diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 1b4315f60..27f389d33 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -20,7 +20,7 @@ builds: goarch: arm tags: - load_wintun_from_rsrc - - + - id: wiretrustee-mgmt dir: management env: [CGO_ENABLED=0] @@ -84,7 +84,7 @@ dockers: - "--label=org.opencontainers.image.version={{.Version}}" - "--label=maintainer=wiretrustee@wiretrustee.com" - image_templates: - - wiretrustee/wiretrustee:management-{{ .Version }}-amd64 + - wiretrustee/management:{{ .Version }}-amd64 ids: - wiretrustee-mgmt goarch: amd64 @@ -99,7 +99,7 @@ dockers: - "--label=org.opencontainers.image.version={{.Version}}" - "--label=maintainer=wiretrustee@wiretrustee.com" - image_templates: - - wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 + - wiretrustee/management:{{ .Version }}-arm64v8 ids: - wiretrustee-mgmt goarch: arm64 
@@ -113,6 +113,36 @@ dockers: - "--label=org.opencontainers.image.revision={{.FullCommit}}" - "--label=org.opencontainers.image.version={{.Version}}" - "--label=maintainer=wiretrustee@wiretrustee.com" + - image_templates: + - wiretrustee/management:{{ .Version }}-debug-amd64 + ids: + - wiretrustee-mgmt + goarch: amd64 + use: buildx + dockerfile: management/Dockerfile.debug + build_flag_templates: + - "--platform=linux/arm64" + - "--label=org.opencontainers.image.created={{.Date}}" + - "--label=org.opencontainers.image.title={{.ProjectName}}" + - "--label=org.opencontainers.image.version={{.Version}}" + - "--label=org.opencontainers.image.revision={{.FullCommit}}" + - "--label=org.opencontainers.image.version={{.Version}}" + - "--label=maintainer=wiretrustee@wiretrustee.com" + - image_templates: + - wiretrustee/management:{{ .Version }}-debug-arm64v8 + ids: + - wiretrustee-mgmt + goarch: arm64 + use: buildx + dockerfile: management/Dockerfile.debug + build_flag_templates: + - "--platform=linux/arm64" + - "--label=org.opencontainers.image.created={{.Date}}" + - "--label=org.opencontainers.image.title={{.ProjectName}}" + - "--label=org.opencontainers.image.version={{.Version}}" + - "--label=org.opencontainers.image.revision={{.FullCommit}}" + - "--label=org.opencontainers.image.version={{.Version}}" + - "--label=maintainer=wiretrustee@wiretrustee.com" docker_manifests: - name_template: wiretrustee/wiretrustee:signal-{{ .Version }} 
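Review bot: The first added dockers entry declares `goarch: amd64` and tags the result `wiretrustee/management:{{ .Version }}-debug-amd64`, yet its build_flag_templates pass `- "--platform=linux/arm64"`, so buildx is told to produce an arm64 image from the amd64 binary; that line should read `- "--platform=linux/amd64"`. The platform flag of the existing non-debug amd64 entry is outside this hunk, so I cannot confirm whether it was copied from there. Both new entries also list `org.opencontainers.image.version` twice (the existing entries appear to do the same); the second occurrence can be dropped since the last value wins anyway.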
@@ -125,12 +155,17 @@ docker_manifests: - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8 - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64 - - name_template: wiretrustee/wiretrustee:management-{{ .Version }} + - name_template: wiretrustee/management:{{ .Version }} image_templates: - - wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 - - wiretrustee/wiretrustee:management-{{ .Version }}-amd64 + - wiretrustee/management:{{ .Version }}-arm64v8 + - wiretrustee/management:{{ .Version }}-amd64 - - name_template: wiretrustee/wiretrustee:management-latest + - name_template: wiretrustee/management:latest image_templates: - - wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 - - wiretrustee/wiretrustee:management-{{ .Version }}-amd64 \ No newline at end of file + - wiretrustee/management:{{ .Version }}-arm64v8 + - wiretrustee/management:{{ .Version }}-amd64 + + - name_template: wiretrustee/management:debug-latest + image_templates: + - wiretrustee/management:{{ .Version }}-debug-arm64v8 + - wiretrustee/management:{{ .Version }}-debug-amd64 \ No newline at end of file diff --git a/README.md b/README.md index 759acf828..0f74babb6 100644 --- a/README.md +++ b/README.md 
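Review bot: Only a `wiretrustee/management:debug-latest` manifest is added for the debug images, so the multi-arch debug image can only be pulled by a mutable tag, while the per-arch debug tags are versioned. A versioned manifest alongside it would let deployments pin an exact debug build, mirroring the `{{ .Version }}` / `latest` pair the non-debug manifests already have. The file also still ends without a trailing newline, as the marker on the last added line shows.
```yaml
  - name_template: wiretrustee/management:{{ .Version }}-debug
    image_templates:
      - wiretrustee/management:{{ .Version }}-debug-arm64v8
      - wiretrustee/management:{{ .Version }}-debug-amd64
```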
@@ -158,16 +158,17 @@ The default log-level is set to INFO, if you need you can change it using by upd docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG ```` -### Running Signal and Coturn -Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. +### Running Management, Signal and Coturn +Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**. -The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn). +The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn). > Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges. 
-Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation +Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation to generate one from [Let’s Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. +> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file. Simple docker-composer execution: ````shell @@ -178,6 +179,7 @@ You can check logs by running: ````shell cd infrastructure_files docker-compose logs signal +docker-compose logs management docker-compose logs coturn ```` If you need to stop the services, run the following: diff --git a/infrastructure_files/docker-compose.yml b/infrastructure_files/docker-compose.yml index 74a3cc548..6edfffbeb 100644 --- a/infrastructure_files/docker-compose.yml +++ b/infrastructure_files/docker-compose.yml 
@@ -6,7 +6,17 @@ services: restart: unless-stopped ports: - 10000:10000 - + # Management + management: + image: wiretrustee/management:latest + restart: unless-stopped + volumes: + - wiretrustee-mgmt:/var/lib/wiretrustee + ports: + - 33073:33073 +# # port and command for Let's Encrypt validation +# - 443:443 +# command: ["--letsencrypt-domain", ""] # Coturn coturn: image: coturn/coturn @@ -17,3 +27,5 @@ services: # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host +volumes: + wiretrustee-mgmt: \ No newline at end of file diff --git a/management/Dockerfile b/management/Dockerfile index 1c599dbfa..9f25173e0 100644 --- a/management/Dockerfile +++ b/management/Dockerfile @@ -1,3 +1,3 @@ -FROM gcr.io/distroless/base:debug +FROM gcr.io/distroless/base ENTRYPOINT [ "/go/bin/wiretrustee","management"] COPY wiretrustee /go/bin/wiretrustee \ No newline at end of file diff --git a/management/Dockerfile.debug b/management/Dockerfile.debug new file mode 100644 index 000000000..c67820a2e --- /dev/null +++ b/management/Dockerfile.debug @@ -0,0 +1,3 @@ +FROM gcr.io/distroless/base:debug +ENTRYPOINT [ "/go/bin/wiretrustee","management","--log-level","debug"] +COPY wiretrustee /go/bin/wiretrustee \ No newline at end of file diff --git a/management/README.md b/management/README.md index 9bd41a18e..023368111 100644 --- a/management/README.md +++ b/management/README.md 
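Review bot: The new `management` service runs in the no-TLS mode by default, because the `--letsencrypt-domain` command line and the 443 port mapping are commented out, and the management README in this same change describes that mode as not recommended; the `# Management` comment should say so, e.g. `# Management (listens on 33073 without TLS unless the Let's Encrypt lines below are enabled)`. The image is also referenced as `wiretrustee/management:latest`, a mutable tag, so two runs of this compose file may start different builds; pinning a release tag here is worth considering once one is published. The second hunk of this file leaves docker-compose.yml without a trailing newline.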
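Review bot: `FROM gcr.io/distroless/base` carries neither a tag nor a digest, so each release build silently picks up whatever the registry currently serves as the default tag, which makes the published management image non-reproducible and hard to audit. Pin the base, e.g. `FROM gcr.io/distroless/base@sha256:<digest-of-verified-base-image>`, and the same applies to `gcr.io/distroless/base:debug` in the new management/Dockerfile.debug. Dropping the `:debug` variant from the production image is the right direction, since it removes the shell that the debug image keeps.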
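Review bot: The ENTRYPOINT bakes `--log-level debug` into the image, but the management README added in this same change states that the debug tag "has the log-level set to default", so one of the two is wrong. A header comment would settle the intent, e.g. `# Debug variant: keeps the distroless shell for docker exec and forces --log-level debug; not intended for production`. Whether a `--log-level` passed at `docker run` time overrides the baked-in flag depends on the CLI's flag parsing, which is not visible here.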
@@ -1,28 +1,46 @@ # Wiretrustee Management Server +Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network. +## Command Options +The CLI accepts the command **management** with the following options: +```shell +start Wiretrustee Management Server + +Usage: + wiretrustee management [flags] + +Flags: + --datadir string server data directory location (default "/var/lib/wiretrustee/") + -h, --help help for management + --letsencrypt-domain string a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS + --port int server port to listen on (default 33073) + +Global Flags: + --config string Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json") + --log-level string (default "info") +``` ## Run Management service (Docker) You can run service in 2 modes - with TLS or without (not recommended). ### Run with TLS (Let's Encrypt). +By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration. -The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge). -In the following example ```33073``` is a gRpc port, ```443``` is a port for Let's Encrypt challenge and HTTP API. +In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API. +> The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge). Replace with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com). 
```bash +# create a volume +docker volume create wiretrustee-mgmt +# run the docker container docker run -d --name wiretrustee-management \ -p 33073:33073 \ -p 443:443 \ --v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \ --v /etc/wiretrustee/:/etc/wiretrustee/ \ -wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \ ---port 33073 \ ---datadir /var/lib/wiretrustee/ \ ---hosts-config /etc/wiretrustee/hosts-config.json \ ---letsencrypt-domain \ ---log-level info +-v wiretrustee-mgmt:/var/lib/wiretrustee \ +wiretrustee/management:latest \ +--letsencrypt-domain ``` Trigger Let's encrypt certificate generation: 
@@ -30,110 +48,47 @@ Trigger Let's encrypt certificate generation: curl https:// ``` -The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```). Make sure that the ```datadir``` is mapped to some folder on a host machine. +The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container. + +Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint: +```shell +docker volume inspect wiretrustee-mgmt +[ + { + "CreatedAt": "2021-07-25T20:45:28Z", + "Driver": "local", + "Labels": {}, + "Mountpoint": "/var/lib/docker/volumes/mgmt/_data", + "Name": "wiretrustee-mgmt", + "Options": {}, + "Scope": "local" + } +] +``` Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart. -**Below are optional steps (some checks).** - -Inspect ```datadir``` to see if the folder contains Let's Encrypt certificate: -```bash -ls /var/lib/wiretrustee/letsencrypt/ -``` - -The output should be something similar to this: - -```bash -root@wiretrustee-test-2:~# ls /var/lib/wiretrustee/letsencrypt/ -acme_account+key +rsa -``` - -Check certificate: -```bash -echo | openssl s_client -showcerts -servername -connect :33073 2>/dev/null | openssl x509 -inform pem -noout -text -``` - -The output should be something similar to this: -```bash -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 04:07:7a:8e:f3:78:0d:bc:4d:f0:82:9b:1a:a3:c1:89:6c:ae - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = US, O = Let's Encrypt, CN = R3 - Validity - Not Before: Jul 17 14:19:45 2021 GMT - Not After : Oct 15 14:19:43 2021 GMT - Subject: CN = - - ... 
- - Signature Algorithm: sha256WithRSAEncryption - 3a:a3:27:5c:aa:35:11:b0:9a:89:d4:da:03:30:16:bc:3e:01: - 9f:7a:14:0a:1c:f3:c3:1c:67:86:31:bd:63:0f:19:81:66:77: - 34:32:e8:ac:be:16:1d:55:5e:d5:71:73:d7:50:b4:fb:56:6d: - 14:b3:2f:ae:04:52:e5:f4:e2:86:dd:fe:b8:b0:bf:52:84:bf: - 5f:d2:56:9f:7b:70:6c:b8:f4:e8:c8:94:7f:89:e9:0d:37:55: - c7:c7:6c:51:88:09:9a:40:4a:52:88:c6:8b:1b:9c:d4:a2:a5: - 4d:c7:23:4b:81:b8:4a:90:3f:a3:50:80:6e:bb:1f:1c:c2:19: - 99:d4:57:7b:82:07:f3:ca:71:6d:83:e8:5a:98:70:98:13:a1: - 64:81:0d:01:db:41:37:46:6f:a5:c6:e5:cf:7d:ba:f8:26:b1: - 53:58:fc:7d:48:2a:55:f3:14:e7:5e:7d:0f:3d:23:98:83:00: - 08:19:b0:62:93:a4:66:96:db:25:3f:e7:02:44:25:c1:62:4d: - 75:90:5b:b6:59:68:42:58:37:88:2f:84:c2:77:8f:9f:50:ed: - b5:f7:b1:31:8a:b6:ca:9e:5a:90:e9:3f:5b:eb:d4:c3:f6:82: - 42:16:5f:f4:62:ed:51:9c:ac:b1:ba:4e:6f:ea:ec:ab:43:ba: - d1:25:ab:28 - -``` - ### Run without TLS. ```bash +# create a volume +docker volume create wiretrustee-mgmt +# run the docker container docker run -d --name wiretrustee-management \ -p 33073:33073 \ --v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \ --v /etc/wiretrustee/:/etc/wiretrustee/ \ -wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \ ---port 33073 \ ---datadir /var/lib/wiretrustee/ \ ---hosts-config /etc/wiretrustee/hosts-config.json \ ---letsencrypt-domain app.wiretrustee.com \ ---log-level debug +-v wiretrustee-mgmt:/var/lib/wiretrustee \ +wiretrustee/management:latest ``` +### Debug tag +We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container. 
+```shell +shell $ docker run -d --name wiretrustee-management-debug \ +-p 33073:33073 \ +-v wiretrustee-mgmt:/var/lib/wiretrustee \ +wiretrustee/management:debug-latest -### hosts-config.json file example: - -```json -{ - "Stuns": [ - { - "Proto": 2, - "Host": "stun.wiretrustee.com", - "Port": 3468, - "Username": "", - "Password": null - } - ], - "Turns": [ - { - "Proto": 2, - "Host": "stun.wiretrustee.com", - "Port": 3468, - "Username": "some_user", - "Password": "c29tZV9wYXNzd29yZA==" - } - ], - "Signal": { - "Proto": 2, - "Host": "signal.wiretrustee.com", - "Port": 10000, - "Username": "", - "Password": null - } -} +shell $ docker exec -ti wiretrustee-management-debug /bin/sh +container-shell $ ``` - ## For development purposes: Install golang gRpc tools: