Work in progress

amousset · Sep 25, 2020 · 7556574 · 7556574
1 parent e61a3ba
commit 7556574
Show file tree

Hide file tree

Showing 18 changed files with 265 additions and 140 deletions.
diff --git a/docker/cf-execd.Dockerfile → docker/agent/cf-execd.Dockerfile b/docker/cf-execd.Dockerfile → docker/agent/cf-execd.Dockerfile
diff --git a/docker/cf-execd.sh → docker/agent/cf-execd.sh b/docker/cf-execd.sh → docker/agent/cf-execd.sh
diff --git a/docker/cf-serverd.Dockerfile → docker/agent/cf-serverd.Dockerfile b/docker/cf-serverd.Dockerfile → docker/agent/cf-serverd.Dockerfile
diff --git a/docker/cf-serverd.sh → docker/agent/cf-serverd.sh b/docker/cf-serverd.sh → docker/agent/cf-serverd.sh
diff --git a/docker/docker-compose.yml → docker/agent/docker-compose.yml b/docker/docker-compose.yml → docker/agent/docker-compose.yml
diff --git a/docker/policy_server.dat → docker/agent/policy_server.dat b/docker/policy_server.dat → docker/agent/policy_server.dat
diff --git a/docker/relay/README.adoc b/docker/relay/README.adoc
@@ -0,0 +1,61 @@
+= relay
+
+== Goals
+
+We want to be able to
+
+== Summary
+
+These containers provide a full Rudder relay running in unprivileged
+read-only containers.
+
+Each service runs in its own read-only container.
+
+The relay is almost stateless and the only data that needs to be persisted is:
+
+* Agent id and key pair
+* HTTP server key pair
+
+Everything else can be rebuilt dynamically.
+
+A lot of config files are actually data files, and need to be updated dynamically.
+
+== Images
+
+Images are currently based on CentOS 8 and install Rudder 6.1 using rudder-setup.
+
+We use the standard packages (after disabling service management to allow
+packaging scripts calls to systemctl to succeed).
+
+The `cf-execd` container is a bit different as it synchronizes the policies
+from the server and shares some of them with the other containers.
+
+== Agent
+
+An agent is required to run a relay.
+
+== Run a relay
+
+We provide a docker-compose configuration example.
+
+You need to modify the policy_server.dat file to set the right policy server.
+
+----
+docker-compose up
+----
+
+== Limitations
+
+No remote-run for now.
+
+We need to give read access to the cf-serverd container.
+
+== TODO
+
+* [ ] See to configure policy server (inside or outside of the container?)
+* [ ] Upgrade procedure
+* [ ] Exposed and redirected ports
+* [ ] Reload reload
+
+
+Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour
diff --git a/docker/relay/cf-execd.Dockerfile b/docker/relay/cf-execd.Dockerfile
@@ -11,22 +11,21 @@ RUN \
         sh rudder-setup add-repository 6.1 && \
         yum -y install rudder-server-relay
 
-RUN \
-        mkdir  /data /apache_conf_file && \
-        ln -sf /data/uuid.hive /opt/rudder/etc/uuid.hive && \
-        ln -sf /data/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
-        ln -sf /data/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
-        ln -sf /data/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv
 COPY \
-        script.sh .
+        policy_server.dat /var/rudder/cfengine-community/policy_server.dat
 
 RUN \
-        sh script.sh && \
-        ln -sf /apache_conf_file/rudder-networks-24.conf /opt/rudder/etc/rudder-networks-24.conf && \
-        ln -sf /apache_conf_file/rudder-networks-policy-server-24.conf /opt/rudder/etc/rudder-networks-policy-server-24.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-ssl.conf /opt/rudder/etc/rudder-apache-relay-ssl.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-common.conf /opt/rudder/etc/rudder-apache-relay-common.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-nossl.conf /opt/rudder/etc/rudder-apache-relay-nossl.conf
+        mkdir  /agent_certs /node_id /httpd_conf && \
+        ln -sf /node_id/uuid.hive /opt/rudder/etc/uuid.hive && \
+        ln -sf /agent_certs/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
+        ln -sf /agent_certs/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
+        ln -sf /agent_certs/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv && \
+        for f in rudder-networks-24.conf rudder-networks-policy-server-24.conf rudder-apache-relay-ssl.conf \
+                 rudder-apache-relay-common.conf rudder-apache-relay-nossl.conf htpasswd-webdav htpasswd-webdav-initial; \
+        do \
+          cp /opt/rudder/etc/${f} /httpd_conf/${f} && \
+          ln -sf /httpd_conf/${f} /opt/rudder/etc/${f}; \
+        done
 
