authorLinus Nordberg <linus@nordberg.se>2015-05-26 15:18:54 +0200
committerLinus Nordberg <linus@nordberg.se>2015-05-26 15:18:54 +0200
commita8126b37d4ef973092c1adf4d8238509de21542b (patch)
tree3c3ba32ac71e3df7c3744e3ac84a21be3ec344b2
Initial commit.
-rw-r--r--Makefile5
-rw-r--r--README54
-rw-r--r--base-debian:jessie/Dockerfile4
-rwxr-xr-xbuild-from-release.sh3
-rwxr-xr-xbuild-from-source.sh5
-rw-r--r--catlfish-dev/Dockerfile89
-rwxr-xr-xcatlfish-dev/merge.sh32
-rw-r--r--catlfish-dev/softhsm2.conf3
-rwxr-xr-xcatlfish-dev/start.sh45
-rw-r--r--catlfish-rel/Dockerfile16
-rw-r--r--catlfish-rel/supervisord.conf5
-rw-r--r--erlang/Dockerfile14
-rw-r--r--onion/Dockerfile11
-rw-r--r--onion/start.sh20
14 files changed, 306 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..187cc40
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,5 @@
+catlfish-dev:
+ docker build --no-cache --rm -t catlfish-dev:latest catlfish-dev
+
+catlfish:
+ FIXME
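Review bot: The `catlfish` target's recipe is the bare word `FIXME`, so `make catlfish` (the release build the README documents) runs `FIXME` as a shell command and fails with "command not found" rather than building anything. build-from-release.sh in this same commit already holds the intended command, so the recipe could simply be `docker build -t catlfish catlfish-rel` until the release image is finished, or the README should stop advertising the target.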
diff --git a/README b/README
new file mode 100644
index 0000000..368a8a8
--- /dev/null
+++ b/README
@@ -0,0 +1,54 @@
+Information about creating a docker image for running catlfish from a
+binary release or with catlfish built from source.
+
+
+Requirements
+------------
+
+- lack of expectations regarding security -- docker doesn't verify
+ downloaded images
+- a 64-bit Linux system
+- lxc-docker version 1.3 or later
+
+
+Building an image
+-----------------
+
+ $ make catlfish-dev # development image
+
+or
+
+ $ make catlfish # release image
+
+
+Configuring a log
+-----------------
+
+XXX create CA and certs; create logkey (possibly in softhsm); create
+XXX auth keys; run compileconfig.py for each node
+
+
+Running
+-------
+
+Example:
+
+ $ docker run -d --name mylog-signing \
+ -v $(pwd)/signing:/usr/local/etc/catlfish:ro \
+ -p $SIGNING_IP:8288:8288 \
+ catlfish mylog signing mylog-signing
+ $ docker run -d --name mylog-storage \
+ -v $(pwd)/storage:/usr/local/etc/catlfish:ro \
+ -p $STORAGE_IP:8081:8081 \
+ catlfish mylog storage mylog-storage
+ $ docker run -d --name mylog-frontend \
+ -v $(pwd)/frontend:/usr/local/etc/catlfish:ro \
+ -v /path/to/dbdir:/var/local/db/catlfish
+ -p $FRONTEND_IP:8080:8080 \
+ -p $FRONTEND_IP:8082:8082 \
+ catlfish mylog frontend mylog-frontend
+ $ docker run -d --name mylog-merge \
+ -e MERGE_DB_DIR=/var/local/db/catlfish-merge
+ -v $(pwd)/merge:/usr/local/etc/catlfish:ro \
+ -v /path/to/merge-dbdir:/var/local/db/catlfish-merge
+ catlfish mylog merge mylog-merge
diff --git a/base-debian:jessie/Dockerfile b/base-debian:jessie/Dockerfile
new file mode 100644
index 0000000..864c239
--- /dev/null
+++ b/base-debian:jessie/Dockerfile
@@ -0,0 +1,4 @@
+FROM debian:jessie
+RUN apt-get update
+RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
+RUN apt-get -y -q upgrade
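Review bot: `apt-get update` sits in its own layer on line 104, so once that layer is cached a rebuild installs or upgrades from a stale package index while believing it is current; `update` should be chained into the same `RUN` as the `install`/`upgrade` that consumes it, followed by `rm -rf /var/lib/apt/lists/*` to keep the index out of the image. The debconf frontend selection on line 105 also comes after the `update`, which is harmless here but reads as if it were meant to precede the apt work. The same split-layer pattern recurs in erlang/Dockerfile, catlfish-dev/Dockerfile, catlfish-rel/Dockerfile and onion/Dockerfile in this commit; a single chained `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y -q upgrade && rm -rf /var/lib/apt/lists/*` in each would address it. The blanket `upgrade` makes the image contents depend on build time; pinning the base tag or digest would give a reproducible base instead.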
diff --git a/build-from-release.sh b/build-from-release.sh
new file mode 100755
index 0000000..87218c2
--- /dev/null
+++ b/build-from-release.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+docker build -t catlfish catlfish-rel
diff --git a/build-from-source.sh b/build-from-source.sh
new file mode 100755
index 0000000..2b47222
--- /dev/null
+++ b/build-from-source.sh
@@ -0,0 +1,5 @@
+#! /bin/sh
+
+docker build -t base base-debian:jessie
+docker build -t erlang erlang
+docker build -t catlfish catlfish-dev
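Review bot: The three `docker build` steps are sequential dependencies (erlang is built `FROM base`, catlfish-dev `FROM erlang`) but the script has no `set -e`, so a failed base or erlang build is ignored and the next step silently builds on whatever stale `base`/`erlang` tag already exists on the host. Adding `set -e` after the shebang makes the script stop at the first failed build.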
diff --git a/catlfish-dev/Dockerfile b/catlfish-dev/Dockerfile
new file mode 100644
index 0000000..e9080c4
--- /dev/null
+++ b/catlfish-dev/Dockerfile
@@ -0,0 +1,89 @@
+# Catlfish expects to find a large part of its configuration in
+# /usr/local/etc/catlfish/, so mounting that directory is
+# recommended. This can be achieved by using the `-v' flag to `docker
+# run'.
+
+# NOTE: The directory in the _host_ system that's mounted at
+# /var/db/catlfish in the container has to be writable by a _host_
+# user with uid 147.
+
+# Example, running a frontend node named frontend-1:
+# $ docker run \
+# -v /etc/catlfish:/usr/local/etc/catlfish:ro \
+# -v /var/local/db/catlfish:/db/catlfish \
+# -p 8080:8080 -p 8082:8082 \
+# catlfish:latest frontend frontend-1
+#
+# Example, running a merge node named merge-1:
+# $ docker run \
+# -e MERGE_DB_DIR=/db/catlfish-merge \
+# -v /etc/catlfish:/usr/local/etc/catlfish:ro \
+# -v /var/local/db/catlfish-merge:/db/catlfish-merge \
+# catlfish merge merge-1
+
+FROM erlang
+RUN apt-get update
+RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
+
+# For building. g++ and OpenSSL is for SoftHSMv2.
+RUN apt-get -y -q install gcc git make curl g++ libssl-dev
+
+# For merge.
+RUN apt-get -y -q install git python-ecdsa python-yaml
+
+# Build all dependencies.
+
+WORKDIR /usr/local/src
+RUN curl https://www.ct.nordu.net/dist/mochiweb-v2.12.2.tar.gz | tar xzf -
+RUN ln -s mochiweb-2.12.2 mochiweb
+RUN make -C mochiweb
+
+WORKDIR /usr/local/src
+RUN curl https://www.ct.nordu.net/dist/lager-2.1.1.tar.gz | tar xzf -
+RUN ln -s lager-2.1.1 lager
+RUN mkdir lager/deps
+RUN curl https://www.ct.nordu.net/dist/goldrush-0.1.6.tar.gz | tar xzf - -C lager/deps && ln -s goldrush-0.1.6 lager/deps/goldrush
+RUN make -C lager
+
+WORKDIR /usr/local/src
+RUN curl https://www.ct.nordu.net/dist/hackney-1.1.0.tar.gz | tar xzf -
+RUN ln -s hackney-1.1.0 hackney
+RUN mkdir hackney/deps
+RUN curl https://www.ct.nordu.net/dist/erlang-idna-1.0.2.tar.gz | tar xzf - -C hackney/deps && ln -s erlang-idna-1.0.2 hackney/deps/idna
+RUN curl https://www.ct.nordu.net/dist/ssl_verify_hostname-1.0.4.tar.gz | tar xzf - -C hackney/deps && ln -s ssl_verify_hostname-1.0.4 hackney/deps/ssl_verify_hostname
+RUN make -C hackney REBAR=../lager/rebar
+
+WORKDIR /usr/local/src
+RUN curl https://www.ct.nordu.net/dist/SoftHSMv2-2.0.0b3-ndn1.tar.gz | tar xzf -
+WORKDIR /usr/local/src/SoftHSMv2-2.0.0b3
+RUN ./configure --prefix=/usr/local && make all install
+ADD softhsm2.conf /usr/local/etc/
+
+# Build plop and catlfish.
+WORKDIR /usr/local/src
+RUN git clone https://git.nordu.net/plop.git
+RUN make -C plop
+
+WORKDIR /usr/local/src
+RUN git clone https://git.nordu.net/catlfish.git
+RUN make -C catlfish PREFIX=/usr/local all release
+
+# Config dir is mounted from host using `-v' to 'docker run'.
+VOLUME /usr/local/etc/catlfish
+
+# Create a catlfish user.
+RUN groupadd --gid 147 catlfish
+RUN useradd --uid 147 --gid 147 catlfish
+
+# Working has to be where catlfish.config is. We want to run in
+# /var/run/catlfish and not in /usr/local/etc/catlfish, so symlink.
+RUN mkdir /var/run/catlfish
+WORKDIR /var/run/catlfish
+RUN mkdir erlang_log sasl_log merge_log
+RUN chown -R catlfish:catlfish /var/run/catlfish
+RUN ln -s /usr/local/etc/catlfish/catlfish.config /var/run/catlfish/
+
+ADD merge.sh /usr/local/catlfish/
+ADD start.sh /var/run/catlfish/
+USER catlfish
+ENTRYPOINT ["/var/run/catlfish/start.sh"]
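Review bot: Every dependency fetch on lines 169, 174, 177, 181, 184, 185 and 189 is `curl <url> | tar xzf -` with no `-f`, so an HTTP error page is piped into tar and, because the `RUN` shell has no `pipefail`, a curl failure is masked as long as tar exits zero; nothing verifies what was downloaded either, so the build trusts whatever the server returns. At minimum use `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` and `curl -fsSL`, and ideally download each archive, check it against a known digest (`echo "<expected-sha256>  file.tar.gz" | sha256sum -c`), then extract. The `git clone` steps on lines 196 and 200 have the same reproducibility gap since no commit or tag is pinned. Separately, `ADD` on lines 192, 218 and 219 copies plain local files and should be `COPY`, and the `NOTE` comment on lines 138-140 names `/var/db/catlfish` while the shipped start.sh defaults to `/var/db/catlfish-merge`; one of the two looks out of date.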
diff --git a/catlfish-dev/merge.sh b/catlfish-dev/merge.sh
new file mode 100755
index 0000000..9ca4d69
--- /dev/null
+++ b/catlfish-dev/merge.sh
@@ -0,0 +1,32 @@
+#! /bin/sh
+
+LOGNAME=$1
+NODENAME=$3
+
+[ -z "$NODENAME" ] && NODENAME=merge
+[ -z "$LOGNAME" ] && LOGNAME=catlfish
+[ -z "$MERGE_DB_DIR" ] && MERGE_DB_DIR=merge-db
+[ -z "$MERGE_INTERVAL_FIRST" ] && MERGE_INTERVAL_FIRST=60
+[ -z "$MERGE_INTERVAL_FREQ" ] && MERGE_INTERVAL_FREQ=3600
+
+[ -d $MERGE_DB_DIR ] || mkdir $MERGE_DB_DIR
+[ -d $MERGE_DB_DIR/chains ] || mkdir $MERGE_DB_DIR/chains
+[ -e $MERGE_DB_DIR/logorder ] || touch $MERGE_DB_DIR/logorder
+
+S1=$MERGE_INTERVAL_FIRST
+S2=$MERGE_INTERVAL_FREQ
+
+date
+echo "merge: waiting $(expr $S1 / 60)m$(expr $S1 % 60)s before merging for the first time"
+sleep $S1
+
+while true; do
+ echo "$0: merging"
+ date
+ python /usr/local/src/catlfish/tools/merge.py \
+ --config /usr/local/etc/catlfish/${LOGNAME}.cfg \
+ --localconfig /usr/local/etc/catlfish/${NODENAME}.cfg
+ date
+ echo "merge: waiting $(expr $S2 / 60)m$(expr $S2 % 60)s before merging again"
+ sleep $S2
+done
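Review bot: `NODENAME=$3` on line 231 never receives a value in this commit, because start.sh invokes the script as `$erlbase/merge.sh $logname $nodename` with only two positional arguments, so the node name always falls back to `merge` and `--localconfig` always points at `merge.cfg` regardless of the name passed to the container. Unless a third argument is intended for some caller not in this commit, it should read `NODENAME=$2`. The `python ... merge.py` exit status on lines 253-255 is also discarded, so a failing merge is only visible in the log; logging a non-zero status (e.g. `|| echo "$0: merge failed with status $?" >&2`) would make the failure easier to detect. The `$MERGE_DB_DIR` expansions on lines 239-241 are unquoted, which breaks for paths containing whitespace.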
diff --git a/catlfish-dev/softhsm2.conf b/catlfish-dev/softhsm2.conf
new file mode 100644
index 0000000..02bc2d8
--- /dev/null
+++ b/catlfish-dev/softhsm2.conf
@@ -0,0 +1,3 @@
+directories.tokendir = /usr/local/etc/catlfish/softhsm/tokens/
+objectstore.backend = file
+log.level = INFO
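Review bot: `directories.tokendir` points under /usr/local/etc/catlfish, which the README and catlfish-dev/Dockerfile examples mount read-only with `:ro`; if SoftHSM needs to write to the token directory at runtime (I have not confirmed that for this version), signing key operations would fail under that mount. Either place the tokens in a separately mounted writable directory or document that the config mount must be writable when SoftHSM is used.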
diff --git a/catlfish-dev/start.sh b/catlfish-dev/start.sh
new file mode 100755
index 0000000..d673b9d
--- /dev/null
+++ b/catlfish-dev/start.sh
@@ -0,0 +1,45 @@
+#! /bin/sh
+
+logname=$1; [ -n "$1" ] && shift
+role=$1; [ -n "$1" ] && shift
+nodename=$1; [ -n "$1" ] && shift
+database=$CATLFISH_DB_DIR
+erlbase=$ERLANG_BASE_DIR
+
+# Use some reasonable default values.
+[ -z "$database" ] && database=/var/db/catlfish-merge
+[ -z "$erlbase" ] && erlbase=/usr/local/catlfish
+
+# We should probably grab this from the
+# $erlbase/lib/catlfish-$VERSION.ez (zip archive) instead of requiring
+# source code to be unpacked in the container.
+COMPILECONFIG=/usr/local/src/catlfish/tools/compileconfig.py
+
+case $role in
+ frontend|storage|signing)
+ $COMPILECONFIG --config ${logname}.cfg \
+ --localconfig ${nodename}.cfg;
+ $erlbase/bin/run_erl \
+ /var/run/catlfish/ \
+ /var/run/catlfish/erlang_log/ \
+ "exec $erlbase/bin/erl -config $nodename"
+ ;;
+ merge)
+ # Catlfish version is included in filename of archive and
+ # filename in that archive. Example: lib/catlfish-0.6.0.ez
+ # contains catlfish-0.6.0.
+ ver=$(ls $erlbase/lib/catlfish-*.ez | sed 's/.*catlfish-\(.*\)\.ez/\1/1')
+ ERL_LIBS=$erlbase/lib/catlfish-${ver}.ez/catlfish-${ver}
+ ERL_LIBS=$ERL_LIBS:$erlbase/lib/lager-2.1.1.ez/lager-2.1.1
+ export ERL_LIBS
+
+ export MERGE_INTERVAL_FIRST=60
+ export MERGE_INTERVAL_FREQ=3600
+ export MERGE_DB_DIR=$database
+
+ $erlbase/merge.sh $logname $nodename > merge_log/stdout 2> merge_log/stderr
+ ;;
+ *)
+ echo "catlfish: unknown role: $role"
+ ;;
+esac
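Review bot: An unknown role on lines 316-318 prints a message and then exits 0, so a typo in the `docker run` arguments yields a container that stops "successfully" and nothing restarts or alerts on it; it should be `echo "catlfish: unknown role: $role" >&2; exit 1`. Likewise the `$COMPILECONFIG` call on lines 294-295 is terminated with `;`, so `run_erl` starts even when config compilation failed; chaining it as `... --localconfig ${nodename}.cfg || exit 1` would abort instead of booting a node with a missing or stale config. The `database` default on line 284 (`/var/db/catlfish-merge`) differs from the `/var/db/catlfish` path the Dockerfile comments describe, which looks like one side is out of date.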
diff --git a/catlfish-rel/Dockerfile b/catlfish-rel/Dockerfile
new file mode 100644
index 0000000..07b3fe4
--- /dev/null
+++ b/catlfish-rel/Dockerfile
@@ -0,0 +1,16 @@
+FROM base
+RUN apt-get update
+RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
+RUN apt-get -y -q install gpg
+
+WORKDIR /tmp
+
+RUN curl -O https://www.ct.nordu.net/releases/catlfish-0.3.0.amd64.tar.xz.asc
+RUN curl -O https://www.ct.nordu.net/releases/catlfish-0.3.0.amd64.tar.xz
+RUN gpg --verify catlfish.tar.xz.asc catlfish.tar.xz || exit 1
+
+WORKDIR /var/run/catlfish
+ADD merge.sh /usr/local/catlfish/
+ADD start.sh /var/run/catlfish/
+USER catlfish
+ENTRYPOINT ["/var/run/catlfish/start.sh"]
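Review bot: The `gpg --verify` on line 335 names `catlfish.tar.xz.asc` and `catlfish.tar.xz`, but the files fetched on lines 333-334 are `catlfish-0.3.0.amd64.tar.xz.asc` and `catlfish-0.3.0.amd64.tar.xz`, so verification can never succeed (the `|| exit 1` is redundant since a failed `RUN` already aborts the build). Even with matching names, no signing public key is imported before `--verify`, so gpg has nothing to verify against; the release key needs to be added first (e.g. `COPY <release-key-file> ...` and `gpg --import`) and the signature checked against the actual filenames. The stage also never extracts or installs the tarball, references a `catlfish` user on line 340 that neither this stage nor `base` creates, and `ADD`s merge.sh and start.sh that the diffstat does not list under catlfish-rel, so the build cannot currently complete; this looks like work in progress and might be better left out until it builds.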
diff --git a/catlfish-rel/supervisord.conf b/catlfish-rel/supervisord.conf
new file mode 100644
index 0000000..c973bff
--- /dev/null
+++ b/catlfish-rel/supervisord.conf
@@ -0,0 +1,5 @@
+[supervisord]
+nodaemon=true
+
+[program:catlfish]
+command=/opt/catlfish/rel/bin/erl -config catlfish
diff --git a/erlang/Dockerfile b/erlang/Dockerfile
new file mode 100644
index 0000000..531064d
--- /dev/null
+++ b/erlang/Dockerfile
@@ -0,0 +1,14 @@
+FROM base
+RUN apt-get update
+RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
+RUN apt-get -y -q install \
+ erlang-base \
+ erlang-crypto \
+ erlang-dev \
+ erlang-eunit \
+ erlang-inets \
+ erlang-public-key \
+ erlang-reltool \
+ erlang-runtime-tools \
+ erlang-ssl \
+ erlang-xmerl
diff --git a/onion/Dockerfile b/onion/Dockerfile
new file mode 100644
index 0000000..c1cadcd
--- /dev/null
+++ b/onion/Dockerfile
@@ -0,0 +1,11 @@
+FROM debian:jessie
+RUN apt-get update
+RUN echo 'debconf debconf/frontend select noninteractive' | debconf-set-selections
+RUN apt-get -y -q install tor
+RUN systemctl disable tor
+ADD start.sh /start.sh
+RUN chmod a+rx /start.sh
+VOLUME /etc/tor
+VOLUME /var/lib/tor/hs
+RUN chown -R debian-tor:debian-tor /var/lib/tor/hs
+ENTRYPOINT ["/start.sh"]
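Review bot: `VOLUME /var/lib/tor/hs` on line 387 precedes the `chown -R debian-tor:debian-tor /var/lib/tor/hs` on line 388, and changes made to a volume path after its `VOLUME` declaration are discarded at build time, so the ownership fix does not reach the image and tor may refuse the hidden-service directory; move the `chown` above the `VOLUME` lines. `ADD start.sh /start.sh` on line 384 copies a plain local file and should be `COPY` (with `--chown`/`--chmod` replacing the follow-up `RUN chmod`). The `apt-get update` layering on lines 380-382 has the same issue raised on base-debian:jessie/Dockerfile.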
diff --git a/onion/start.sh b/onion/start.sh
new file mode 100644
index 0000000..dce48af
--- /dev/null
+++ b/onion/start.sh
@@ -0,0 +1,20 @@
+#! /bin/sh
+
+# BACKEND_PORT is set by `docker run --link BACKEND:foo' on the form
+# tcp://<ip>:<port>. See https://docs.docker.com/userguide/dockerlinks/.
+
+if [ -n "${HSPORT}" ]; then
+ HSPORT=80 # Default localhost:80 -> .onion:80
+ if [ -n "${BACKEND_PORT}" ]; then
+ HSPORT="80 "$(echo ${BACKEND_PORT} | sed 's|^.*://||1')
+ fi
+fi
+
+if ! [ -e /etc/tor/torrc ]; then
+ echo "SocksPort 0" >> /etc/tor/torrc
+ echo "DataDirectory /var/lib/tor" >> /etc/tor/torrc
+ echo "HiddenServiceDir /var/lib/tor/hs" >> /etc/tor/torrc
+ echo "HiddenServicePort ${HSPORT}" >> /etc/tor/torrc
+fi
+
+/usr/bin/tor -f /etc/tor/torrc --user debian-tor
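Review bot: The test on line 401 is inverted: `[ -n "${HSPORT}" ]` enters the block only when HSPORT is already set, so with no HSPORT in the environment the default is never applied and line 412 writes `HiddenServicePort ` with no value into torrc, while a caller-supplied HSPORT is overwritten. It should be `if [ -z "${HSPORT}" ]; then`. The final line should also be `exec /usr/bin/tor -f /etc/tor/torrc --user debian-tor` so tor replaces the shell as PID 1 and receives the signal from `docker stop`. Note that `/etc/tor` is declared a `VOLUME` in onion/Dockerfile, so the torrc written here lands on the host-side volume and persists across container recreation, which is presumably intended but worth stating in the comment.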