From bcd4069481d30eb58545f8b096f55dbd14cb510f Mon Sep 17 00:00:00 2001 From: Christoff Visser Date: Wed, 27 Nov 2024 15:11:40 +0900 Subject: [PATCH 1/4] Update alpine in base image to 3.20 --- platform/docker_images/base/Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/platform/docker_images/base/Dockerfile b/platform/docker_images/base/Dockerfile index 42620aa9..d79f45b9 100644 --- a/platform/docker_images/base/Dockerfile +++ b/platform/docker_images/base/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.19 +FROM alpine:3.20 # Install and configure packages which are required in every container # and make bash the default shell. @@ -8,7 +8,7 @@ RUN apk add --no-cache tini bash bash-completion util-linux coreutils \ && echo "export PS1=\"\[\033[38;5;2m\]\u@\h \[\033[38;5;75m\]\w\e[m> \"" > /root/.bashrc \ && sed -i -e "s/bin\/ash/bin\/bash/" /etc/passwd -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 +ENV LANG=en_US.UTF-8 +ENV LANGUAGE=en_US:en +ENV LC_ALL=en_US.UTF-8 ENV TZ="Europe/Paris" \ No newline at end of file From b41b21b14578edd1530ca41ab97b0be1d0ab76ca Mon Sep 17 00:00:00 2001 From: Christoff Visser Date: Wed, 27 Nov 2024 15:41:41 +0900 Subject: [PATCH 2/4] Updated krill and removed platform specific target --- platform/docker_images/krill/Dockerfile | 23 +++++++++-------------- platform/setup/rpki_config.sh | 2 +- platform/setup/rpki_setup.sh | 18 +++++++++--------- 3 files changed, 19 insertions(+), 24 deletions(-) diff --git a/platform/docker_images/krill/Dockerfile b/platform/docker_images/krill/Dockerfile index c626854c..e6afb7f1 100644 --- a/platform/docker_images/krill/Dockerfile +++ b/platform/docker_images/krill/Dockerfile 
@@ -1,29 +1,24 @@ # -- stage 1: build static krill with musl libc for alpine -FROM d_base:latest as build +FROM d_base:latest AS build # Specify what version of krill should be built. -ARG KRILL_VERSION=0.9.0-rc2 +ARG KRILL_VERSION=0.14.5 RUN apk add wget openssl-dev patch rust cargo WORKDIR /tmp/krill -COPY krill_cli.patch / - RUN wget "https://github.com/NLnetLabs/krill/archive/refs/tags/v${KRILL_VERSION}.tar.gz" -O - | tar -xz --strip-components=1 -RUN patch -p1 < /krill_cli.patch -RUN cargo build \ - --target x86_64-alpine-linux-musl \ - --features multi-user \ - --release \ - --locked +# Build krill based on the krill's docker image build instructions +RUN CARGO_HTTP_MULTIPLEXING=false cargo install \ + --locked \ + --features multi-user \ + --path . \ + --root /tmp/out/ # -- stage 2: create image with the static krill executable FROM d_base_supervisor:latest -COPY --from=build /tmp/krill/target/x86_64-alpine-linux-musl/release/krill /usr/local/bin/ -COPY --from=build /tmp/krill/target/x86_64-alpine-linux-musl/release/krillc /usr/local/bin/ -COPY --from=build /tmp/krill/target/x86_64-alpine-linux-musl/release/krillpubd /usr/local/bin/ -COPY --from=build /tmp/krill/target/x86_64-alpine-linux-musl/release/krillpubc /usr/local/bin/ +COPY --from=build /tmp/out/bin/* /usr/local/bin/ RUN apk add --no-cache haproxy curl rsync libgcc ca-certificates openssl openssh-server \ && ssh-keygen -A \ diff --git a/platform/setup/rpki_config.sh b/platform/setup/rpki_config.sh index c1a56a5b..0fde1bc5 100755 --- a/platform/setup/rpki_config.sh +++ b/platform/setup/rpki_config.sh 
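Review bot: `patch` in the context line `RUN apk add wget openssl-dev patch rust cargo` no longer has a consumer once this hunk drops `COPY krill_cli.patch /` and `RUN patch -p1 < /krill_cli.patch`; the apk line should become `RUN apk add --no-cache wget openssl-dev rust cargo`, and `krill_cli.patch` can be deleted from the repository if nothing else references it. The new `cargo install --locked` pins the crate graph to the tarball's Cargo.lock, but the tarball from the `RUN wget "https://github.com/NLnetLabs/krill/archive/refs/tags/v${KRILL_VERSION}.tar.gz" -O - | tar -xz` line is still extracted without any integrity check, so `KRILL_VERSION` alone does not make the build reproducible; verifying the download with `sha256sum -c` against an `ARG KRILL_SHA256=<expected digest>` placeholder before extracting would close that gap, and the routinator Dockerfile hunk in patch 3 has the same shape. That wget line is unchanged by the commit, so this is a follow-up rather than a regression introduced here.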
@@ -240,7 +240,7 @@ for ((j = 0; j < n_groups; j++)); do
 # Register CA with local publication server
 echo "krillc repo request --server \$KRILL_SERVER \\"
 echo " --ca \"${ca_name}\" > /tmp/${ca_name}_publisher_request.xml"
- echo "krillpubc add \\"
+ echo "krillc pubserver publishers add \\"
 echo " --server \$KRILL_SERVER \\"
 echo " --publisher \"${ca_name}\" \\"
 echo " --request /tmp/${ca_name}_publisher_request.xml > /tmp/${ca_name}_repository_response.xml"
diff --git a/platform/setup/rpki_setup.sh b/platform/setup/rpki_setup.sh
index bf86ad22..444b97ec 100755
--- a/platform/setup/rpki_setup.sh
+++ b/platform/setup/rpki_setup.sh
@@ -81,14 +81,15 @@ for ((j = 0; j < n_krill_containers; j++)); do krill_config_location="${krill_group_location}/krill.conf" # Add one admin account and one readonly account which can see all certificate authorities - admin_passwd=$(awk "\$1 == \"admin\" { print \$0 }" "${DIRECTORY}/groups/krill_passwords.txt" | cut -f 2 -d ' ') - readonly_passwd=$(awk "\$1 == \"readonly\" { print \$0 }" "${DIRECTORY}/groups/krill_passwords.txt" | cut -f 2 -d ' ') + admin_passwd=$(awk '$1 == "admin" { print $2 }' "${DIRECTORY}/groups/krill_passwords.txt") + readonly_passwd=$(awk '$1 == "readonly" { print $2 }' "${DIRECTORY}/groups/krill_passwords.txt") { - echo "${admin_passwd}" | docker exec -i $krill_container_name krillc config user --id "admin@ethz.ch" \ - -a "role=admin" | grep "admin" | tr -d '\r' - echo "${readonly_passwd}" | docker exec -i $krill_container_name krillc config user --id "readonly@ethz.ch" \ - -a "role=readonly" | grep "readonly" | tr -d '\r' - } >> $krill_config_location + # Add admin user + docker exec -i "$krill_container_name" bash -c "script -q -c 'krillc config user --id \"admin@ethz.ch\" -a \"role=admin\"' /dev/null" <<< "${admin_passwd}" | grep "admin" | tr -d '\r' + + # Add readonly user + docker exec -i "$krill_container_name" bash -c "script -q -c 'krillc config user --id \"readonly@ethz.ch\" -a \"role=readonly\"' /dev/null" <<< "${readonly_passwd}" | grep "readonly" | tr -d '\r' + } >> "$krill_config_location" fi done 
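Review bot: Wrapping `krillc config user` in `script -q -c '...' /dev/null` on the two new `docker exec` lines hides the command's exit status: `script` exits 0 whatever the wrapped command returned unless it is given `-e`/`--return`, and the pipeline's status is then `grep`'s anyway, so a failed user creation (changed prompt, bad password file, changed CLI) leaves an incomplete krill.conf with no error. Passing `script -q -e -c ...` and checking `${PIPESTATUS[0]}` (or running under `set -o pipefail`) inside the `{ ... } >> "$krill_config_location"` group would surface the failure. Supplying the password via `<<< "${admin_passwd}"` rather than as an argument is the right choice since it keeps the secret out of the process list; whether the pty created by `script` echoes the input before krillc disables echo I cannot tell from here, so it is worth confirming once that only the expected user line survives `grep "admin"`. Since the same `docker exec -i ... bash -c "script -q -c 'krillc config user ...'"` invocation now appears three times (twice here, once in the next hunk), a small helper such as `add_krill_user <container> <id> <passwd> <attr>...` would keep the nested quoting in one place.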
@@ -127,8 +128,7 @@ for ((k = 0; k < group_numbers; k++)); do passwd=$(awk "\$1 == \"${group_number}\" { print \$0 }" "${DIRECTORY}/groups/passwords.txt" | cut -f 2 -d ' ') { # Emulate a fake tty because krillc only reads input from a tty but not STDIN. - echo "${passwd}" | docker exec -i $krill_container_name krillc config user --id "group${group_number}@ethz.ch" \ - -a "role=readwrite" -a "inc_cas=group${group_number}" | grep "group${group_number}" | tr -d '\r' + docker exec -i "$krill_container_name" bash -c "script -q -c 'krillc config user --id \"group${group_number}@ethz.ch\" -a \"role=readwrite\" -a \"inc_cas=group${group_number}\"' /dev/null" <<< "${passwd}" | grep "group${group_number}" | tr -d '\r' } >> $krill_config_location if [ "$group_config" == "Config" ]; then From 22373e6b5f187fa4e79805c74e763ae6ffde5d9b Mon Sep 17 00:00:00 2001 From: Christoff Visser Date: Tue, 3 Dec 2024 11:37:23 +0900 Subject: [PATCH 3/4] Update routinator to 0.14.0 and remove platform specific build commands --- platform/docker_images/routinator/Dockerfile | 15 ++++++++------- platform/docker_images/routinator/routinator.conf | 3 ++- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/platform/docker_images/routinator/Dockerfile b/platform/docker_images/routinator/Dockerfile index 15a36a41..fb51cc05 100644 --- a/platform/docker_images/routinator/Dockerfile +++ b/platform/docker_images/routinator/Dockerfile 
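Review bot: The line `} >> $krill_config_location` stays unquoted here although the previous hunk quoted the same redirection as `} >> "$krill_config_location"`; quote it the same way. Likewise `passwd=$(awk "\$1 == \"${group_number}\" { print \$0 }" ... | cut -f 2 -d ' ')` still builds the awk program by interpolating a shell value into it while the previous hunk switched to a single-quoted program; `passwd=$(awk -v g="${group_number}" '$1 == g { print $2 }' "${DIRECTORY}/groups/passwords.txt")` matches that style and keeps the shell value out of the awk source. The `for` loop this hunk belongs to starts outside it.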
@@ -1,23 +1,24 @@ # -- stage 1: build static routinator with musl libc for alpine -FROM d_base:latest as build +FROM d_base:latest AS build # Specify what version of routinator should be built. -ARG ROUTINATOR_VERSION=0.10.2 +ARG ROUTINATOR_VERSION=0.14.0 RUN apk add wget openssl-dev rust cargo WORKDIR /tmp/routinator RUN wget "https://github.com/NLnetLabs/routinator/archive/refs/tags/v${ROUTINATOR_VERSION}.tar.gz" -O - | tar -xz --strip-components=1 -RUN cargo build \ - --target x86_64-alpine-linux-musl \ + +RUN CARGO_HTTP_MULTIPLEXING=false cargo install \ --features socks,native-tls \ - --release \ - --locked + --locked \ + --path . \ + --root /tmp/out/ # -- stage 2: create image with the static routinator executable FROM d_base_supervisor:latest -COPY --from=build /tmp/routinator/target/x86_64-alpine-linux-musl/release/routinator /usr/local/bin/ +COPY --from=build /tmp/out/bin/* /usr/local/bin/ # Install rsync and ca-certificates as routinator depends on it # Use Tini to ensure that Routinator responds to CTRL-C when run in the diff --git a/platform/docker_images/routinator/routinator.conf b/platform/docker_images/routinator/routinator.conf index 4560cafd..92f6e9c0 100644 --- a/platform/docker_images/routinator/routinator.conf +++ b/platform/docker_images/routinator/routinator.conf @@ -22,7 +22,8 @@ stale = "reject" strict = false syslog-facility = "daemon" systemd-listen = false -tal-dir = "/root/.rpki-cache/tals" +extra-tals-dir = "/root/.rpki-cache/tals" unknown-objects = "warn" unsafe-vrps = "warn" validation-threads = 1 +no-rir-tals = true \ No newline at end of file From b9b8a05a8d6d1c6257e356a8c2de17b44df3d195 Mon Sep 17 00:00:00 2001 From: Christoff Visser Date: Tue, 3 Dec 2024 13:09:20 +0900 Subject: [PATCH 4/4] Add optional multithreading for building images --- platform/docker_images/krill/Dockerfile | 2 ++ platform/docker_images/routinator/Dockerfile | 2 ++ 2 files changed, 4 insertions(+) 
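Review bot: The new `no-rir-tals = true` together with `extra-tals-dir = "/root/.rpki-cache/tals"` has no comment saying why a validator is told to ignore the RIR trust anchors, and in a later edit that reads as a mistake rather than intent. A comment above the pair such as `# Trust only the TALs shipped in extra-tals-dir; the RIR TALs are deliberately not loaded` records the decision (adjust the wording if the reason is different, e.g. the emulated environment having no path to the real RIRs). The file also still ends without a trailing newline after `no-rir-tals = true`, as the `\ No newline at end of file` marker shows.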
diff --git a/platform/docker_images/krill/Dockerfile b/platform/docker_images/krill/Dockerfile index e6afb7f1..fa2cdd5f 100644 --- a/platform/docker_images/krill/Dockerfile +++ b/platform/docker_images/krill/Dockerfile @@ -3,6 +3,7 @@ FROM d_base:latest AS build # Specify what version of krill should be built. ARG KRILL_VERSION=0.14.5 +ARG BUILD_THREADS=2 RUN apk add wget openssl-dev patch rust cargo @@ -11,6 +12,7 @@ WORKDIR /tmp/krill RUN wget "https://github.com/NLnetLabs/krill/archive/refs/tags/v${KRILL_VERSION}.tar.gz" -O - | tar -xz --strip-components=1 # Build krill based on the krill's docker image build instructions RUN CARGO_HTTP_MULTIPLEXING=false cargo install \ + --jobs ${BUILD_THREADS} \ --locked \ --features multi-user \ --path . \ diff --git a/platform/docker_images/routinator/Dockerfile b/platform/docker_images/routinator/Dockerfile index fb51cc05..20f7774b 100644 --- a/platform/docker_images/routinator/Dockerfile +++ b/platform/docker_images/routinator/Dockerfile @@ -3,6 +3,7 @@ FROM d_base:latest AS build # Specify what version of routinator should be built. ARG ROUTINATOR_VERSION=0.14.0 +ARG BUILD_THREADS=2 RUN apk add wget openssl-dev rust cargo @@ -11,6 +12,7 @@ WORKDIR /tmp/routinator RUN wget "https://github.com/NLnetLabs/routinator/archive/refs/tags/v${ROUTINATOR_VERSION}.tar.gz" -O - | tar -xz --strip-components=1 RUN CARGO_HTTP_MULTIPLEXING=false cargo install \ + --jobs ${BUILD_THREADS} \ --features socks,native-tls \ --locked \ --path . \
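Review bot: `ARG BUILD_THREADS=2` is introduced in both Dockerfiles without a comment, and its default is a bare number; a line above it such as `# Parallel cargo jobs for the build stage; override with --build-arg BUILD_THREADS=<n>` documents the knob and how to change it without editing the file. Nothing in the runtime image depends on the value, since it only feeds `--jobs ${BUILD_THREADS}` in the build stage, so the comment can also say it is purely a build-host sizing choice. The krill and routinator hunks are identical, so the same comment applies to both.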