yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: simplify run.sh 

- get rid of sudo
- do not change permissions of existing files
- use our own docker image to generate certs to make it working on arm
- bump kafka docker image version to have access to multiplatofrm one
This commit is contained in:
Ivan Dyachkov 2023-03-08 18:53:08 +01:00 committed by Thales Macedo Garitezi
parent c182a4053e
commit 5eaaa83b82
5 changed files with 12 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.ci/docker-compose-file/docker-compose-kafka.yaml
View File

@ -10,13 +10,12 @@ services:
networks:
emqx_bridge:
ssl_cert_gen:
image: fredrikhgrelland/alpine-jdk11-openssl
# see https://github.com/emqx/docker-images
image: ghcr.io/emqx/certgen:latest
container_name: ssl_cert_gen
user: "${DOCKER_USER:-root}"
volumes:
- /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
- ./kafka/generate-certs.sh:/bin/generate-certs.sh
entrypoint: /bin/sh
command: /bin/generate-certs.sh
kdc:
hostname: kdc.emqx.net
image: ghcr.io/emqx/emqx-builder/5.0-28:1.13.4-24.3.4.2-2-ubuntu20.04
@ -36,7 +35,7 @@ services:
- ./kerberos/run.sh:/usr/bin/run.sh
command: run.sh
kafka_1:
image: wurstmeister/kafka:2.13-2.7.0
image: wurstmeister/kafka:2.13-2.8.1
# ports:
# - "9192-9195:9192-9195"
container_name: kafka-1.emqx.net

2
.ci/docker-compose-file/docker-compose.yaml
View File

@ -23,7 +23,7 @@ services:
- ./kerberos/krb5.conf:/etc/krb5.conf
working_dir: /emqx
tty: true
user: "${UID_GID}"
user: "${DOCKER_USER:-root}"
networks:
emqx_bridge:

46
.ci/docker-compose-file/kafka/generate-certs.sh
View File

@ -1,46 +0,0 @@
#!/usr/bin/bash
set -euo pipefail
set -x
# Source https://github.com/zmstone/docker-kafka/blob/master/generate-certs.sh
HOST="*."
DAYS=3650
PASS="password"
cd /var/lib/secret/
# Delete old files
(rm ca.key ca.crt server.key server.csr server.crt client.key client.csr client.crt server.p12 kafka.keystore.jks kafka.truststore.jks 2>/dev/null || true)
ls
echo '== Generate self-signed server and client certificates'
echo '= generate CA'
openssl req -new -x509 -keyout ca.key -out ca.crt -days $DAYS -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
echo '= generate server certificate request'
openssl req -newkey rsa:2048 -sha256 -keyout server.key -out server.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
echo '= sign server certificate'
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days "$DAYS" -CAcreateserial
echo '= generate client certificate request'
openssl req -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
echo '== sign client certificate'
openssl x509 -req -CA ca.crt -CAkey ca.key -in client.csr -out client.crt -days $DAYS -CAserial ca.srl
echo '= Convert self-signed certificate to PKCS#12 format'
openssl pkcs12 -export -name "$HOST" -in server.crt -inkey server.key -out server.p12 -CAfile ca.crt -passout pass:"$PASS"
echo '= Import PKCS#12 into a java keystore'
echo $PASS | keytool -importkeystore -destkeystore kafka.keystore.jks -srckeystore server.p12 -srcstoretype pkcs12 -alias "$HOST" -storepass "$PASS"
echo '= Import CA into java truststore'
echo yes | keytool -keystore kafka.truststore.jks -alias CARoot -import -file ca.crt -storepass "$PASS"

1
.ci/docker-compose-file/kafka/kafka-entrypoint.sh
View File

@ -17,6 +17,7 @@ timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.keytab ]; do sleep 1;
echo "+++++++ Wait until SSL certs are generated ++++++++"
timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.truststore.jks ]; do sleep 1; done'
keytool -list -v -keystore /var/lib/secret/kafka.keystore.jks -storepass password
sleep 3

38
scripts/ct/run.sh
View File

@ -154,9 +154,6 @@ for dep in ${CT_DEPS}; do
'.ci/docker-compose-file/docker-compose-pgsql-tls.yaml' )
;;
kafka)
# Kafka container generates root owned ssl files
# the files are shared with EMQX (with a docker volume)
NEED_ROOT=yes
FILES+=( '.ci/docker-compose-file/docker-compose-kafka.yaml' )
;;
tdengine)
@ -180,35 +177,14 @@ F_OPTIONS=""
for file in "${FILES[@]}"; do
F_OPTIONS="$F_OPTIONS -f $file"
done
ORIG_UID_GID="$UID:$UID"
if [[ "${NEED_ROOT:-}" == 'yes' ]]; then
export UID_GID='root:root'
else
# Passing $UID to docker-compose to be used in erlang container
# as owner of the main process to avoid git repo permissions issue.
# Permissions issue happens because we are mounting local filesystem
# where files are owned by $UID to docker container where it's using
# root (UID=0) by default, and git is not happy about it.
export UID_GID="$ORIG_UID_GID"
fi
# /emqx is where the source dir is mounted to the Erlang container
# in .ci/docker-compose-file/docker-compose.yaml
export DOCKER_USER="$(id -u)"
TTY=''
if [[ -t 1 ]]; then
TTY='-t'
fi
function restore_ownership {
if [[ -n ${EMQX_TEST_DO_NOT_RUN_SUDO+x} ]] || ! sudo chown -R "$ORIG_UID_GID" . >/dev/null 2>&1; then
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "chown -R $ORIG_UID_GID /emqx" >/dev/null 2>&1 || true
fi
}
restore_ownership
trap restore_ownership EXIT
if [ "$STOP" = 'no' ]; then
# some left-over log file has to be deleted before a new docker-compose up
rm -f '.ci/docker-compose-file/redis/*.log'
@ -216,11 +192,10 @@ if [ "$STOP" = 'no' ]; then
$DC $F_OPTIONS up -d --build --remove-orphans
fi
echo "Fixing file owners and permissions for $UID_GID"
# rebar and hex cache directory need to be writable by $UID
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $UID_GID /.cache && chown -R $UID_GID /emqx/.git /emqx/.ci /emqx/_build/default/lib"
# need to initialize .erlang.cookie manually here because / is not writable by $UID
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $UID_GID /.erlang.cookie && chmod 0400 /.erlang.cookie"
# rebar and hex cache directory need to be writable by $DOCKER_USER
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $DOCKER_USER /.cache"
# need to initialize .erlang.cookie manually here because / is not writable by $DOCKER_USER
docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $DOCKER_USER /.erlang.cookie && chmod 0400 /.erlang.cookie"
if [ "$ONLY_UP" = 'yes' ]; then
exit 0
@ -242,7 +217,6 @@ else
docker exec -e IS_CI="$IS_CI" -e PROFILE="$PROFILE" -i $TTY "$ERLANG_CONTAINER" bash -c "./rebar3 ct $REBAR3CT"
fi
RESULT=$?
restore_ownership
if [ $RESULT -ne 0 ]; then
LOG='_build/test/logs/docker-compose.log'
echo "Dumping docker-compose log to $LOG"