 COPY \
         cf-execd.sh .
@@ -35,7 +34,4 @@ RUN \
         yum clean all && \
         rm -rf /var/rudder/cfengine-community/state/*
 
-
-ENTRYPOINT ["/bin/bash", "-c"]
-
 CMD ["./cf-execd.sh"]
diff --git a/docker/relay/cf-execd.sh b/docker/relay/cf-execd.sh
@@ -5,26 +5,22 @@ set -x
 
 # Needed because standard paths are symlinks
 
-if [ ! -f /data/uuid.hive ]; then
-  /opt/rudder/bin/rudder-uuidgen > /data/uuid.hive
+if [ ! -f /node_id/uuid.hive ]; then
+  /opt/rudder/bin/rudder-uuidgen > /node_id/uuid.hive
 fi
 
-uuid=$(cat /data/uuid.hive)
+uuid=$(cat /node_id/uuid.hive)
 
-if [ ! -f /data/ppkeys/localhost.pub ]; then
-  mkdir -p /data/ppkeys
-  /opt/rudder/bin/cf-key -T 4096 -f /data/ppkeys/localhost
+if [ ! -f /agent_certs/ppkeys/localhost.pub ]; then
+  mkdir -p /agent_certs/ppkeys
+  /opt/rudder/bin/cf-key -T 4096 -f /agent_certs/ppkeys/localhost
 fi
 
 if [ ! -f /opt/rudder/etc/ssl/agent.cert ]; then
-  mkdir -p /data/ssl
-  openssl req -new -sha256 -key /data/ppkeys/localhost.priv -out /data/ssl/agent.cert -passin "pass:Cfengine passphrase" -x509 -days 3650 -extensions agent_cert -config /opt/rudder/etc/ssl/openssl-agent.cnf -subj "/UID=${uuid}"
+  mkdir -p /agent_certs/ssl
+  openssl req -new -sha256 -key /agent_certs/ppkeys/localhost.priv -out /agent_certs/ssl/agent.cert -passin "pass:Cfengine passphrase" -x509 -days 3650 -extensions agent_cert -config /opt/rudder/etc/ssl/openssl-agent.cnf -subj "/UID=${uuid}"
 fi
 
-echo "server" > /var/rudder/cfengine-community/policy_server.dat 
-
-rudder agent check
-
-rudder agent inventory
+rudder agent check -f
 
 /opt/rudder/bin/cf-execd --no-fork --inform
diff --git a/docker/relay/cf-serverd.Dockerfile b/docker/relay/cf-serverd.Dockerfile
@@ -11,20 +11,22 @@ RUN \
         sh rudder-setup add-repository 6.1 && \
         yum -y install rudder-agent
 
+COPY \
+        policy_server.dat /var/rudder/cfengine-community/policy_server.dat
+
 RUN \
-        ln -sf /data/uuid.hive /opt/rudder/etc/uuid.hive && \
-        ln -sf /data/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
-        ln -sf /data/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
-        ln -sf /data/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv
+        ln -sf /node_id/uuid.hive /opt/rudder/etc/uuid.hive && \
+        ln -sf /agent_certs/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
+        ln -sf /agent_certs/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
+        ln -sf /agent_certs/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv
 
-COPY cf-serverd.sh .
+COPY \
+        cf-serverd.sh .
 
 RUN \
         yum clean all && \
         rm -rf /var/rudder/cfengine-community/state/*
 
 EXPOSE 5309
 
-ENTRYPOINT ["/bin/bash", "-c"]
-
 CMD ["./cf-serverd.sh"]
diff --git a/docker/relay/cf-serverd.sh b/docker/relay/cf-serverd.sh
@@ -3,6 +3,7 @@
 set -e
 set -x
 
+# Wait until cf-execd has fetched initial policies
 while [ ! -f /var/rudder/cfengine-community/inputs/promises.cf ]
 do 
   sleep 1

