forked from realiotech/realio-network
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement basic containerized build and arrange for cosmos's secrets
management. - Implement a buildprocess not using starport CLI so we can take advantage of download and binary caches. - Implement a container image providing a headless implementation of secret service to manage validator keys. On Linux, cosmos devolves to either the D-Bus secret service API, or asking for passwords on standard out/in for managing key secrets. Since neither running a desktop or implementing stdin/out based interactive solutions is attractive, we pull in a headless secret-service implementation, and tie it in with s6-supervise for runtime managmement. This lets us feed in a master key for the container for secret storage, and have in implementation that lets us leave the desired secrets encrypted at rest, in our case, to be provided via a kubernetes secret projected as a file.
- Loading branch information
Showing
5 changed files
with
128 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| docker/Dockerfile | ||
| .dockerignore | ||
| .*.swp | ||
| *.swp | ||
| realio-networkd | ||
|
|
||
| .idea | ||
|
|
||
| s6/.s6-svscan/control | ||
| s6/.s6-svscan/lock | ||
| s6/*/supervise | ||
| s6/*/event |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| FROM starport/cli:0.19.1 AS starport-cli | ||
|
|
||
| #FROM node:16-alpine3.15 | ||
| # | ||
| #WORKDIR /node/vue | ||
| # | ||
| #COPY vue/package.json . | ||
|
|
||
| # TODO: reimplement vue ui | ||
| #RUN echo "prepping realio-network vue builder" ; \ | ||
| # apk update && \ | ||
| # apk add --no-cache --virtual .gyp python2 make g++ && \ | ||
| # npm install && \ | ||
| # apk del .gyp && \ | ||
| # echo "done" | ||
|
|
||
| #COPY vue/ . | ||
|
|
||
| #RUN npm run build | ||
|
|
||
| FROM golang:1.16-buster AS secret-service-builder | ||
|
|
||
| ARG APTOPT | ||
| WORKDIR /go/src | ||
|
|
||
| RUN echo "building secret-service" ; \ | ||
| #mkdir -p github.com/yousefvand && \ | ||
| #git clone https://github.com/kainz/secret-service --depth 1 -b fix_collections_pathtypes github.com/yousefvand/secret-service && \ | ||
| #cd github.com/yousefvand/secret-service && \ | ||
| #go build -race --mod=readonly -o /go/bin/secretserviced ./cmd/app/secretserviced && \ | ||
| #go build -race --mod=readonly -o /go/bin/secretservice ./cmd/app/secretservice && \ | ||
| go install -race github.com/yousefvand/secret-service/cmd/app/[email protected] && \ | ||
| go install -race github.com/yousefvand/secret-service/cmd/app/[email protected] && \ | ||
| echo done | ||
|
|
||
| FROM golang:1.16-buster AS realio-network-builder | ||
|
|
||
| # use something like --build-arg APTOPT='-o Acquire::HTTP::Proxy=http://proxy:3142' to use an apt-cacher for example | ||
| ARG APTOPT | ||
|
|
||
| WORKDIR /go/src/github.com/realiotech/realio-network | ||
|
|
||
| RUN echo "prepping realio-network builder" ; \ | ||
| apt-get $APTOPT update && \ | ||
| apt-get $APTOPT install -y --no-install-recommends --no-install-suggests \ | ||
| time && \ | ||
| rm -rf /var/lib/apt/lists/* && \ | ||
| echo "done" | ||
|
|
||
| ## only copy go.mod and go.sum | ||
| COPY go.mod go.mod | ||
| COPY go.sum go.sum | ||
|
|
||
| RUN time go mod download | ||
|
|
||
| COPY . . | ||
|
|
||
| RUN echo "doing build" ; \ | ||
| go build -v --mod=readonly -o /go/bin/realio-networkd ./cmd/realio-networkd | ||
|
|
||
| FROM debian:buster | ||
|
|
||
| # use something like --build-arg APTOPT='-o Acquire::HTTP::Proxy=http://proxy:3142' to use an apt-cacher for example | ||
| ARG APTOPT | ||
| ENV DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-docker-session | ||
|
|
||
| RUN useradd -ms /bin/bash -d /data realio-cosmos && \ | ||
| apt-get $APTOPT update && \ | ||
| apt-get $APTOPT -y install --no-install-recommends --no-install-suggests \ | ||
| dbus \ | ||
| libsecret-tools \ | ||
| procps \ | ||
| s6 \ | ||
| && \ | ||
| apt-get $APTOPT clean && \ | ||
| rm -rf /var/lib/apt/lists && \ | ||
| echo done | ||
|
|
||
| COPY --from=realio-network-builder /go/bin/realio-networkd /usr/local/bin/ | ||
| COPY --from=secret-service-builder /go/bin/secretservice* /usr/local/bin/ | ||
| COPY genesis-testnet.json /usr/local/share/doc/realio-networkd/genesis-testnet.json | ||
| COPY s6 /usr/local/etc/s6/ | ||
|
|
||
| VOLUME /data | ||
|
|
||
| run chown realio-cosmos:realio-cosmos /data | ||
|
|
||
| EXPOSE 9090 9091 26656 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/sh | ||
|
|
||
| HOME=/data | ||
|
|
||
| export HOME | ||
|
|
||
| exec s6-setuidgid realio-cosmos dbus-daemon --session --address="$DBUS_SESSION_BUS_ADDRESS" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| #!/bin/sh | ||
|
|
||
| if [ -r /etc/realio-secrets/realio-network/secretspassword ]; then | ||
| export MASTERPASSWORD="$(cat /etc/realio-secrets/realio-network/secretspassword)" | ||
| fi | ||
|
|
||
| HOME=/data | ||
|
|
||
| export HOME | ||
|
|
||
| exec s6-setuidgid realio-cosmos secretserviced |