A service to replicate and serve requests for site configurations based on site ID, public IP, and the on-site lead contact's OTP.
Révision | bb055c8af410cee38fe1577a58b4dfca5ae70822 (tree) |
---|---|
l'heure | 2021-10-12 22:55:11 |
Auteur | S. Seago <sseago-dev@proj...> |
Commiter | S. Seago |
Add IPFS w/ SSL. Wrangle with formatting.
@@ -1,8 +1,14 @@ | ||
1 | +:source-highlighter: CodeRay | |
2 | + | |
3 | + | |
1 | 4 | == Docker Notes |
2 | 5 | |
6 | + | |
3 | 7 | === PXE Server |
4 | 8 | :source: https://github.com/particleKIT/pxe-docker/blob/master/Dockerfile |
5 | 9 | |
10 | +[source, Dockerfile] | |
11 | +--- | |
6 | 12 | FROM httpd |
7 | 13 | |
8 | 14 | RUN apt-get update && apt-get upgrade -y && apt-get install -y \ |
@@ -17,4 +23,127 @@ | ||
17 | 23 | ADD init.sh / |
18 | 24 | |
19 | 25 | CMD ["/init.sh"] |
26 | +--- | |
20 | 27 | |
28 | + | |
29 | +=== IPFS w/ SSL on Debian Buster | |
30 | +:source: https://github.com/ipfs/go-ipfs/blob/master/Dockerfile | |
31 | + | |
32 | +[source, Dockerfile] | |
33 | +--- | |
34 | +# Note: when updating the go minor version here, also update the go-channel in snap/snapcraft.yml | |
35 | +FROM golang:1.16.7-buster | |
36 | +LABEL maintainer="Steven Allen <steven@stebalien.com>" | |
37 | + | |
38 | +# Install deps | |
39 | +RUN apt-get update && apt-get install -y \ | |
40 | + libssl-dev \ | |
41 | + ca-certificates \ | |
42 | + fuse | |
43 | + | |
44 | +ENV SRC_DIR /go-ipfs | |
45 | + | |
46 | +# Download packages first so they can be cached. | |
47 | +COPY go.mod go.sum $SRC_DIR/ | |
48 | +RUN cd $SRC_DIR \ | |
49 | + && go mod download | |
50 | + | |
51 | +COPY . $SRC_DIR | |
52 | + | |
53 | +# Preload an in-tree but disabled-by-default plugin by adding it to the IPFS_PLUGINS variable | |
54 | +# e.g. docker build --build-arg IPFS_PLUGINS="foo bar baz" | |
55 | +ARG IPFS_PLUGINS | |
56 | + | |
57 | +# Build the thing. | |
58 | +# Also: fix getting HEAD commit hash via git rev-parse. | |
59 | +RUN cd $SRC_DIR \ | |
60 | + && mkdir -p .git/objects \ | |
61 | + && make build GOTAGS=openssl IPFS_PLUGINS=$IPFS_PLUGINS | |
62 | + | |
63 | +# Get su-exec, a very minimal tool for dropping privileges, | |
64 | +# and tini, a very minimal init daemon for containers | |
65 | +ENV SUEXEC_VERSION v0.2 | |
66 | +ENV TINI_VERSION v0.19.0 | |
67 | +RUN set -eux; \ | |
68 | + dpkgArch="$(dpkg --print-architecture)"; \ | |
69 | + case "${dpkgArch##*-}" in \ | |
70 | + "amd64" | "armhf" | "arm64") tiniArch="tini-static-$dpkgArch" ;;\ | |
71 | + *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \ | |
72 | + esac; \ | |
73 | + cd /tmp \ | |
74 | + && git clone https://github.com/ncopa/su-exec.git \ | |
75 | + && cd su-exec \ | |
76 | + && git checkout -q $SUEXEC_VERSION \ | |
77 | + && make su-exec-static \ | |
78 | + && cd /tmp \ | |
79 | + && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/$tiniArch \ | |
80 | + && chmod +x tini | |
81 | + | |
82 | +# Now comes the actual target image, which aims to be as small as possible. | |
83 | +FROM busybox:1.31.1-glibc | |
84 | +LABEL maintainer="Steven Allen <steven@stebalien.com>" | |
85 | + | |
86 | +# Get the ipfs binary, entrypoint script, and TLS CAs from the build container. | |
87 | +ENV SRC_DIR /go-ipfs | |
88 | +COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs | |
89 | +COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs | |
90 | +COPY --from=0 /tmp/su-exec/su-exec-static /sbin/su-exec | |
91 | +COPY --from=0 /tmp/tini /sbin/tini | |
92 | +COPY --from=0 /bin/fusermount /usr/local/bin/fusermount | |
93 | +COPY --from=0 /etc/ssl/certs /etc/ssl/certs | |
94 | + | |
95 | +# Add suid bit on fusermount so it will run properly | |
96 | +RUN chmod 4755 /usr/local/bin/fusermount | |
97 | + | |
98 | +# Fix permissions on start_ipfs (ignore the build machine's permissions) | |
99 | +RUN chmod 0755 /usr/local/bin/start_ipfs | |
100 | + | |
101 | +# This shared lib (part of glibc) doesn't seem to be included with busybox. | |
102 | +COPY --from=0 /lib/*-linux-gnu*/libdl.so.2 /lib/ | |
103 | + | |
104 | +# Copy over SSL libraries. | |
105 | +COPY --from=0 /usr/lib/*-linux-gnu*/libssl.so* /usr/lib/ | |
106 | +COPY --from=0 /usr/lib/*-linux-gnu*/libcrypto.so* /usr/lib/ | |
107 | + | |
108 | +# Swarm TCP; should be exposed to the public | |
109 | +EXPOSE 4001 | |
110 | +# Swarm UDP; should be exposed to the public | |
111 | +EXPOSE 4001/udp | |
112 | +# Daemon API; must not be exposed publicly but to client services under you control | |
113 | +EXPOSE 5001 | |
114 | +# Web Gateway; can be exposed publicly with a proxy, e.g. as https://ipfs.example.org | |
115 | +EXPOSE 8080 | |
116 | +# Swarm Websockets; must be exposed publicly when the node is listening using the websocket transport (/ipX/.../tcp/8081/ws). | |
117 | +EXPOSE 8081 | |
118 | + | |
119 | +# Create the fs-repo directory and switch to a non-privileged user. | |
120 | +ENV IPFS_PATH /data/ipfs | |
121 | +RUN mkdir -p $IPFS_PATH \ | |
122 | + && adduser -D -h $IPFS_PATH -u 1000 -G users ipfs \ | |
123 | + && chown ipfs:users $IPFS_PATH | |
124 | + | |
125 | +# Create mount points for `ipfs mount` command | |
126 | +RUN mkdir /ipfs /ipns \ | |
127 | + && chown ipfs:users /ipfs /ipns | |
128 | + | |
129 | +# Expose the fs-repo as a volume. | |
130 | +# start_ipfs initializes an fs-repo if none is mounted. | |
131 | +# Important this happens after the USER directive so permissions are correct. | |
132 | +VOLUME $IPFS_PATH | |
133 | + | |
134 | +# The default logging level | |
135 | +ENV IPFS_LOGGING "" | |
136 | + | |
137 | +# This just makes sure that: | |
138 | +# 1. There's an fs-repo, and initializes one if there isn't. | |
139 | +# 2. The API and Gateway are accessible from outside the container. | |
140 | +ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"] | |
141 | + | |
142 | +# Heathcheck for the container | |
143 | +# QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is the CID of empty folder | |
144 | +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ | |
145 | + CMD ipfs dag stat /ipfs/QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn || exit 1 | |
146 | + | |
147 | +# Execute the daemon subcommand by default | |
148 | +CMD ["daemon", "--migrate=true"] | |
149 | +--- | |
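Review bot: The final stage makes `/usr/local/bin/fusermount` setuid-root (`chmod 4755`, new line 96) in an image that also ships su-exec, so a compromise of the ipfs process has a setuid binary to aim at; unless the deployment actually uses `ipfs mount`, drop the fusermount COPY and chmod, or leave the bit off and document why it is required. The build stage fetches tini with a bare `wget` (new line 79) and checks out su-exec by a movable tag (new line 76) with no integrity check, so both binaries are trusted on nothing more than a TLS connection to GitHub; pinning a digest, e.g. `&& echo "<sha256>  tini" | sha256sum -c -` after the download (the tini release also publishes a `.sha256sum` per asset) and checking out su-exec by commit hash rather than tag, would make the image tamper-evident and reproducible. The comments at new lines 119 and 131 speak of switching to a non-privileged user and of a USER directive, but no `USER` appears anywhere in this stage — presumably `start_ipfs` drops to `ipfs` via su-exec at runtime, which is worth stating in place of the stale comment, e.g. `# No USER here: start_ipfs runs as root to fix volume ownership, then is expected to drop to ipfs via su-exec`. Separately, AsciiDoc listing blocks are delimited by four dashes, so the `---` lines after each `[source, Dockerfile]` will not render the listing as a code block.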
\ No newline at end of file |