Mgmt docker and document (#72)

* debug image and use wiretrustee/management repository

* Update documentation and docker-compose to include management

* improve documentation and add debug image build

* update docker-compose section with management service notes.

* fix broken doc link
Maycon Santos 2021-07-31 10:29:49 +02:00 committed by GitHub
parent 2c2c1e19df
commit f51a79d3b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 126 additions and 119 deletions


@ -20,7 +20,7 @@ builds:
goarch: arm goarch: arm
tags: tags:
- load_wintun_from_rsrc - load_wintun_from_rsrc
-
- id: wiretrustee-mgmt - id: wiretrustee-mgmt
dir: management dir: management
env: [CGO_ENABLED=0] env: [CGO_ENABLED=0]
@ -84,7 +84,7 @@ dockers:
- "--label=org.opencontainers.image.version={{.Version}}" - "--label=org.opencontainers.image.version={{.Version}}"
- "--label=maintainer=wiretrustee@wiretrustee.com" - "--label=maintainer=wiretrustee@wiretrustee.com"
- image_templates: - image_templates:
- wiretrustee/wiretrustee:management-{{ .Version }}-amd64 - wiretrustee/management:{{ .Version }}-amd64
ids: ids:
- wiretrustee-mgmt - wiretrustee-mgmt
goarch: amd64 goarch: amd64
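Review bot: moving the management image from `wiretrustee/wiretrustee:management-*` tags to its own `wiretrustee/management` repository means any deployment still pulling the old tag will silently stop receiving new versions; the READMEs in this commit are updated, but the rename deserves a line in the release notes so operators re-point their pulls.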
@ -99,7 +99,7 @@ dockers:
- "--label=org.opencontainers.image.version={{.Version}}" - "--label=org.opencontainers.image.version={{.Version}}"
- "--label=maintainer=wiretrustee@wiretrustee.com" - "--label=maintainer=wiretrustee@wiretrustee.com"
- image_templates: - image_templates:
- wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 - wiretrustee/management:{{ .Version }}-arm64v8
ids: ids:
- wiretrustee-mgmt - wiretrustee-mgmt
goarch: arm64 goarch: arm64
@ -113,6 +113,36 @@ dockers:
- "--label=org.opencontainers.image.revision={{.FullCommit}}" - "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}" - "--label=org.opencontainers.image.version={{.Version}}"
- "--label=maintainer=wiretrustee@wiretrustee.com" - "--label=maintainer=wiretrustee@wiretrustee.com"
- image_templates:
- wiretrustee/management:{{ .Version }}-debug-amd64
ids:
- wiretrustee-mgmt
goarch: amd64
use: buildx
dockerfile: management/Dockerfile.debug
build_flag_templates:
- "--platform=linux/arm64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=maintainer=wiretrustee@wiretrustee.com"
- image_templates:
- wiretrustee/management:{{ .Version }}-debug-arm64v8
ids:
- wiretrustee-mgmt
goarch: arm64
use: buildx
dockerfile: management/Dockerfile.debug
build_flag_templates:
- "--platform=linux/arm64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--label=maintainer=wiretrustee@wiretrustee.com"
docker_manifests: docker_manifests:
- name_template: wiretrustee/wiretrustee:signal-{{ .Version }} - name_template: wiretrustee/wiretrustee:signal-{{ .Version }}
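Review bot: the amd64 debug block (the one with `goarch: amd64` and `wiretrustee/management:{{ .Version }}-debug-amd64`) passes `--platform=linux/arm64` in its `build_flag_templates`, so buildx will produce an arm64 image (or fail) for the amd64 tag and the `debug-latest` manifest will carry two arm64 images; it should read `--platform=linux/amd64`, matching the non-debug amd64 entry. Both new blocks also list the `org.opencontainers.image.version` label twice; dropping the duplicate keeps the labels consistent.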
@ -125,12 +155,17 @@ docker_manifests:
- wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8 - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
- wiretrustee/wiretrustee:signal-{{ .Version }}-amd64 - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
- name_template: wiretrustee/wiretrustee:management-{{ .Version }} - name_template: wiretrustee/management:{{ .Version }}
image_templates: image_templates:
- wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 - wiretrustee/management:{{ .Version }}-arm64v8
- wiretrustee/wiretrustee:management-{{ .Version }}-amd64 - wiretrustee/management:{{ .Version }}-amd64
- name_template: wiretrustee/wiretrustee:management-latest - name_template: wiretrustee/management:latest
image_templates: image_templates:
- wiretrustee/wiretrustee:management-{{ .Version }}-arm64v8 - wiretrustee/management:{{ .Version }}-arm64v8
- wiretrustee/wiretrustee:management-{{ .Version }}-amd64 - wiretrustee/management:{{ .Version }}-amd64
- name_template: wiretrustee/management:debug-latest
image_templates:
- wiretrustee/management:{{ .Version }}-debug-arm64v8
- wiretrustee/management:{{ .Version }}-debug-amd64
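Review bot: only a `debug-latest` manifest is added for the debug images; without a `wiretrustee/management:{{ .Version }}-debug` manifest there is no multi-arch tag that pins a specific debug build, so a reproducible deployment has to reference the per-arch `{{ .Version }}-debug-amd64` / `-arm64v8` tags directly. Mirroring the pair used for the regular image (versioned manifest plus `latest`) would close that gap.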


@ -158,16 +158,17 @@ The default log-level is set to INFO, if you need you can change it using by upd
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
```` ````
### Running Signal and Coturn ### Running Management, Signal and Coturn
Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration.
You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn). The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges. > Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
to generate one from [Lets Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. to generate one from [Lets Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs.
> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.
Simple docker-composer execution: Simple docker-composer execution:
````shell ````shell
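Review bot: typo in the new blockquote: `run the servicein a host` should read `run the service in a host`. That note tells users to uncomment the 443 port and `command` lines, but it should state plainly that until they do, the management service in this compose example listens on 33073 without TLS, which the management README itself labels as not recommended. Changing the Signal anchor to `#running-the-signal-service` is correct, since GitHub lowercases and hyphenates heading anchors.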
@ -178,6 +179,7 @@ You can check logs by running:
````shell ````shell
cd infrastructure_files cd infrastructure_files
docker-compose logs signal docker-compose logs signal
docker-compose logs management
docker-compose logs coturn docker-compose logs coturn
```` ````
If you need to stop the services, run the following: If you need to stop the services, run the following:


@ -6,7 +6,17 @@ services:
restart: unless-stopped restart: unless-stopped
ports: ports:
- 10000:10000 - 10000:10000
# Management
management:
image: wiretrustee/management:latest
restart: unless-stopped
volumes:
- wiretrustee-mgmt:/var/lib/wiretrustee
ports:
- 33073:33073
# # port and command for Let's Encrypt validation
# - 443:443
# command: ["--letsencrypt-domain", "<YOUR-DOMAIN>"]
# Coturn # Coturn
coturn: coturn:
image: coturn/coturn image: coturn/coturn
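Review bot: as committed, the `management` service publishes 33073 while the `443:443` port and the `--letsencrypt-domain` command are commented out, so the default stack runs the management endpoint without TLS; a one-line comment next to `- 33073:33073` pointing at the Let's Encrypt lines below would keep operators from shipping it as-is. `image: wiretrustee/management:latest` is also a floating tag; pinning a version makes the compose file reproducible and avoids surprise upgrades on the next `docker-compose pull`.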
@ -17,3 +27,5 @@ services:
# - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
# - ./cert.pem:/etc/coturn/certs/cert.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
network_mode: host network_mode: host
volumes:
wiretrustee-mgmt:


@ -1,3 +1,3 @@
FROM gcr.io/distroless/base:debug FROM gcr.io/distroless/base
ENTRYPOINT [ "/go/bin/wiretrustee","management"] ENTRYPOINT [ "/go/bin/wiretrustee","management"]
COPY wiretrustee /go/bin/wiretrustee COPY wiretrustee /go/bin/wiretrustee
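Review bot: dropping the `:debug` variant from the release image is the right call, since `gcr.io/distroless/base:debug` ships a busybox shell the production container does not need. `gcr.io/distroless/base` is still a floating tag, though; pinning it by digest (`FROM gcr.io/distroless/base@sha256:<digest>`, with the digest filled in at pin time) makes the build reproducible and lets base-image updates show up as reviewable diffs.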


@ -0,0 +1,3 @@
FROM gcr.io/distroless/base:debug
ENTRYPOINT [ "/go/bin/wiretrustee","management","--log-level","debug"]
COPY wiretrustee /go/bin/wiretrustee
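Review bot: the ENTRYPOINT bakes in `--log-level debug`, but the management README added in this same commit describes the debug tag as having "the log-level set to default"; one of the two should be corrected so the documentation matches the image. Since the flag lives in ENTRYPOINT rather than CMD, a user-supplied `command:` in docker-compose is appended after it, so adding `--letsencrypt-domain` that way still works.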


@ -1,28 +1,46 @@
# Wiretrustee Management Server # Wiretrustee Management Server
Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network.
## Command Options
The CLI accepts the command **management** with the following options:
```shell
start Wiretrustee Management Server
Usage:
wiretrustee management [flags]
Flags:
--datadir string server data directory location (default "/var/lib/wiretrustee/")
-h, --help help for management
--letsencrypt-domain string a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS
--port int server port to listen on (default 33073)
Global Flags:
--config string Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json")
--log-level string (default "info")
```
## Run Management service (Docker) ## Run Management service (Docker)
You can run service in 2 modes - with TLS or without (not recommended). You can run service in 2 modes - with TLS or without (not recommended).
### Run with TLS (Let's Encrypt). ### Run with TLS (Let's Encrypt).
By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration.
The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge). In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API.
In the following example ```33073``` is a gRpc port, ```443``` is a port for Let's Encrypt challenge and HTTP API. > The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com). Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).
```bash ```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \ docker run -d --name wiretrustee-management \
-p 33073:33073 \ -p 33073:33073 \
-p 443:443 \ -p 443:443 \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \ -v wiretrustee-mgmt:/var/lib/wiretrustee \
-v /etc/wiretrustee/:/etc/wiretrustee/ \ wiretrustee/management:latest \
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \ --letsencrypt-domain <YOUR-DOMAIN>
--port 33073 \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain <YOUR-DOMAIN> \
--log-level info
``` ```
Trigger Let's encrypt certificate generation: Trigger Let's encrypt certificate generation:
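Review bot: in the Command Options block, `--log-level string (default "info")` has no description, unlike the other flags; a short help string naming the accepted levels would make the listing self-explanatory. The TLS example now relies on defaults instead of spelling out `--port`, `--datadir`, `--hosts-config` and `--log-level`, which is cleaner, but the blockquote about needing a public IP should also say that port 443 must be reachable from the internet, since a firewall in front of the host will make the Let's Encrypt challenge fail even with a public address.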
@ -30,110 +48,47 @@ Trigger Let's encrypt certificate generation:
curl https://<YOUR-DOMAIN> curl https://<YOUR-DOMAIN>
``` ```
The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```). Make sure that the ```datadir``` is mapped to some folder on a host machine. The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container.
Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint:
```shell
docker volume inspect wiretrustee-mgmt
[
{
"CreatedAt": "2021-07-25T20:45:28Z",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/mgmt/_data",
"Name": "wiretrustee-mgmt",
"Options": {},
"Scope": "local"
}
]
```
Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart. Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart.
**Below are optional steps (some checks).**
Inspect ```datadir``` to see if the folder contains Let's Encrypt certificate:
```bash
ls /var/lib/wiretrustee/letsencrypt/
```
The output should be something similar to this:
```bash
root@wiretrustee-test-2:~# ls /var/lib/wiretrustee/letsencrypt/
acme_account+key <YOUR-DOMAIN> <YOUR-DOMAIN>+rsa
```
Check certificate:
```bash
echo | openssl s_client -showcerts -servername <YOUR-DOMAIN> -connect <YOUR-DOMAIN>:33073 2>/dev/null | openssl x509 -inform pem -noout -text
```
The output should be something similar to this:
```bash
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:07:7a:8e:f3:78:0d:bc:4d:f0:82:9b:1a:a3:c1:89:6c:ae
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Jul 17 14:19:45 2021 GMT
Not After : Oct 15 14:19:43 2021 GMT
Subject: CN = <YOUR-DOMAIN>
...
Signature Algorithm: sha256WithRSAEncryption
3a:a3:27:5c:aa:35:11:b0:9a:89:d4:da:03:30:16:bc:3e:01:
9f:7a:14:0a:1c:f3:c3:1c:67:86:31:bd:63:0f:19:81:66:77:
34:32:e8:ac:be:16:1d:55:5e:d5:71:73:d7:50:b4:fb:56:6d:
14:b3:2f:ae:04:52:e5:f4:e2:86:dd:fe:b8:b0:bf:52:84:bf:
5f:d2:56:9f:7b:70:6c:b8:f4:e8:c8:94:7f:89:e9:0d:37:55:
c7:c7:6c:51:88:09:9a:40:4a:52:88:c6:8b:1b:9c:d4:a2:a5:
4d:c7:23:4b:81:b8:4a:90:3f:a3:50:80:6e:bb:1f:1c:c2:19:
99:d4:57:7b:82:07:f3:ca:71:6d:83:e8:5a:98:70:98:13:a1:
64:81:0d:01:db:41:37:46:6f:a5:c6:e5:cf:7d:ba:f8:26:b1:
53:58:fc:7d:48:2a:55:f3:14:e7:5e:7d:0f:3d:23:98:83:00:
08:19:b0:62:93:a4:66:96:db:25:3f:e7:02:44:25:c1:62:4d:
75:90:5b:b6:59:68:42:58:37:88:2f:84:c2:77:8f:9f:50:ed:
b5:f7:b1:31:8a:b6:ca:9e:5a:90:e9:3f:5b:eb:d4:c3:f6:82:
42:16:5f:f4:62:ed:51:9c:ac:b1:ba:4e:6f:ea:ec:ab:43:ba:
d1:25:ab:28
```
### Run without TLS. ### Run without TLS.
```bash ```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \ docker run -d --name wiretrustee-management \
-p 33073:33073 \ -p 33073:33073 \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \ -v wiretrustee-mgmt:/var/lib/wiretrustee \
-v /etc/wiretrustee/:/etc/wiretrustee/ \ wiretrustee/management:latest
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \
--port 33073 \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain app.wiretrustee.com \
--log-level debug
``` ```
### Debug tag
We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container.
```shell
shell $ docker run -d --name wiretrustee-management-debug \
-p 33073:33073 \
-v wiretrustee-mgmt:/var/lib/wiretrustee \
wiretrustee/management:debug-latest
### hosts-config.json file example: shell $ docker exec -ti wiretrustee-management-debug /bin/sh
container-shell $
```json
{
"Stuns": [
{
"Proto": 2,
"Host": "stun.wiretrustee.com",
"Port": 3468,
"Username": "",
"Password": null
}
],
"Turns": [
{
"Proto": 2,
"Host": "stun.wiretrustee.com",
"Port": 3468,
"Username": "some_user",
"Password": "c29tZV9wYXNzd29yZA=="
}
],
"Signal": {
"Proto": 2,
"Host": "signal.wiretrustee.com",
"Port": 10000,
"Username": "",
"Password": null
}
}
``` ```
## For development purposes: ## For development purposes:
Install golang gRpc tools: Install golang gRpc tools:
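Review bot: the sample `docker volume inspect wiretrustee-mgmt` output is inconsistent: `"Name"` is `wiretrustee-mgmt` but `"Mountpoint"` is `/var/lib/docker/volumes/mgmt/_data`, the path of a volume named `mgmt`; it should be `/var/lib/docker/volumes/wiretrustee-mgmt/_data`. In the Debug tag section, "has the log-level set to default" contradicts `Dockerfile.debug`, which passes `--log-level debug`, and the `shell $` / `container-shell $` prompts inside the `shell` fence get copied along with the commands. The removed `openssl s_client ... | openssl x509 -noout -text` step was the only check that verified the served certificate end to end; keeping that one-liner (without the long sample output) would preserve it. Finally, the debug example mounts the same `wiretrustee-mgmt` volume as the production container, so running both at once shares one datadir and one Let's Encrypt account; a note to stop the production container first, or to use a separate volume, would avoid that.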