Work in progress

docker/relay/README.adoc

@@ -0,0 +1,51 @@
+= relay
+
+== Goals
+
+We want to be able to
+
+== Summary
+
+These containers provide a full Rudder relay running in unprivileged
+read-only containers.
+
+Each service runs in its own read-only container.
+
+The relay is almost stateless and the only data that needs to be persisted is:
+
+* Agent id and key pair
+* HTTP server key pair
+
+Everything else can be rebuilt dynamically.
+
+== Images
+
+Images are currently based on CentOS 8 and install Rudder 6.1 using rudder-setup.
+
+We use the standard packages (after disabling service management to allow
+packaging scripts calls to systemctl to succeed).
+
+The `cf-execd` container is a bit different as it synchronizes the policies
+from the server and shares some of them with the other containers.
+
+== Agent
+
+An agent is required to run a relay.
+
+== Run a relay
+
+We provide a docker-compose configuration example.
+
+You need to modify the policy_server.dat file to set the right policy server.
+
+----
+docker-compose up
+----
+
+== TODO
+
+* [ ] See to configure policy server (inside or outside of the container?)
+* [ ]
+
+
+Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour

docker/relay/cf-execd.Dockerfile

@@ -11,22 +11,21 @@ RUN \
         sh rudder-setup add-repository 6.1 && \
         yum -y install rudder-server-relay
 
+COPY \
+        policy_server.dat /var/rudder/cfengine-community/policy_server.dat
+
 RUN \
-        mkdir  /data /apache_conf_file && \
+        mkdir  /data /httpd_conf && \
         ln -sf /data/uuid.hive /opt/rudder/etc/uuid.hive && \
         ln -sf /data/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
         ln -sf /data/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
-        ln -sf /data/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv
-COPY \
-        script.sh .
-
-RUN \
-        sh script.sh && \
-        ln -sf /apache_conf_file/rudder-networks-24.conf /opt/rudder/etc/rudder-networks-24.conf && \
-        ln -sf /apache_conf_file/rudder-networks-policy-server-24.conf /opt/rudder/etc/rudder-networks-policy-server-24.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-ssl.conf /opt/rudder/etc/rudder-apache-relay-ssl.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-common.conf /opt/rudder/etc/rudder-apache-relay-common.conf && \
-        ln -sf /apache_conf_file/rudder-apache-relay-nossl.conf /opt/rudder/etc/rudder-apache-relay-nossl.conf
+        ln -sf /data/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv && \
+        for f in rudder-networks-24.conf rudder-networks-policy-server-24.conf rudder-apache-relay-ssl.conf \
+                 rudder-apache-relay-common.conf rudder-apache-relay-nossl.conf htpasswd-webdav htpasswd-webdav-initial; \
+        do \
+          cp /opt/rudder/etc/${f} /httpd_conf/${f} && \
+          ln -sf /httpd_conf/${f} /opt/rudder/etc/${f}; \
+        done
 
 COPY \
         cf-execd.sh .
@@ -35,7 +34,4 @@ RUN \
         yum clean all && \
         rm -rf /var/rudder/cfengine-community/state/*
 
-
-ENTRYPOINT ["/bin/bash", "-c"]
-
 CMD ["./cf-execd.sh"]

docker/relay/cf-execd.sh

@@ -21,9 +21,7 @@ if [ ! -f /opt/rudder/etc/ssl/agent.cert ]; then
   openssl req -new -sha256 -key /data/ppkeys/localhost.priv -out /data/ssl/agent.cert -passin "pass:Cfengine passphrase" -x509 -days 3650 -extensions agent_cert -config /opt/rudder/etc/ssl/openssl-agent.cnf -subj "/UID=${uuid}"
 fi
 
-echo "server" > /var/rudder/cfengine-community/policy_server.dat 
-
-rudder agent check
+rudder agent check -f
 
 rudder agent inventory
 

docker/relay/cf-serverd.Dockerfile

@@ -11,20 +11,22 @@ RUN \
         sh rudder-setup add-repository 6.1 && \
         yum -y install rudder-agent
 
+COPY \
+        policy_server.dat /var/rudder/cfengine-community/policy_server.dat
+
 RUN \
         ln -sf /data/uuid.hive /opt/rudder/etc/uuid.hive && \
         ln -sf /data/ssl/agent.cert /opt/rudder/etc/ssl/agent.cert && \
         ln -sf /data/ppkeys/localhost.pub /var/rudder/cfengine-community/ppkeys/localhost.pub && \
         ln -sf /data/ppkeys/localhost.priv /var/rudder/cfengine-community/ppkeys/localhost.priv
 
-COPY cf-serverd.sh .
+COPY \
+        cf-serverd.sh .
 
 RUN \
         yum clean all && \
         rm -rf /var/rudder/cfengine-community/state/*
 
 EXPOSE 5309
 
-ENTRYPOINT ["/bin/bash", "-c"]
-
 CMD ["./cf-serverd.sh"]

docker/relay/cf-serverd.sh

@@ -3,6 +3,7 @@
 set -e
 set -x
 
+# Wait until cf-execd has fetched initial policies
 while [ ! -f /var/rudder/cfengine-community/inputs/promises.cf ]
 do 
   sleep 1

docker/relay/docker-compose.yml

@@ -1,61 +1,78 @@
-version: "2"
+version: '2'
 services:
-    cf_execd:
-       read_only: true
-       build:
-         context: .
-         dockerfile: cf-execd.Dockerfile
-       volumes:
-          - cfengine_community:/var/rudder/cfengine-community/
-          - uuid_keys:/data
-          - ncf:/var/rudder/ncf
-          - shared:/var/rudder/share
-          - secure_httpd:/opt/rudder/etc/ssl/
-          - httpd_conf:/apache_conf_file
-          - relay_conf:/opt/rudder/etc/relayd
-          - nodelist:/var/rudder/lib/relay/
-       tmpfs:
-          - /var/rudder/tmp
-          - /var/backup/rudder
-          - /opt/rudder/var/fusioninventory
-          - /var/rudder/inventories
-       external_links:
-          - server
-    cf_serverd: 
-       read_only: true
-       build:
-         context: .
-         dockerfile: cf-serverd.Dockerfile
-       volumes:
-         - cfengine_community:/var/rudder/cfengine-community/
-         - uuid_keys:/data:ro
-         - ncf:/var/rudder/ncf:ro
-         - shared:/var/rudder/share:ro
-    relay:
-       read_only: true
-       build:
-         context: .
-         dockerfile: relay.Dockerfile
-       volumes:
-          - nodelist:/var/rudder/lib/relay:ro
-          - relay_conf:/opt/rudder/etc/relayd:ro
-       tmpfs:
-          - /var/rudder/reports
-          - /var/rudder/inventories
-    httpd:
-       build:
-         context: .
-         dockerfile: httpd.Dockerfile
-       volumes:
-          - httpd_conf:/apache_conf_file:ro
-          - secure_httpd:/opt/rudder/etc/ssl:ro
+  cf_execd:
+    hostname: "relay"
+    read_only: true
+    build:
+      context: .
+      dockerfile: cf-execd.Dockerfile
+    volumes:
+      - 'agent_state:/var/rudder/cfengine-community/'
+      - 'agent_certs:/data'
 
+      - 'policies_lib:/var/rudder/ncf'
+      - 'policies_src_lib:/usr/share/ncf/tree'
+      - 'policies_loc_lib:/var/rudder/configuration-repository/ncf'
+      - 'policies:/var/rudder/share'
+
+      - 'httpd_certs:/opt/rudder/etc/ssl/'
+      - 'httpd_conf:/httpd_conf'
+
+      - 'relayd_conf:/opt/rudder/etc/relayd'
+      - 'relayd_nodelist:/var/rudder/lib/relay/'
+      - 'relayd_certs:/var/rudder/lib/ssl/'
+    tmpfs:
+      - /var/rudder/tmp
+      - /var/backup/rudder
+      - /opt/rudder/var/fusioninventory
+      - /var/rudder/inventories
+      - /var/rudder/reports
+      - /tmp
+      - /etc/cron.d
+  cf_serverd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: cf-serverd.Dockerfile
+    volumes:
+      - 'agent_state:/var/rudder/cfengine-community/'
+      - 'agent_certs:/data:ro'
+
+      - 'policies_lib:/var/rudder/ncf:ro'
+      - 'policies_src_lib:/usr/share/ncf/tree:ro'
+      - 'policies_loc_lib:/var/rudder/configuration-repository/ncf:ro'
+      - 'policies:/var/rudder/share:ro'
+  relayd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: relayd.Dockerfile
+    volumes:
+      - 'relayd_nodelist:/var/rudder/lib/relay:ro'
+      - 'relayd_certs:/var/rudder/lib/ssl:ro'
+      - 'relayd_conf:/opt/rudder/etc/relayd:ro'
+    tmpfs:
+      - /var/rudder/reports
+      - /var/rudder/inventories
+  httpd:
+    read_only: true
+    build:
+      context: .
+      dockerfile: httpd.Dockerfile
+    volumes:
+      - 'httpd_conf:/httpd_conf:ro'
+      - 'httpd_certs:/opt/rudder/etc/ssl:ro'
+    tmpfs:
+      - /etc/httpd/logs
 volumes:
-     cfengine_community:
-     uuid_keys:
-     ncf:
-     shared:
-     secure_httpd:
-     httpd_conf:
-     nodelist:
-     relay_conf:
+  agent_state:
+  agent_certs:
+  policies_lib:
+  policies_src_lib:
+  policies_loc_lib:
+  policies:
+  httpd_certs:
+  httpd_conf:
+  relayd_nodelist:
+  relayd_certs:
+  relayd_conf:

docker/relay/httpd.Dockerfile

@@ -1,24 +1,33 @@
-FROM centos:8
-
-RUN \
-     yum -y install diffutils curl && \
-     curl -o rudder-setup https://repository.rudder.io/tools/rudder-setup && \
-     sh rudder-setup add-repository 6.1 && \
-     yum -y install rudder-server-relay && \
-     /usr/libexec/httpd-ssl-gencerts && \
-     yum clean all
-
-RUN \
-      mkdir /apache_conf_file && \
-      ln -sf /apache_conf_file/rudder-networks-24.conf /opt/rudder/etc/rudder-networks-24.conf && \
-      ln -sf /apache_conf_file/rudder-networks-policy-server-24.conf /opt/rudder/etc/rudder-networks-policy-server-24.conf && \
-      ln -sf /apache_conf_file/rudder-apache-relay-ssl.conf /opt/rudder/etc/rudder-apache-relay-ssl.conf && \
-      ln -sf /apache_conf_file/rudder-apache-relay-common.conf /opt/rudder/etc/rudder-apache-relay-common.conf && \
-      ln -sf /apache_conf_file/rudder-apache-relay-nossl.conf /opt/rudder/etc/rudder-apache-relay-nossl.conf
-
-
-EXPOSE 80 443
-
-ENTRYPOINT ["/bin/bash", "-c"]
-
-CMD ["/usr/sbin/apachectl -DFOREGROUND"]
+FROM centos:8
+
+RUN \
+        ln -sf /bin/true /usr/sbin/service && \
+        ln -sf /bin/true /bin/systemctl && \
+        ln -sf /bin/true /usr/bin/systemctl
+
+# We install the relay package is it does some config for httpd
+RUN \
+        yum -y install epel-release && \
+        yum -y install diffutils curl inotify-tools && \
+        curl -o rudder-setup https://repository.rudder.io/tools/rudder-setup && \
+        sh rudder-setup add-repository 6.1 && \
+        yum -y install rudder-server-relay && \
+        /usr/libexec/httpd-ssl-gencerts
+
+RUN \
+        mkdir /httpd_conf && \
+        for f in rudder-networks-24.conf rudder-networks-policy-server-24.conf rudder-apache-relay-ssl.conf \
+                 rudder-apache-relay-common.conf rudder-apache-relay-nossl.conf htpasswd-webdav htpasswd-webdav-initial; \
+        do \
+          ln -sf /httpd_conf/${f} /opt/rudder/etc/${f}; \
+        done
+
+COPY \
+        httpd.sh .
+
+RUN \
+        yum clean all
+
+EXPOSE 80 443
+
+CMD ["./httpd.sh"]

docker/relay/httpd.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+set -x
+
+/usr/sbin/apachectl -DFOREGROUND &
+
+# watch for changes in /apache_config_file and update http if there is one on /backup
+while true; do
+    changes=$(inotifywait -m -e move,create,modify /httpd_conf/);
+    exit_code=$?
+    if [ $exit_code != 0 ]; then
+        echo "reloading httpd config"
+        exec /usr/sbin/httpd -k graceful
+	fi
+done

docker/relay/policy_server.dat

@@ -0,0 +1 @@
+server

docker/relay/relay.Dockerfile → docker/relay/relayd.Dockerfile

@@ -9,15 +9,13 @@ RUN \
         yum -y install diffutils curl && \
         curl -o rudder-setup https://repository.rudder.io/tools/rudder-setup && \
         sh rudder-setup add-repository 6.1 && \
-        yum -y install rudder-server-relay && \
-        /usr/libexec/httpd-ssl-gencerts && \
-        yum clean all 
-
-COPY relay.sh .
+        yum -y install rudder-server-relay
 
+RUN \
+        yum clean all
 
-EXPOSE  80 443 3030
+EXPOSE 3030
 
-ENTRYPOINT ["/bin/bash", "-c"]
+# FIXME reload relayd !
 
-CMD ["./relay.sh"]
+CMD ["/opt/rudder/bin/rudder-relayd"]