPATH

Server/README.md

@@ -1,17 +1,74 @@
-Psiphon Tunnel Core Server README
-================================================================================
+## Psiphon Tunnel Core Server README
 
-Overview
---------------------------------------------------------------------------------
+### Overview
+The `Server`/`psiphond` program and the `github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/server` package contain an experimental Psiphon server stack.
 
-The `Server` program and the `github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/server` package contain an experimental Psiphon server stack.
+Functionality is based on the [production server stack](https://bitbucket.org/psiphon/psiphon-circumvention-system/src/tip/Server/) but only a small subset is implemented. Currently, this stack supports the `SSH` and `OSSH` protocols and has a minimal web server to support the API calls the tunnel-core client requires.
 
-Functionality is based on the (production server stack)[https://bitbucket.org/psiphon/psiphon-circumvention-system/src/tip/Server/] but only a small subset is implemented. Currently, this stack supports the `SSH` protocol and has a minimal web server to support the API calls the tunnel-core client requires.
+### Build
+Prerequisites:
+ - Go 1.6.2 or later
 
-Usage
---------------------------------------------------------------------------------
+Build Steps:
+ - Get dependencies: `go get -d -v ./...`
+ - Build: `go build -o psiphond main.go` (will generate a binary named `psiphond` for Linux/OSX  or `psiphond.exe` for Windows)
 
-* Execute `Server generate` to generate a server configuration, including new key material and credentials. This will emit a config file and a server entry file.
- * Note: `generate` does not yet take input parameters, so for now you must edit code if you must change the server IP address or ports.
-* Execute `Server run` to run the server stack using the generated configuration.
-* Copy the contents of the server entry file to the client (e.g., the `TargetServerEntry` config field in the tunnel-core client) to connect to the server.
+#### MUSL `libc` build (for Alpine Linux on Docker)
+Prerequisites:
+ - Go 1.6.2 or later
+ - Docker 1.10 or later
+ - MUSL libc toolchain
+
+##### Building MUSL
+ 1. Clone the latest source (master is stable): `git clone git://git.musl-libc.org/musl`
+ 2. Change into the musl directory: `cd musl`
+ 3. Configure the build environment: `./configure`
+ 4. Build the libraries and toolchain binaries: `make`
+ 5. Install: `sudo make install`
+    - Installs to `/usr/local/musl` by default, change by passing `--prefix <path>` as a flag to the configure script in step 3
+
+##### Building the binary with MUSL for Docker
+Build Steps:
+ - Get dependencies: `GOOS=linux GOARCH=amd64 go get -d -v ./...`
+ - Build: `GOOS=linux GOARCH=amd64 CC=/usr/local/musl/bin/musl-gcc go build --ldflags '-linkmode external -extldflags "-static"' -o psiphond main.go` (will generate a statically linked binary named `psiphond`)
+
+**NOTE**: If you have ever used a _GNU libc_ based build of this project, you will need to append the `-a` flag to your `go build` command in order to force rebuilding of previously built libraries. Additionally, compiling with the _GNU libc_ again (after having compiled with _MUSL libc_) will also require the `-a` flag. 
+
+Updated build command: `GOOS=linux GOARCH=amd64 CC=/usr/local/musl/bin/musl-gcc go build -a --ldflags '-linkmode external -extldflags "-static"' -o psiphond main.go`
+
+##### Building the binary with MUSL in Docker
+
+You may also use the `Dockerfile-binary-builder` docker file to create an image that will be able to build the binary for you without installing MUSL and cross-compiling locally.
+
+1. Build the image: `docker build -f Dockerfile-binary-builder -t psiphond-builder .`
+2. Run the build via the image: `cd .. && docker run --rm -v $(pwd):/go/src/github.com/Psiphon-Labs/psiphon-tunnel-core psiphond-builder /bin/bash -c 'cd /go/src/github.com/Psiphon-Labs/psiphon-tunnel-core/Server && ./make.bash'; cd -`
+3. Change the owner (if desired) of the `psiphond` binary. The permissions are `777`/`a+rwx`, but the owner and group will both be `root`. Functionally, this should not matter at all.
+
+##### Generate a configuration file
+ 1. Use the command `./psiphond --help` to get a list of flags to pass to the `generate` sub-command
+ 2. Run: `./psiphond --newConfig psiphond.config --ipaddress 0.0.0.0 --protocol SSH:22 --protocol OSSH:53 --web 80 generate` (IP address `0.0.0.0` is used due to how docker handles services bound to the loopback device)
+ 3. Remove the value for the `SyslogFacility` key (eg: `sed -i 's/"SyslogFacility": "user"/"SyslogFacility": ""/' psiphond.config`)
+ 4. Remove the value for the `Fail2BanFormat` key (eg: `sed -i 's/"Fail2BanFormat": "Authentication failure for psiphon-client from %s"/"Fail2BanFormat": ""/' psiphond.config`)
+
+##### Create the Docker image:
+ 1. Run the command: `docker build --no-cache=true -t psiphond .` (this may take some time to complete)
+    - Subsequent updates can be built without the `--no-cache=true` flag to speed up builds
+ 2. Once completed, verify that you see an image named `psiphond` when running: `docker images`
+
+### Usage
+- Execute `./psiphond generate` to generate a server configuration, including new key material and credentials. This will emit a config file and a server entry file.
+ - Note: `generate` does not yet take input parameters, so for now you must edit code if you must change the server IP address or ports.
+- Execute `./psiphond run` to run the server stack using the generated configuration.
+- Copy the contents of the server entry file to the client (e.g., the `TargetServerEntry` config field in the tunnel-core client) to connect to the server.
+
+#### Run the docker image
+Run the docker container built above as follows: `docker run -d --name psiphond-1 -p 10053:53 -p 10022:22 -p 10080:80 psiphond`
+
+This will start a daemonized container, running the tunnel core server named `psiphond-1`, with `host:container` port mappings:
+ - 10053:53
+ - 10022:22
+ - 10080:80
+
+ The container can be stopped by issuing the command `docker stop psiphond-1`. It will send the server a `SIGTERM`, followed by a `SIGKILL` if it is still running after a grace period
+
+ The container logs can be viewed/tailed/etc via the `docker logs psiphond-1` command and the various flags the `logs` subcommand allows

Server/make.bash

@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+
+set -e
+
+BASE_DIR=$( cd "$(dirname "$0")" ; pwd -P )
+cd $BASE_DIR
+
+if [ ! -f make.bash ]; then
+  echo "make.bash must be run from $GOPATH/src/github.com/Psiphon-Labs/psiphon-tunnel-core/Server"
+  exit 1
+fi
+
+build_for_linux () {
+  echo "Getting project dependencies (via go get) for Linux. Parameter is: '$1'"
+  GOOS=linux GOARCH=amd64 go get -d -v ./...
+  if [ $? != 0 ]; then
+    echo "...'go get' failed, exiting"
+    exit $?
+  fi
+
+  GOOS=linux GOARCH=amd64 go build --ldflags '-linkmode external -extldflags "-static"' -o psiphond main.go
+  if [ $? != 0 ]; then
+    echo "...'go build' failed, exiting"
+    exit $?
+  fi
+  chmod 777 psiphond
+
+}
+
+build_for_linux
+echo "Done"