From 83f9bc5e1314c32422d4030763853e76fd56290c Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Thu, 5 Jan 2023 13:30:07 +0100
Subject: CI: Support Podman as an alternative to Docker Podman-compose (can be aliased to docker-compose now) does not have the exact same options. We move the compose file to the root to support podman. This is also better because users can just execute docker-compose in the root.
---
ci/docker/docker-compose.yml | 52 -----------------------------
ci/docker/eduvpn-server.docker | 76 ------------------------------------------
ci/docker/eduvpnserver.docker | 76 ++++++++++++++++++++++++++++++++++++++++++
ci/docker/go-test.docker | 59 --------------------------------
ci/docker/gotest.docker | 59 ++++++++++++++++++++++++++++++++
ci/startcompose.sh | 13 +++++---
docker-compose.yml | 38 +++++++++++++++++++++
7 files changed, 182 insertions(+), 191 deletions(-)
delete mode 100644 ci/docker/docker-compose.yml
delete mode 100644 ci/docker/eduvpn-server.docker
create mode 100644 ci/docker/eduvpnserver.docker
delete mode 100644 ci/docker/go-test.docker
create mode 100644 ci/docker/gotest.docker
create mode 100644 docker-compose.yml
diff --git a/ci/docker/docker-compose.yml b/ci/docker/docker-compose.yml
deleted file mode 100644
index 066c41d..0000000
--- a/ci/docker/docker-compose.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-version: '3'
-
-# Common environment vars
-# These are the credentials for the portal
-# And the URI of the server
-x-common-env: &common-env
- PORTAL_USER: ${PORTAL_USER}
- PORTAL_PASS: ${PORTAL_PASS}
- OAUTH_EXPIRED_TTL: ${OAUTH_EXPIRED_TTL}
- SERVER_URI: "https://eduvpnserver"
-
-# Define a network so that the containers can talk with eachother using their service name
-networks:
- eduvpn_network:
- ipam:
- driver: default
- config:
- - subnet: 172.20.0.0/24
-
-# Defines the services
-services:
- # The eduvpn server with portal
- eduvpnserver:
- build:
- context: "."
- dockerfile: 'ci/docker/eduvpn-server.docker'
- sysctls: # needed for wireguard permissions, otherwise we get a permisison failed
- - net.ipv6.conf.all.disable_ipv6=0
- networks:
- eduvpn_network:
- ipv4_address: 172.20.0.6
- cap_add: # needed for wireguard
- - NET_ADMIN
- environment: *common-env
- healthcheck:
- test: ["CMD", "/eduvpn/server/healthcheck.sh"] # Wait for wireguard to come online
- interval: 5s
- timeout: 10s
- retries: 10
- # The container for testing the go code
- gotest:
- build:
- context: "."
- dockerfile: 'ci/docker/go-test.docker'
- environment: *common-env
- networks:
- eduvpn_network:
- ipv4_address: 172.20.0.5
- # Wait for eduvpn server to come online
- depends_on:
- eduvpnserver:
- condition: service_healthy
diff --git a/ci/docker/eduvpn-server.docker b/ci/docker/eduvpn-server.docker
deleted file mode 100644
index fd9891d..0000000
--- a/ci/docker/eduvpn-server.docker
+++ /dev/null
@@ -1,76 +0,0 @@
-FROM fedora:36
-
-# This dockerfile was adapted from https://github.com/eduvpn/documentation/blob/v3/deploy_fedora.sh
-# DO NOT USE THIS IN PRODUCTION, ONLY FOR TESTING
-
-# Install git to clone the documentation repo
-RUN dnf -y install git
-
-WORKDIR /eduvpn
-
-# Clone the documentation
-RUN git clone https://github.com/eduvpn/documentation
-
-WORKDIR /eduvpn/documentation
-
-# Checkout v3 branch
-RUN git checkout v3
-
-# import PGP key
-RUN rpm --import resources/repo+v3@eduvpn.org.asc
-
-# configure repository
-RUN echo -e '[eduVPN_v3]\n\
-name=eduVPN 3.x Packages (Fedora $releasever)\n\
-baseurl=https://repo.eduvpn.org/v3/rpm/fedora-$releasever-$basearch\n\
-gpgcheck=1\n\
-gpgkey=https://repo.tuxed.net/fkooman+repo@tuxed.net.asc\n\
-enabled=1'\
->> /etc/yum.repos.d/eduVPN_v3.repo
-
-# Install dependencies
-RUN dnf -y install mod_ssl php-opcache httpd iptables-nft pwgen cronie \
- iptables-services php-fpm php-cli policycoreutils-python-utils chrony \
- ipcalc tmux wget iproute
-
-# Install vpn packages
-RUN dnf -y install vpn-server-node vpn-user-portal vpn-maint-scripts
-
-# Set webserver name
-ARG WEB_FQDN=eduvpnserver
-
-# Copy and apply configurations
-RUN cp resources/ssl.fedora.conf /etc/httpd/conf.d/ssl.conf
-RUN cp resources/localhost.fedora.conf /etc/httpd/conf.d/localhost.conf
-RUN cp resources/vpn.example.fedora.conf "/etc/httpd/conf.d/${WEB_FQDN}.conf"
-
-# Otherwise we get: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.20.0.6.
Set the 'ServerName' directive globally to suppress this message
-RUN echo "ServerName 127.0.0.1" >> /etc/httpd/conf/httpd.conf
-
-RUN sed -i "s/vpn.example/${WEB_FQDN}/" "/etc/httpd/conf.d/${WEB_FQDN}.conf"
-RUN sed -i "s/vpn.example/${WEB_FQDN}/" "/etc/vpn-user-portal/config.php"
-
-# Update ip ranges
-RUN sed -i "s|10.42.42.0|$(ipcalc -4 -r 24 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
-RUN sed -i "s|fd42::|$(ipcalc -6 -r 64 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
-RUN sed -i "s|10.43.43.0|$(ipcalc -4 -r 24 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
-RUN sed -i "s|fd43::|$(ipcalc -6 -r 64 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
-
-# Update secrets
-RUN cp /etc/vpn-user-portal/keys/node.0.key /etc/vpn-server-node/keys/node.key
-
-# Copy self signed cert and key
-COPY ./ci/docker/selfsigned/${WEB_FQDN}.key /etc/pki/tls/private/${WEB_FQDN}.key
-COPY ./ci/docker/selfsigned/${WEB_FQDN}.crt /etc/pki/tls/certs/${WEB_FQDN}.crt
-
-# Add the start script and expiry script
-WORKDIR /eduvpn/server
-ADD ci/docker/starteduvpn.sh /eduvpn/server
-ADD ci/docker/replaceexpiry.sh /eduvpn/server
-ADD ci/docker/healthcheck.sh /eduvpn/server
-
-RUN chmod +x ./starteduvpn.sh
-RUN chmod +x ./replaceexpiry.sh
-RUN chmod +x ./healthcheck.sh
-
-CMD ["./starteduvpn.sh"]
diff --git a/ci/docker/eduvpnserver.docker b/ci/docker/eduvpnserver.docker
new file mode 100644
index 0000000..fd9891d
--- /dev/null
+++ b/ci/docker/eduvpnserver.docker
@@ -0,0 +1,76 @@
+FROM fedora:36
+
+# This dockerfile was adapted from https://github.com/eduvpn/documentation/blob/v3/deploy_fedora.sh
+# DO NOT USE THIS IN PRODUCTION, ONLY FOR TESTING
+
+# Install git to clone the documentation repo
+RUN dnf -y install git
+
+WORKDIR /eduvpn
+
+# Clone the documentation
+RUN git clone https://github.com/eduvpn/documentation
+
+WORKDIR /eduvpn/documentation
+
+# Checkout v3 branch
+RUN git checkout v3
+
+# import PGP key
+RUN rpm --import resources/repo+v3@eduvpn.org.asc
+
+# configure repository
+RUN echo -e '[eduVPN_v3]\n\
+name=eduVPN 3.x Packages (Fedora $releasever)\n\
+baseurl=https://repo.eduvpn.org/v3/rpm/fedora-$releasever-$basearch\n\
+gpgcheck=1\n\
+gpgkey=https://repo.tuxed.net/fkooman+repo@tuxed.net.asc\n\
+enabled=1'\
+>> /etc/yum.repos.d/eduVPN_v3.repo
+
+# Install dependencies
+RUN dnf -y install mod_ssl php-opcache httpd iptables-nft pwgen cronie \
+ iptables-services php-fpm php-cli policycoreutils-python-utils chrony \
+ ipcalc tmux wget iproute
+
+# Install vpn packages
+RUN dnf -y install vpn-server-node vpn-user-portal vpn-maint-scripts
+
+# Set webserver name
+ARG WEB_FQDN=eduvpnserver
+
+# Copy and apply configurations
+RUN cp resources/ssl.fedora.conf /etc/httpd/conf.d/ssl.conf
+RUN cp resources/localhost.fedora.conf /etc/httpd/conf.d/localhost.conf
+RUN cp resources/vpn.example.fedora.conf "/etc/httpd/conf.d/${WEB_FQDN}.conf"
+
+# Otherwise we get: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.20.0.6.
Set the 'ServerName' directive globally to suppress this message
+RUN echo "ServerName 127.0.0.1" >> /etc/httpd/conf/httpd.conf
+
+RUN sed -i "s/vpn.example/${WEB_FQDN}/" "/etc/httpd/conf.d/${WEB_FQDN}.conf"
+RUN sed -i "s/vpn.example/${WEB_FQDN}/" "/etc/vpn-user-portal/config.php"
+
+# Update ip ranges
+RUN sed -i "s|10.42.42.0|$(ipcalc -4 -r 24 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
+RUN sed -i "s|fd42::|$(ipcalc -6 -r 64 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
+RUN sed -i "s|10.43.43.0|$(ipcalc -4 -r 24 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
+RUN sed -i "s|fd43::|$(ipcalc -6 -r 64 -n --no-decorate)|" "/etc/vpn-user-portal/config.php"
+
+# Update secrets
+RUN cp /etc/vpn-user-portal/keys/node.0.key /etc/vpn-server-node/keys/node.key
+
+# Copy self signed cert and key
+COPY ./ci/docker/selfsigned/${WEB_FQDN}.key /etc/pki/tls/private/${WEB_FQDN}.key
+COPY ./ci/docker/selfsigned/${WEB_FQDN}.crt /etc/pki/tls/certs/${WEB_FQDN}.crt
+
+# Add the start script and expiry script
+WORKDIR /eduvpn/server
+ADD ci/docker/starteduvpn.sh /eduvpn/server
+ADD ci/docker/replaceexpiry.sh /eduvpn/server
+ADD ci/docker/healthcheck.sh /eduvpn/server
+
+RUN chmod +x ./starteduvpn.sh
+RUN chmod +x ./replaceexpiry.sh
+RUN chmod +x ./healthcheck.sh
+
+CMD ["./starteduvpn.sh"]
diff --git a/ci/docker/go-test.docker b/ci/docker/go-test.docker
deleted file mode 100644
index ec98d0c..0000000
--- a/ci/docker/go-test.docker
+++ /dev/null
@@ -1,59 +0,0 @@
-FROM debian:bullseye
-
-# This docker image is for testing the go code with go test and the needed dependencies for selenium
-
-WORKDIR /eduvpn
-
-# Dependencies
-RUN apt-get update
-RUN apt-get -y install openjdk-11-jre xvfb python3-selenium firefox-esr python3-pip wget
-
-# Install go from go.dev
-# Get
-RUN wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz -O go.tar.gz
-
-# Verify hash
-RUN echo "c9c08f783325c4cf840a94333159cc937f05f75d36a8b307951d5bd959cf2ab8 go.tar.gz" | sha256sum --check
-
-# Untar
-RUN tar -C /usr/local -xzf go.tar.gz
-
-# Update PATH
-ENV PATH="/usr/local/go/bin:$PATH"
-
-# Install geckodriver and add to path
-WORKDIR /eduvpn/vendor
-RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.30.0/geckodriver-v0.30.0-linux64.tar.gz
-RUN tar xzvf geckodriver-v0.30.0-linux64.tar.gz
-ENV PATH="/eduvpn/vendor:$PATH"
-
-# Update certificates
-COPY ./ci/docker/selfsigned/eduvpnserver.crt /usr/local/share/ca-certificates/eduvpnserver.crt
-RUN update-ca-certificates
-
-# Run tests as a new user for pip
-RUN useradd --create-home test
-USER test
-
-WORKDIR /home/test
-
-# Copy sources with correct permissions
-COPY --chown=test:test . ./
-
-# Vendor go dependencies
-RUN go mod vendor
-
-# Clean because there might be previous builds copied over
-RUN make clean
-
-# Build go
-RUN make build
-
-# Make python lib
-RUN make -C wrappers/python
-
-# Install python lib
-RUN pip3 install wrappers/python/dist/*.whl
-
-# Run the tests
-CMD ["make", "test"]
diff --git a/ci/docker/gotest.docker b/ci/docker/gotest.docker
new file mode 100644
index 0000000..ec98d0c
--- /dev/null
+++ b/ci/docker/gotest.docker
@@ -0,0 +1,59 @@
+FROM debian:bullseye
+
+# This docker image is for testing the go code with go test and the needed dependencies for selenium
+
+WORKDIR /eduvpn
+
+# Dependencies
+RUN apt-get update
+RUN apt-get -y install openjdk-11-jre xvfb python3-selenium firefox-esr python3-pip wget
+
+# Install go from go.dev
+# Get
+RUN wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz -O go.tar.gz
+
+# Verify hash
+RUN echo "c9c08f783325c4cf840a94333159cc937f05f75d36a8b307951d5bd959cf2ab8 go.tar.gz" | sha256sum --check
+
+# Untar
+RUN tar -C /usr/local -xzf go.tar.gz
+
+# Update PATH
+ENV PATH="/usr/local/go/bin:$PATH"
+
+# Install geckodriver and add to path
+WORKDIR /eduvpn/vendor
+RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.30.0/geckodriver-v0.30.0-linux64.tar.gz
+RUN tar xzvf geckodriver-v0.30.0-linux64.tar.gz
+ENV PATH="/eduvpn/vendor:$PATH"
+
+# Update certificates
+COPY ./ci/docker/selfsigned/eduvpnserver.crt /usr/local/share/ca-certificates/eduvpnserver.crt
+RUN update-ca-certificates
+
+# Run tests as a new user for pip
+RUN useradd --create-home test
+USER test
+
+WORKDIR /home/test
+
+# Copy sources with correct permissions
+COPY --chown=test:test . ./
+
+# Vendor go dependencies
+RUN go mod vendor
+
+# Clean because there might be previous builds copied over
+RUN make clean
+
+# Build go
+RUN make build
+
+# Make python lib
+RUN make -C wrappers/python
+
+# Install python lib
+RUN pip3 install wrappers/python/dist/*.whl
+
+# Run the tests
+CMD ["make", "test"]
diff --git a/ci/startcompose.sh b/ci/startcompose.sh
index 5f0338f..e65fa86 100755
--- a/ci/startcompose.sh
+++ b/ci/startcompose.sh
@@ -13,9 +13,14 @@ fi # Get absolute path to current directory this script is in SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +pushd "$SCRIPT_DIR"/.. + # Create self-signed certificate -mkdir -p "$SCRIPT_DIR"/docker/selfsigned -"$SCRIPT_DIR"/docker/createcert.sh +mkdir -p ci/docker/selfsigned +./ci/docker/createcert.sh + +# Up the containers and abort on exit. Also rebuild the necessary steps if there are changes +# You can symlink docker-compose to podman-compose to use Podman +docker-compose up --build --force-recreate --abort-on-container-exit -# Get the parent directory to get the root directory -docker-compose --file ci/docker/docker-compose.yml --project-directory "$SCRIPT_DIR"/.. up --build --force-recreate --abort-on-container-exit +popd
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..6483a7a
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '3'
+
+# Common environment vars
+# These are the credentials for the portal
+# And the URI of the server
+x-common-env: &common-env
+ PORTAL_USER: ${PORTAL_USER}
+ PORTAL_PASS: ${PORTAL_PASS}
+ OAUTH_EXPIRED_TTL: ${OAUTH_EXPIRED_TTL}
+ SERVER_URI: "https://eduvpnserver"
+
+# Defines the services
+services:
+ # The eduvpn server with portal
+ eduvpnserver:
+ build:
+ context: .
+ dockerfile: ci/docker/eduvpnserver.docker
+ sysctls: # needed for wireguard permissions, otherwise we get a permisison failed
+ - net.ipv6.conf.all.disable_ipv6=0
+ cap_add: # needed for wireguard
+ - NET_ADMIN
+ environment: *common-env
+ healthcheck:
+ test: ["CMD", "/eduvpn/server/healthcheck.sh"] # Wait for wireguard to come online
+ interval: 5s
+ timeout: 10s
+ retries: 10
+ # The container for testing the go code
+ gotest:
+ build:
+ context: .
+ dockerfile: ci/docker/gotest.docker
+ environment: *common-env
+ # Wait for eduvpn server to come online
+ depends_on:
+ eduvpnserver:
+ condition: service_healthy
-- cgit v1.2.3
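Review bot: In ci/startcompose.sh the script now ends with `popd`, so its exit status is popd's rather than that of `docker-compose up ... --abort-on-container-exit`, which was the last command before this change. Unless `set -e` is active above the hunk (the top of the script is not visible here), a failing test container would no longer fail the CI step. Save and return the status: `docker-compose up --build --force-recreate --abort-on-container-exit; rc=$?`, then `popd`, then `exit "$rc"`. The new `pushd "$SCRIPT_DIR"/..` is also unchecked, so if it fails the relative `mkdir -p ci/docker/selfsigned` and `./ci/docker/createcert.sh` run against the caller's working directory; `pushd "$SCRIPT_DIR"/.. || exit 1` closes that.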
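Review bot: In the new root docker-compose.yml, `PORTAL_USER: ${PORTAL_USER}` and `PORTAL_PASS: ${PORTAL_PASS}` have no default and no required-variable guard, so an unset variable is substituted as an empty string and the containers would be handed blank portal credentials. The commit message advertises running docker-compose directly from the root, which bypasses whatever checks ci/startcompose.sh performs above its hunk (not visible here). Compose's required-variable form makes the failure explicit: `PORTAL_PASS: ${PORTAL_PASS:?PORTAL_PASS must be set}`, and likewise for `PORTAL_USER` and `OAUTH_EXPIRED_TTL`. Since the change targets Podman, it is worth confirming that podman-compose honours the same syntax.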