-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | packaging/docker/README | 31 | ||||
-rw-r--r-- | packaging/docker/base-debian:jessie/Dockerfile | 4 | ||||
-rwxr-xr-x | packaging/docker/build-from-source.sh | 5 | ||||
-rw-r--r-- | packaging/docker/catlfish-dev/Dockerfile | 83 | ||||
-rwxr-xr-x | packaging/docker/catlfish-dev/merge.sh | 28 | ||||
-rwxr-xr-x | packaging/docker/catlfish-dev/start.sh | 32 | ||||
-rw-r--r-- | packaging/docker/erlang/Dockerfile | 14 | ||||
-rw-r--r-- | packaging/docker/onion/Dockerfile | 11 | ||||
-rw-r--r-- | packaging/docker/onion/start.sh | 20 | ||||
-rw-r--r-- | tools/certtools.py | 7 | ||||
-rwxr-xr-x | tools/check-sth.py | 2 | ||||
-rwxr-xr-x | tools/merge.py | 6 |
13 files changed, 14 insertions, 231 deletions
@@ -48,7 +48,7 @@ tests-prepare:
 mv $(INSTDIR)/tests/privatekeys/merge-1.pem $(INSTDIR)/tests/publickeys/
 -test -x $(SOFTHSM) && $(SOFTHSM) --init-token --slot=0 --label=mylabel --so-pin=ffff --pin=ffff
 -test -x $(SOFTHSM) && $(SOFTHSM) --import $(INSTDIR)/tests/keys/logkey-private.pkcs8 --slot 0 --label mylabel --pin ffff --id 00
- rm $(INSTDIR)/cur-sth.json
+ rm -f $(INSTDIR)/cur-sth.json
 tests-start:
 @for node in $(NODES); do \
diff --git a/packaging/docker/README b/packaging/docker/README
deleted file mode 100644
index 147fa41..0000000
--- a/packaging/docker/README
+++ /dev/null
@@ -1,31 +0,0 @@
-Information about creating a docker image for running catlfish from a
-binary release or with catlfish built from source.
-
-
-Requirements
-------------
-
-- lack of expectations regarding security -- docker doesn't verify
-downloaded images
-- a 64-bit Linux system
-- lxc-docker version 1.3 or later
-
-
-Building an image
------------------
-
-Run build-from-release.sh or build-from-source.sh to build a docker
-image with catlfish. Note that you will have to cd into this
-directory, catlfish/packaging/docker, in order for docker to find the
-appropriate docker files.
-
-
-Running it
----------
-
-Run the resulting image in interactive mode.
-
- $ docker run -it --rm catlfish /bin/bash
-
-See catlfish/examples/docker-single-node/README for an example of how
-to set up a single node catlfish instance.
diff --git a/packaging/docker/base-debian:jessie/Dockerfile b/packaging/docker/base-debian:jessie/Dockerfile
deleted file mode 100644
index 864c239..0000000
--- a/packaging/docker/base-debian:jessie/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM debian:jessie
-RUN apt-get update
-RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
-RUN apt-get -y -q upgrade
diff --git a/packaging/docker/build-from-source.sh b/packaging/docker/build-from-source.sh
deleted file mode 100755
index 2b47222..0000000
--- a/packaging/docker/build-from-source.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#! /bin/sh
-
-docker build -t base base-debian:jessie
-docker build -t erlang erlang
-docker build -t catlfish catlfish-dev
diff --git a/packaging/docker/catlfish-dev/Dockerfile b/packaging/docker/catlfish-dev/Dockerfile
deleted file mode 100644
index ba90e7b..0000000
--- a/packaging/docker/catlfish-dev/Dockerfile
+++ /dev/null
@@ -1,83 +0,0 @@
-# Catlfish expects to find its configuration in
-# /usr/local/etc/catlfish/catlfish.config so mounting
-# /usr/local/etc/catlfish is recommended. This can be done using the
-# `-v' flag to `docker run'.
-#
-# NOTE: The directory on the host system that's mounted at
-# /var/db/catlfish in the container has to be writable by a host
-# user with uid 147.
-#
-# Example, running a frontend node:
-# $ docker run -v /etc/catlfish:/usr/local/etc/catlfish:ro catlfish
-# frontend /usr/local/catlfish
-#
-# Example, running a merge node:
-# $ docker run -v /etc/catlfish:/usr/local/etc/catlfish:ro catlfish
-# merge /usr/local/catlfish /var/db/catlfish-merge
-
-FROM erlang
-RUN apt-get update
-RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
-
-# For building. g++ and OpenSSL is for SoftHSMv2.
-RUN apt-get -y -q install gcc git make curl g++ libssl-dev
-
-# For merge.
-RUN apt-get -y -q install git python-ecdsa python-yaml
-
-# Build all dependencies.
-
-WORKDIR /usr/local/src
-RUN curl https://www.ct.nordu.net/dist/mochiweb-v2.12.2.tar.gz | tar xzf -
-RUN ln -s mochiweb-2.12.2 mochiweb
-RUN make -C mochiweb
-
-WORKDIR /usr/local/src
-RUN curl https://www.ct.nordu.net/dist/lager-2.1.1.tar.gz | tar xzf -
-RUN ln -s lager-2.1.1 lager
-RUN mkdir lager/deps
-RUN curl https://www.ct.nordu.net/dist/goldrush-0.1.6.tar.gz | tar xzf - -C lager/deps && ln -s goldrush-0.1.6 lager/deps/goldrush
-RUN make -C lager
-
-WORKDIR /usr/local/src
-RUN curl https://www.ct.nordu.net/dist/hackney-1.1.0.tar.gz | tar xzf -
-RUN ln -s hackney-1.1.0 hackney
-RUN mkdir hackney/deps
-RUN curl https://www.ct.nordu.net/dist/erlang-idna-1.0.2.tar.gz | tar xzf - -C hackney/deps && ln -s erlang-idna-1.0.2 hackney/deps/idna
-RUN curl https://www.ct.nordu.net/dist/ssl_verify_hostname-1.0.4.tar.gz | tar xzf - -C hackney/deps && ln -s ssl_verify_hostname-1.0.4 hackney/deps/ssl_verify_hostname
-RUN make -C hackney REBAR=../lager/rebar
-
-WORKDIR /usr/local/src
-RUN curl https://www.ct.nordu.net/dist/SoftHSMv2-2.0.0b3-ndn1.tar.gz | tar xzf -
-WORKDIR /usr/local/src/SoftHSMv2-2.0.0b3
-RUN ./configure --prefix=/usr/local && make all install
-ADD softhsm2.conf /usr/local/etc/
-
-# Build plop and catlfish.
-WORKDIR /usr/local/src
-RUN git clone https://git.nordu.net/plop.git
-RUN make -C plop
-
-WORKDIR /usr/local/src
-RUN git clone https://git.nordu.net/catlfish.git
-RUN make -C catlfish PREFIX=/usr/local all release
-
-# Config dir is mounted from host using `-v' to 'docker run'.
-VOLUME /usr/local/etc/catlfish
-
-# Create a catlfish user.
-RUN groupadd --gid 147 catlfish
-RUN useradd --uid 147 --gid 147 catlfish
-
-# Working has to be where catlfish.config is. We want to run in
-# /var/run/catlfish and not in /usr/local/etc/catlfish, so symlink.
-RUN mkdir /var/run/catlfish
-WORKDIR /var/run/catlfish
-RUN mkdir erlang_log sasl_log merge_log
-RUN chown -R catlfish:catlfish /var/run/catlfish
-RUN ln -s /usr/local/etc/catlfish/catlfish.config /var/run/catlfish/
-
-ADD merge.sh /usr/local/catlfish/
-ADD start.sh /var/run/catlfish/
-USER catlfish
-ENTRYPOINT ["/var/run/catlfish/start.sh"]
diff --git a/packaging/docker/catlfish-dev/merge.sh b/packaging/docker/catlfish-dev/merge.sh
deleted file mode 100755
index 40f623c..0000000
--- a/packaging/docker/catlfish-dev/merge.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-
-# Default intervals
-# - 5m before first merge
-# - 20m between subsequent merges
-S1=300; [ -n "$1" ] && S1=$1
-S2=1200; [ -n "$2" ] && S2=$2
-
-DBDIR="$3"
-
-[ -d $DBDIR ] || mkdir $DBDIR
-[ -d $DBDIR/chains ] || mkdir $DBDIR/chains
-[ -e $DBDIR/logorder ] || touch $DBDIR/logorder
-
-date
-echo "merge: waiting $(expr $S1 / 60)m$(expr $S1 % 60)s before merging for the first time"
-sleep $S1
-
-while true; do
- echo "$0: merging"
- date
- python /usr/local/src/catlfish/tools/merge.py \
- --config /usr/local/etc/catlfish/system.cfg \
- --localconfig /usr/local/etc/catlfish/merge.cfg
- date
- echo "merge: waiting $(expr $S2 / 60)m$(expr $S2 % 60)s before merging again"
- sleep $S2
-done
diff --git a/packaging/docker/catlfish-dev/start.sh b/packaging/docker/catlfish-dev/start.sh
deleted file mode 100755
index c232f47..0000000
--- a/packaging/docker/catlfish-dev/start.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#! /bin/sh
-
-role=$1; [ -n "$1" ] && shift
-database=$1; [ -n "$1" ] && shift
-erlbase=$1; [ -n "$1" ] && shift
-
-# Set sane defaults.
-[ -z "$database" ] && database=/var/db/catlfish-merge
-[ -z "$erlbase" ] && erlbase=/usr/local/catlfish
-
-case $role in
- frontend|storage|signing)
- $erlbase/bin/run_erl \
- /var/run/catlfish/ \
- /var/run/catlfish/erlang_log/ \
- "exec $erlbase/bin/erl -config catlfish"
- ;;
- merge)
- # Catlfish version is included in filename of archive and
- # filename in that archive. Example: lib/catlfish-0.6.0.ez
- # contains catlfish-0.6.0.
- ver=$(ls $erlbase/lib/catlfish-*.ez | sed 's/.*catlfish-\(.*\)\.ez/\1/1')
- ERL_LIBS=$erlbase/lib/catlfish-${ver}.ez/catlfish-${ver}
- ERL_LIBS=$ERL_LIBS:$erlbase/lib/lager-2.1.1.ez/lager-2.1.1
- export ERL_LIBS
-
- $erlbase/merge.sh 60 3600 $database > merge_log/stdout 2> merge_log/stderr
- ;;
- *)
- echo "catlfish: unknown role: $role"
- ;;
-esac
diff --git a/packaging/docker/erlang/Dockerfile b/packaging/docker/erlang/Dockerfile
deleted file mode 100644
index 531064d..0000000
--- a/packaging/docker/erlang/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM base
-RUN apt-get update
-RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
-RUN apt-get -y -q install \
- erlang-base \
- erlang-crypto \
- erlang-dev \
- erlang-eunit \
- erlang-inets \
- erlang-public-key \
- erlang-reltool \
- erlang-runtime-tools \
- erlang-ssl \
- erlang-xmerl
diff --git a/packaging/docker/onion/Dockerfile b/packaging/docker/onion/Dockerfile
deleted file mode 100644
index c1cadcd..0000000
--- a/packaging/docker/onion/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM debian:jessie
-RUN apt-get update
-RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
-RUN apt-get -y -q install tor
-RUN systemctl disable tor
-ADD start.sh /start.sh
-RUN chmod a+rx /start.sh
-VOLUME /etc/tor
-VOLUME /var/lib/tor/hs
-RUN chown -R debian-tor:debian-tor /var/lib/tor/hs
-ENTRYPOINT ["/start.sh"]
diff --git a/packaging/docker/onion/start.sh b/packaging/docker/onion/start.sh
deleted file mode 100644
index dce48af..0000000
--- a/packaging/docker/onion/start.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#! /bin/sh
-
-# BACKEND_PORT is set by `docker run --link BACKEND:foo' on the form
-# tcp://<ip>:<port>. See https://docs.docker.com/userguide/dockerlinks/.
-
-if [ -n "${HSPORT}" ]; then
- HSPORT=80 # Default localhost:80 -> .onion:80
- if [ -n "${BACKEND_PORT}" ]; then
- HSPORT="80 "$(echo ${BACKEND_PORT} | sed 's|^.*://||1')
- fi
-fi
-
-if ! [ -e /etc/tor/torrc ]; then
- echo "SocksPort 0" >> /etc/tor/torrc
- echo "DataDirectory /var/lib/tor" >> /etc/tor/torrc
- echo "HiddenServiceDir /var/lib/tor/hs" >> /etc/tor/torrc
- echo "HiddenServicePort ${HSPORT}" >> /etc/tor/torrc
-fi
-
-/usr/bin/tor -f /etc/tor/torrc --user debian-tor
diff --git a/tools/certtools.py b/tools/certtools.py
index 3a1e582..045bc55 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -261,7 +261,12 @@ def encode_signature(hash_alg, signature_alg, unpacked_signature):
 def check_signature(baseurl, signature, data, publickey=None):
 if publickey == None:
- publickey = base64.decodestring(publickeys[baseurl])
+ if baseurl in publickeys:
+ publickey = base64.decodestring(publickeys[baseurl])
+ else:
+ print >>sys.stderr, "Public key for", baseurl, \
+ "not found, specify key file with --publickey"
+ sys.exit(1)
 (hash_alg, signature_alg, unpacked_signature) = decode_signature(signature)
 assert hash_alg == 4, \
 "hash_alg is %d, expected 4" % (hash_alg,) # sha256
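Review bot: The new else branch in check_signature calls `sys.exit(1)` from inside a library helper, so a caller that imports certtools (check-sth.py in this same commit, or any other tool) cannot catch the missing-key case or report it in its own way, and the message hard-codes a `--publickey` flag that belongs to one particular front-end. Raising instead keeps the decision with the caller, e.g. `raise KeyError("no built-in public key for %s" % baseurl)`, and the command-line tools can translate that into the `--publickey` hint. The branch also relies on `sys` being imported in this module, which the hunk does not show; worth confirming. A one-line comment above the lookup, such as `# No key file given: the built-in publickeys table is the trust anchor for this baseurl`, would make the fallback explicit for readers. check_signature continues past the end of the hunk.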
diff --git a/tools/check-sth.py b/tools/check-sth.py
index 0cdc031..dacd8e6 100755
--- a/tools/check-sth.py
+++ b/tools/check-sth.py
@@ -26,8 +26,8 @@ parser.add_argument('--cur-sth', metavar='file', default=DEFAULT_CUR_FILE, help="File containing current STH (default=%s)" % DEFAULT_CUR_FILE)
-parser.add_argument('publickey', help='File containing the public key for the CT log')
 parser.add_argument('baseurl', help="Base URL for CT log")
+parser.add_argument('--publickey', default=None, metavar='file', help='Public key for the CT log')
 parser.add_argument('--cafile', default=None, metavar='file', help='File containing the CA cert')
 parser.add_argument('--allow-lag', action='store_true', help='Allow node to lag behind previous STH')
 parser.add_argument('--quiet-ok', action='store_true', help="Don't print status if OK")
diff --git a/tools/merge.py b/tools/merge.py
index b426039..8766491 100755
--- a/tools/merge.py
+++ b/tools/merge.py
@@ -73,6 +73,11 @@ def add_to_logorder(key):
 f.write(base64.b16encode(key) + "\n")
 f.close()
+def fsync_logorder():
+ f = open(logorderfile, "a")
+ os.fsync(f.fileno())
+ f.close()
+
 def get_new_entries(node, baseurl):
 try:
 result = http_request(baseurl + "ct/storage/fetchnewentries", key=own_key, verifynode=node, publickeydir=paths["publickeys"])
@@ -228,6 +233,7 @@ for storagenode in storagenodes:
 logorder.append(hash)
 certsinlog.add(hash)
 added_entries += 1
+fsync_logorder()
 timing_point(timing, "add entries")
 print "added", added_entries, "entries" |
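Review bot: The help text of the new `--publickey` option drops the information that the value is a file path (the replaced positional said "File containing", and `metavar='file'` still implies it) and says nothing about what is used when the option is omitted, which after this commit is the built-in key table looked up by baseurl in certtools.check_signature, with the tool exiting if no entry exists. Suggest `help='File containing the public key for the CT log (default: built-in key for baseurl)'`. Since the positional argument is gone, existing invocations of the form `check-sth.py KEYFILE URL` will now be rejected by argparse as an unrecognized argument, so any scripts or documentation that call the tool need the same update.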
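Review bot: fsync_logorder leaks the file object when `os.fsync` raises, because `f.close()` is only reached on success; `with open(logorderfile, "a") as f: os.fsync(f.fileno())` (available since Python 2.6) closes it on every path and is shorter. The function also has no docstring explaining why it opens a fresh handle just to sync it — presumably because add_to_logorder closes its own handle after each write, so this is the point at which those writes are made durable before the "add entries" timing point; a docstring such as `"""Flush logorder to stable storage; entries appended by add_to_logorder are only durable after this."""` would record that intent. The hunk does not show `os` being imported in merge.py, so that is worth confirming, and the call site in the second hunk sits after the loop over storagenodes, whose start lies outside the hunk.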