Showing
4 changed files
with
235 additions
and
5 deletions.
@@ -0,0 +1,68 @@ | ||
FROM ubuntu:23.04 as build-env | ||
ENV DEBIAN_FRONTEND=noninteractive | ||
ARG TARGETPLATFORM | ||
ARG BUILDPLATFORM | ||
ARG TESTS | ||
ARG SOURCE_COMMIT | ||
|
||
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||
RUN echo "I am running on ${BUILDPLATFORM}, building for ${TARGETPLATFORM}" | ||
|
||
# Prepare whl build env | ||
RUN mkdir -p /usr/local/build | ||
|
||
# Build FIX CA | ||
COPY bootstrap /usr/local/sbin/bootstrap | ||
COPY . /usr/src/fixca | ||
RUN apt-get update | ||
RUN apt-get -y install apt-utils | ||
RUN apt-get -y dist-upgrade | ||
RUN apt-get -y install \ | ||
openssl \ | ||
ca-certificates \ | ||
python3 \ | ||
python3-pip \ | ||
python3-setuptools \ | ||
python3-build \ | ||
python3-wheel | ||
|
||
WORKDIR /usr/src/fixca | ||
RUN pip wheel --wheel-dir=/usr/local/build --no-cache-dir . | ||
RUN echo "${SOURCE_COMMIT:-unknown}" > /usr/local/etc/git-commit.HEAD | ||
|
||
|
||
# Setup main image | ||
FROM ubuntu:23.04 | ||
ENV DEBIAN_FRONTEND=noninteractive | ||
ENV LANG="en_US.UTF-8" | ||
ENV TERM="xterm-256color" | ||
ENV COLORTERM="truecolor" | ||
ENV EDITOR="vi" | ||
COPY --from=build-env /usr/local /usr/local | ||
ENV PATH=/usr/local/python/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||
WORKDIR / | ||
RUN groupadd -g "${PGID:-0}" -o fix \ | ||
&& useradd -g "${PGID:-0}" -u "${PUID:-0}" -o --create-home fix \ | ||
&& apt-get update \ | ||
&& apt-get -y --no-install-recommends install apt-utils \ | ||
&& apt-get -y dist-upgrade \ | ||
&& apt-get -y --no-install-recommends install \ | ||
dumb-init \ | ||
iproute2 \ | ||
dateutils \ | ||
openssl \ | ||
ca-certificates \ | ||
locales \ | ||
python3-minimal \ | ||
python3-pip \ | ||
&& ln -s /usr/bin/busybox /usr/local/bin/vi \ | ||
&& ln -s /usr/bin/busybox /usr/local/bin/less \ | ||
&& echo 'LANG="en_US.UTF-8"' > /etc/default/locale \ | ||
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ | ||
&& locale-gen \ | ||
&& pip install --no-cache-dir --break-system-packages /usr/local/build/*.whl \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/local/build | ||
|
||
ENTRYPOINT ["/bin/dumb-init", "--", "/usr/local/sbin/bootstrap"] | ||
CMD ["/usr/local/bin/fixca"] |
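Review bot: The final stage never declares `ARG PUID` or `ARG PGID`, so `${PGID:-0}` and `${PUID:-0}` on the `groupadd`/`useradd` lines always expand to 0 and the `fix` account is created as a second uid-0/gid-0 user (`-o` permits the duplicate); unless the operator overrides PUID/PGID at run time, the service ends up running as root. Declare non-root defaults in this stage, e.g. `ARG PUID=1000` and `ARG PGID=1000` just before the `RUN groupadd …` line, and keep the bootstrap script's defaults in step with them. Separately, `ubuntu:23.04` is an interim (non-LTS) release with a short support window and is referenced by a mutable tag, so `apt-get dist-upgrade` rebuilds are not reproducible; pinning an LTS base by digest (`FROM ubuntu:22.04@sha256:…`) in both stages fixes that. The build stage's `COPY . /usr/src/fixca` will also pull `.git` and any local credentials into the image layer unless a `.dockerignore` exists, which this commit does not show.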
@@ -0,0 +1,140 @@ | ||
#!/bin/bash | ||
# Bootstraps runit config | ||
set -euo pipefail | ||
|
||
TZ=${TZ:-Etc/UTC} | ||
PUID=${PUID:-0} | ||
PGID=${PGID:-0} | ||
|
||
|
||
main() { | ||
apply_permissions | ||
configure_timezone | ||
setup_etc_hosts || true | ||
exec runuser -u fix -g fix -- "$@" | ||
} | ||
|
||
|
||
# Apply user id and group id | ||
apply_permissions() { | ||
info "Setting uid:gid of fix to $PUID:$PGID" | ||
groupmod -g "${PGID}" -o fix | ||
#usermod -u "${PUID}" -o -g fix fix | ||
sed -i -E "s/^(fix:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd | ||
chown fix:fix /home/fix | ||
} | ||
|
||
|
||
# Configure timezone | ||
configure_timezone() { | ||
export TZ | ||
if [ ! -f "/usr/share/zoneinfo/$TZ" ]; then | ||
warn "Unknown timezone $TZ - defaulting to Etc/UTC" | ||
TZ="Etc/UTC" | ||
fi | ||
ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime | ||
echo "$TZ" > /etc/timezone | ||
info "Setting timezone $TZ" | ||
} | ||
|
||
|
||
# Enable/disable IP protocols in /etc/hosts | ||
setup_etc_hosts() { | ||
local temp_hosts | ||
temp_hosts="$(mktemp)" | ||
cat /etc/hosts > "$temp_hosts" | ||
|
||
if ipv4_enabled; then | ||
sed -i -E "s/^#(127\.0\.0\.1.*)/\1/" "$temp_hosts" | ||
else | ||
sed -i -E "s/^(127\.0\.0\.1.*)/#\1/" "$temp_hosts" | ||
fi | ||
|
||
if ipv6_enabled; then | ||
sed -i -E "s/^#(::1.*)/\1/" "$temp_hosts" | ||
else | ||
sed -i -E "s/^(::1.*)/#\1/" "$temp_hosts" | ||
fi | ||
|
||
# /etc/hosts is singularly mounted into the container. | ||
# sed -i is not really working in-place but instead | ||
# creates a temp file and then moves it. So would fail | ||
# on /etc/hosts. Instead of atomically moving | ||
# we cat the temp file into the destination. | ||
cat "$temp_hosts" > /etc/hosts | ||
rm -f "$temp_hosts" | ||
} | ||
|
||
|
||
ipv_enabled() { | ||
local ip_version=$1 | ||
# shellcheck disable=SC2086 | ||
if [ "$(ip -$ip_version addr | wc -l)" -gt 0 ]; then | ||
return 0 | ||
fi | ||
return 1 | ||
} | ||
|
||
|
||
ipv4_enabled() { | ||
ipv_enabled 4 | ||
} | ||
|
||
|
||
ipv6_enabled() { | ||
ipv_enabled 6 | ||
} | ||
|
||
|
||
# log levels | ||
debug=50 | ||
info=40 | ||
warn=30 | ||
error=20 | ||
critical=10 | ||
fatal=5 | ||
log_level=${log_level:-$debug} | ||
|
||
|
||
debug() { logstd $debug "DEBUG - [$$] - $*"; } | ||
info() { logstd $info "INFO - $*"; } | ||
warn() { logstd $warn "WARN - $*"; } | ||
error() { logerr $error "ERROR - $*"; } | ||
critical() { logerr $critical "CRITIAL - $*"; } | ||
fatal() { logerr $fatal "FATAL - $*"; exit 1; } | ||
|
||
|
||
logstd() { | ||
local log_at_level | ||
log_at_level="$1"; shift | ||
printline "$log_at_level" "$*" | ||
} | ||
|
||
|
||
logstd() { | ||
local log_at_level | ||
log_at_level="$1"; shift | ||
printline "$log_at_level" "$*" | ||
} | ||
|
||
|
||
logerr() { | ||
local log_at_level | ||
log_at_level="$1"; shift | ||
printline "$log_at_level" "$*" >&2 | ||
} | ||
|
||
|
||
printline() { | ||
local log_at_level | ||
local log_data | ||
log_at_level="$1"; shift | ||
log_data="$*" | ||
|
||
if [ "$log_at_level" -le "$log_level" ]; then | ||
echo "$log_data" | ||
fi | ||
} | ||
|
||
|
||
main "$@" |
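Review bot: `apply_permissions` interpolates the operator-supplied `PUID` and `PGID` directly into the `sed -i -E` replacement that rewrites `/etc/passwd`; nothing checks that they are numeric (`groupmod` validates only PGID, and it runs before the sed), so a value containing `:`, `/`, `&` or a newline can corrupt the `fix` entry or inject an additional one. Validate both values before anything is modified, as the first line of `apply_permissions`: `[[ "$PUID" =~ ^[0-9]+$ && "$PGID" =~ ^[0-9]+$ ]] || fatal "PUID/PGID must be numeric, got $PUID:$PGID"`. With the script's defaults of 0, the `exec runuser -u fix -g fix` in `main` keeps the service as root, so a non-zero default would make the privilege drop effective out of the box rather than opt-in. Minor: `logstd` is defined twice (the second definition is a verbatim duplicate and can be deleted) and the `critical` wrapper emits the misspelled level `CRITIAL`.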
@@ -1,13 +1,35 @@ | ||
import os | ||
from argparse import ArgumentParser, Namespace | ||
from typing import Callable, List | ||
|
||
|
||
def parse_args(add_args: List[Callable]) -> Namespace: | ||
parser = ArgumentParser(prog="fixca", description="FIX Certification Authority") | ||
parser.add_argument("--psk", dest="psk", help="Pre-shared-key", required=True) | ||
parser.add_argument("--port", dest="port", help="HTTPS port to listen on (default: 7900)", default=7900, type=int) | ||
parser.add_argument("--namespace", dest="namespace", help="K8s namespace (default: fix)", default="fix") | ||
parser.add_argument("--secret", dest="secret", help="Secret name (default: fix-ca)", default="fix-ca") | ||
parser.add_argument("--psk", dest="psk", help="Pre-shared-key", default=os.environ.get("FIXCA_PSK")) | ||
parser.add_argument( | ||
"--port", | ||
dest="port", | ||
help="HTTPS port to listen on (default: 7900)", | ||
default=os.environ.get("FIXCA_PORT", 7900), | ||
type=int, | ||
) | ||
parser.add_argument( | ||
"--namespace", | ||
dest="namespace", | ||
help="K8s namespace (default: fix)", | ||
default=os.environ.get("FIXCA_NAMESPACE", "fix"), | ||
) | ||
parser.add_argument( | ||
"--secret", | ||
dest="secret", | ||
help="Secret name (default: fix-ca)", | ||
default=os.environ.get("FIXCA_SECRET", "fix-ca"), | ||
) | ||
for add_arg in add_args: | ||
add_arg(parser) | ||
return parser.parse_args() | ||
|
||
args = parser.parse_args() | ||
if args.psk is None: | ||
parser.error("Missing --psk argument") | ||
|
||
return args |
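Review bot: The `--psk` guard only rejects `None`, so an exported-but-empty `FIXCA_PSK=` (a common result of a templated deployment with a missing value) yields `args.psk == ""` and the CA starts with an empty pre-shared key; change the check to `if not args.psk:`. Sourcing the key from the environment is an improvement over a mandatory `--psk` flag, whose value would be visible in `ps`/`/proc/*/cmdline` to every user on the host, but the flag is still accepted, so the help text should steer operators to the variable, e.g. `help="Pre-shared-key (prefer the FIXCA_PSK environment variable; a command-line value is visible in the process list)"`. The hard-coded `(default: 7900)` / `(default: fix)` / `(default: fix-ca)` in the other help strings no longer hold once the `FIXCA_*` variables are set; `%(default)s` keeps them honest for those three (but not for `--psk`, where it would print the secret).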