diff --git a/docker/relay/docker-compose.yml b/docker/relay/docker-compose.yml
@@ -1,61 +1,111 @@
-version: "2"
+version: '2'
 services:
-    cf_execd:
-       read_only: true
-       build:
-         context: .
-         dockerfile: cf-execd.Dockerfile
-       volumes:
-          - cfengine_community:/var/rudder/cfengine-community/
-          - uuid_keys:/data
-          - ncf:/var/rudder/ncf
-          - shared:/var/rudder/share
-          - secure_httpd:/opt/rudder/etc/ssl/
-          - httpd_conf:/apache_conf_file
-          - relay_conf:/opt/rudder/etc/relayd
-          - nodelist:/var/rudder/lib/relay/
-       tmpfs:
-          - /var/rudder/tmp
-          - /var/backup/rudder
-          - /opt/rudder/var/fusioninventory
-          - /var/rudder/inventories
-       external_links:
-          - server
-    cf_serverd: 
-       read_only: true
-       build:
-         context: .
-         dockerfile: cf-serverd.Dockerfile
-       volumes:
-         - cfengine_community:/var/rudder/cfengine-community/
-         - uuid_keys:/data:ro
-         - ncf:/var/rudder/ncf:ro
-         - shared:/var/rudder/share:ro
-    relay:
-       read_only: true
-       build:
-         context: .
-         dockerfile: relay.Dockerfile
-       volumes:
-          - nodelist:/var/rudder/lib/relay:ro
-          - relay_conf:/opt/rudder/etc/relayd:ro
-       tmpfs:
-          - /var/rudder/reports
-          - /var/rudder/inventories
-    httpd:
-       build:
-         context: .
-         dockerfile: httpd.Dockerfile
-       volumes:
-          - httpd_conf:/apache_conf_file:ro
-          - secure_httpd:/opt/rudder/etc/ssl:ro
+  cf_execd:
+    hostname: 'relay'
+    read_only: true
+    build:
+      context: .
+      dockerfile: cf-execd.Dockerfile
+    volumes:
+      - 'agent_state:/var/rudder/cfengine-community/'
+      - 'agent_certs:/agent_certs'
+      - 'node_id:/node_id'
 
+      - 'policies_lib:/var/rudder/ncf'
+      - 'policies_src_lib:/usr/share/ncf/tree'
+      - 'policies_loc_lib:/var/rudder/configuration-repository/ncf'
+      - 'policies:/var/rudder/share'
+
+      - 'httpd_certs:/opt/rudder/etc/ssl/'
+      - 'httpd_conf:/httpd_conf'
+
+      - 'relayd_conf:/opt/rudder/etc/relayd'
+      - 'relayd_nodelist:/var/rudder/lib/relay/'
+      - 'relayd_certs:/var/rudder/lib/ssl/'
+    tmpfs:
+      - /var/rudder/tmp
+      - /var/rudder/modified-files
+      - /var/backup/rudder
+      - /opt/rudder/var/fusioninventory
+      - /var/rudder/inventories
+      - /var/rudder/reports
+      - /tmp
+      - /etc/cron.d
+      - /etc/logrotate.d
+      - /var/log
+  cf_serverd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: cf-serverd.Dockerfile
+    ports:
+      - "5309:5309"
+    volumes_from:
+      # same as cf-execd to allow remote run
+      - 'cf_execd'
+    tmpfs:
+      # same as cf-execd to allow remote run
+      - /var/rudder/tmp
+      - /var/rudder/modified-files
+      - /var/backup/rudder
+      - /opt/rudder/var/fusioninventory
+      - /var/rudder/inventories
+      - /var/rudder/reports
+      - /tmp
+      - /etc/cron.d
+      - /etc/logrotate.d
+      - /var/log
+  relayd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: relayd.Dockerfile
+    ports:
+      # remove?
+      - "127.0.0.1:3030:3030"
+    volumes:
+      - 'relayd_nodelist:/var/rudder/lib/relay:ro'
+      - 'relayd_certs:/var/rudder/lib/ssl:ro'
+      - 'relayd_conf:/opt/rudder/etc/relayd:ro'
+      - 'inventories:/var/rudder/inventories'
+    tmpfs:
+      - /var/rudder/reports
+      - /var/rudder/inventories
+  httpd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: httpd.Dockerfile
+    ports:
+      - "443:443"
+    volumes:
+      - 'httpd_conf:/httpd_conf:ro'
+      - 'httpd_certs:/opt/rudder/etc/ssl:ro'
+      - 'node_id:/node_id:ro'
+      # windows policies
+      - 'policies:/var/rudder/share:ro'
+      - 'inventories:/var/rudder/inventories'
+    tmpfs:
+      - /var/log/httpd
+      - /var/log/rudder/apache2
+      - /run/httpd
+      # /tmp/davlock.db
+      - /tmp
 volumes:
-     cfengine_community:
-     uuid_keys:
-     ncf:
-     shared:
-     secure_httpd:
-     httpd_conf:
-     nodelist:
-     relay_conf:
+  agent_state:
+  agent_certs:
+  node_id:
+
+  policies_lib:
+  policies_src_lib:
+  policies_loc_lib:
+  policies:
+
+  inventories:
+
+  httpd_certs:
+  httpd_conf:
+
+  relayd_nodelist:
+  relayd_certs:
+  relayd_conf: