chore: simplify run.sh
- get rid of sudo - do not change permissions of existing files - use our own docker image to generate certs to make it work on arm - bump kafka docker image version to have access to a multiplatform one
parent
c182a4053e
commit
5eaaa83b82
|
@ -10,13 +10,12 @@ services:
|
||||||
networks:
|
networks:
|
||||||
emqx_bridge:
|
emqx_bridge:
|
||||||
ssl_cert_gen:
|
ssl_cert_gen:
|
||||||
image: fredrikhgrelland/alpine-jdk11-openssl
|
# see https://github.com/emqx/docker-images
|
||||||
|
image: ghcr.io/emqx/certgen:latest
|
||||||
container_name: ssl_cert_gen
|
container_name: ssl_cert_gen
|
||||||
|
user: "${DOCKER_USER:-root}"
|
||||||
volumes:
|
volumes:
|
||||||
- /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
|
- /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
|
||||||
- ./kafka/generate-certs.sh:/bin/generate-certs.sh
|
|
||||||
entrypoint: /bin/sh
|
|
||||||
command: /bin/generate-certs.sh
|
|
||||||
kdc:
|
kdc:
|
||||||
hostname: kdc.emqx.net
|
hostname: kdc.emqx.net
|
||||||
image: ghcr.io/emqx/emqx-builder/5.0-28:1.13.4-24.3.4.2-2-ubuntu20.04
|
image: ghcr.io/emqx/emqx-builder/5.0-28:1.13.4-24.3.4.2-2-ubuntu20.04
|
||||||
|
@ -36,7 +35,7 @@ services:
|
||||||
- ./kerberos/run.sh:/usr/bin/run.sh
|
- ./kerberos/run.sh:/usr/bin/run.sh
|
||||||
command: run.sh
|
command: run.sh
|
||||||
kafka_1:
|
kafka_1:
|
||||||
image: wurstmeister/kafka:2.13-2.7.0
|
image: wurstmeister/kafka:2.13-2.8.1
|
||||||
# ports:
|
# ports:
|
||||||
# - "9192-9195:9192-9195"
|
# - "9192-9195:9192-9195"
|
||||||
container_name: kafka-1.emqx.net
|
container_name: kafka-1.emqx.net
|
||||||
|
|
|
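Review bot: The new `image: ghcr.io/emqx/certgen:latest` line leaves the certificate generator on a floating tag, so the CA, server/client certs and keystores the whole test stack trusts come from whatever that tag points at on the day the job runs, and a re-published image can silently change the fixtures or break the build. Pin it to a release tag or a digest, e.g. `image: ghcr.io/emqx/certgen:<pinned-tag>` (placeholder), the same way the kdc service in this hunk already pins `ghcr.io/emqx/emqx-builder/5.0-28:1.13.4-24.3.4.2-2-ubuntu20.04`. The kafka image bump in the second hunk of this file is fine as is.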
@ -23,7 +23,7 @@ services:
|
||||||
- ./kerberos/krb5.conf:/etc/krb5.conf
|
- ./kerberos/krb5.conf:/etc/krb5.conf
|
||||||
working_dir: /emqx
|
working_dir: /emqx
|
||||||
tty: true
|
tty: true
|
||||||
user: "${UID_GID}"
|
user: "${DOCKER_USER:-root}"
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
emqx_bridge:
|
emqx_bridge:
|
||||||
|
|
|
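Review bot: `user: "${DOCKER_USER:-root}"` now carries only a uid, because run.sh exports `DOCKER_USER="$(id -u)"` (hunk `@ -180,35 +177,14 @@` of this commit), whereas the replaced `UID_GID` was built as `"$UID:$UID"`. To my understanding, when the `user:` value has no gid Docker takes the group from the image's passwd entry for that uid and falls back to gid 0 when there is none, so files the Erlang container writes under the bind-mounted /emqx can end up with an unexpected group even though the commit's goal is to stop touching ownership. Exporting `DOCKER_USER="$(id -u):$(id -g)"` in run.sh keeps both halves explicit; the `:-root` fallback then only matters when compose is started without run.sh, which deserves a one-line comment next to this line.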
@ -1,46 +0,0 @@
|
||||||
#!/usr/bin/bash
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
set -x
|
|
||||||
|
|
||||||
# Source https://github.com/zmstone/docker-kafka/blob/master/generate-certs.sh
|
|
||||||
|
|
||||||
HOST="*."
|
|
||||||
DAYS=3650
|
|
||||||
PASS="password"
|
|
||||||
|
|
||||||
cd /var/lib/secret/
|
|
||||||
|
|
||||||
# Delete old files
|
|
||||||
(rm ca.key ca.crt server.key server.csr server.crt client.key client.csr client.crt server.p12 kafka.keystore.jks kafka.truststore.jks 2>/dev/null || true)
|
|
||||||
|
|
||||||
ls
|
|
||||||
|
|
||||||
echo '== Generate self-signed server and client certificates'
|
|
||||||
echo '= generate CA'
|
|
||||||
openssl req -new -x509 -keyout ca.key -out ca.crt -days $DAYS -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
|
|
||||||
|
|
||||||
echo '= generate server certificate request'
|
|
||||||
openssl req -newkey rsa:2048 -sha256 -keyout server.key -out server.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
|
|
||||||
|
|
||||||
echo '= sign server certificate'
|
|
||||||
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days "$DAYS" -CAcreateserial
|
|
||||||
|
|
||||||
echo '= generate client certificate request'
|
|
||||||
openssl req -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
|
|
||||||
|
|
||||||
echo '== sign client certificate'
|
|
||||||
openssl x509 -req -CA ca.crt -CAkey ca.key -in client.csr -out client.crt -days $DAYS -CAserial ca.srl
|
|
||||||
|
|
||||||
echo '= Convert self-signed certificate to PKCS#12 format'
|
|
||||||
openssl pkcs12 -export -name "$HOST" -in server.crt -inkey server.key -out server.p12 -CAfile ca.crt -passout pass:"$PASS"
|
|
||||||
|
|
||||||
echo '= Import PKCS#12 into a java keystore'
|
|
||||||
|
|
||||||
echo $PASS | keytool -importkeystore -destkeystore kafka.keystore.jks -srckeystore server.p12 -srcstoretype pkcs12 -alias "$HOST" -storepass "$PASS"
|
|
||||||
|
|
||||||
|
|
||||||
echo '= Import CA into java truststore'
|
|
||||||
|
|
||||||
echo yes | keytool -keystore kafka.truststore.jks -alias CARoot -import -file ca.crt -storepass "$PASS"
|
|
|
@ -17,6 +17,7 @@ timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.keytab ]; do sleep 1;
|
||||||
echo "+++++++ Wait until SSL certs are generated ++++++++"
|
echo "+++++++ Wait until SSL certs are generated ++++++++"
|
||||||
|
|
||||||
timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.truststore.jks ]; do sleep 1; done'
|
timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.truststore.jks ]; do sleep 1; done'
|
||||||
|
keytool -list -v -keystore /var/lib/secret/kafka.keystore.jks -storepass password
|
||||||
|
|
||||||
sleep 3
|
sleep 3
|
||||||
|
|
||||||
|
|
|
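Review bot: The added `keytool -list -v -keystore /var/lib/secret/kafka.keystore.jks -storepass password` runs right after a wait loop that only checks for `kafka.truststore.jks`; whether `kafka.keystore.jks` is already complete at that point depends on the order the certgen image writes the files, which is not visible here (the deleted generate-certs.sh wrote the keystore before the truststore, the new image may not). A listing against a missing or half-written keystore fails or prints noise at exactly the moment a certificate problem is being debugged, so add a second wait before it, `timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.keystore.jks ]; do sleep 1; done'`. A comment such as `# debugging aid: dump the generated keystore into the container log` would also make the purpose of the listing clear. The script continues outside the hunk.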
@ -154,9 +154,6 @@ for dep in ${CT_DEPS}; do
|
||||||
'.ci/docker-compose-file/docker-compose-pgsql-tls.yaml' )
|
'.ci/docker-compose-file/docker-compose-pgsql-tls.yaml' )
|
||||||
;;
|
;;
|
||||||
kafka)
|
kafka)
|
||||||
# Kafka container generates root owned ssl files
|
|
||||||
# the files are shared with EMQX (with a docker volume)
|
|
||||||
NEED_ROOT=yes
|
|
||||||
FILES+=( '.ci/docker-compose-file/docker-compose-kafka.yaml' )
|
FILES+=( '.ci/docker-compose-file/docker-compose-kafka.yaml' )
|
||||||
;;
|
;;
|
||||||
tdengine)
|
tdengine)
|
||||||
|
@ -180,35 +177,14 @@ F_OPTIONS=""
|
||||||
for file in "${FILES[@]}"; do
|
for file in "${FILES[@]}"; do
|
||||||
F_OPTIONS="$F_OPTIONS -f $file"
|
F_OPTIONS="$F_OPTIONS -f $file"
|
||||||
done
|
done
|
||||||
ORIG_UID_GID="$UID:$UID"
|
|
||||||
if [[ "${NEED_ROOT:-}" == 'yes' ]]; then
|
|
||||||
export UID_GID='root:root'
|
|
||||||
else
|
|
||||||
# Passing $UID to docker-compose to be used in erlang container
|
|
||||||
# as owner of the main process to avoid git repo permissions issue.
|
|
||||||
# Permissions issue happens because we are mounting local filesystem
|
|
||||||
# where files are owned by $UID to docker container where it's using
|
|
||||||
# root (UID=0) by default, and git is not happy about it.
|
|
||||||
export UID_GID="$ORIG_UID_GID"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# /emqx is where the source dir is mounted to the Erlang container
|
export DOCKER_USER="$(id -u)"
|
||||||
# in .ci/docker-compose-file/docker-compose.yaml
|
|
||||||
TTY=''
|
TTY=''
|
||||||
if [[ -t 1 ]]; then
|
if [[ -t 1 ]]; then
|
||||||
TTY='-t'
|
TTY='-t'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
function restore_ownership {
|
|
||||||
if [[ -n ${EMQX_TEST_DO_NOT_RUN_SUDO+x} ]] || ! sudo chown -R "$ORIG_UID_GID" . >/dev/null 2>&1; then
|
|
||||||
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "chown -R $ORIG_UID_GID /emqx" >/dev/null 2>&1 || true
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
restore_ownership
|
|
||||||
trap restore_ownership EXIT
|
|
||||||
|
|
||||||
|
|
||||||
if [ "$STOP" = 'no' ]; then
|
if [ "$STOP" = 'no' ]; then
|
||||||
# some left-over log file has to be deleted before a new docker-compose up
|
# some left-over log file has to be deleted before a new docker-compose up
|
||||||
rm -f '.ci/docker-compose-file/redis/*.log'
|
rm -f '.ci/docker-compose-file/redis/*.log'
|
||||||
|
@ -216,11 +192,10 @@ if [ "$STOP" = 'no' ]; then
|
||||||
$DC $F_OPTIONS up -d --build --remove-orphans
|
$DC $F_OPTIONS up -d --build --remove-orphans
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Fixing file owners and permissions for $UID_GID"
|
# rebar and hex cache directory need to be writable by $DOCKER_USER
|
||||||
# rebar and hex cache directory need to be writable by $UID
|
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $DOCKER_USER /.cache"
|
||||||
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $UID_GID /.cache && chown -R $UID_GID /emqx/.git /emqx/.ci /emqx/_build/default/lib"
|
# need to initialize .erlang.cookie manually here because / is not writable by $DOCKER_USER
|
||||||
# need to initialize .erlang.cookie manually here because / is not writable by $UID
|
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $DOCKER_USER /.erlang.cookie && chmod 0400 /.erlang.cookie"
|
||||||
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $UID_GID /.erlang.cookie && chmod 0400 /.erlang.cookie"
|
|
||||||
|
|
||||||
if [ "$ONLY_UP" = 'yes' ]; then
|
if [ "$ONLY_UP" = 'yes' ]; then
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -242,7 +217,6 @@ else
|
||||||
docker exec -e IS_CI="$IS_CI" -e PROFILE="$PROFILE" -i $TTY "$ERLANG_CONTAINER" bash -c "./rebar3 ct $REBAR3CT"
|
docker exec -e IS_CI="$IS_CI" -e PROFILE="$PROFILE" -i $TTY "$ERLANG_CONTAINER" bash -c "./rebar3 ct $REBAR3CT"
|
||||||
fi
|
fi
|
||||||
RESULT=$?
|
RESULT=$?
|
||||||
restore_ownership
|
|
||||||
if [ $RESULT -ne 0 ]; then
|
if [ $RESULT -ne 0 ]; then
|
||||||
LOG='_build/test/logs/docker-compose.log'
|
LOG='_build/test/logs/docker-compose.log'
|
||||||
echo "Dumping docker-compose log to $LOG"
|
echo "Dumping docker-compose log to $LOG"
|
||||||
|
|
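Review bot: `export DOCKER_USER="$(id -u)"` in hunk `@ -180,35 +177,14 @@` replaces the comment block that explained why the Erlang container runs as the host user (bind-mounted sources owned by the caller, git complaining about root-owned files), and the new line carries no explanation at all. Keep a short why-comment above it, e.g. `# run the Erlang container as the caller's uid so files it writes into the bind-mounted /emqx keep their host ownership (git complains about root-owned repos)`. With `restore_ownership` and its EXIT trap gone, nothing repairs ownership if a container ever runs as root again (the `:-root` fallback in the compose files), which matches the commit's intent but is worth stating in that comment so the next maintainer does not reintroduce the chown -R.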