author | Florian Dold <florian@dold.me> | 2023-10-16 23:03:07 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2023-10-16 23:03:07 +0200 |
commit | a44f235aaa876d02567d21535ec6831f5022c875 (patch) | |
tree | adb72b882bc37a8fa938184052332a23703e872e | |
parent | 102d0c5ed9298731e97708416c43e586cf7a7080 (diff) | |
download | deployment-a44f235aaa876d02567d21535ec6831f5022c875.tar.gz deployment-a44f235aaa876d02567d21535ec6831f5022c875.tar.bz2 deployment-a44f235aaa876d02567d21535ec6831f5022c875.zip |
WIP
-rw-r--r-- | sandcastle-ng/Dockerfile | 3 | ||||
-rw-r--r-- | sandcastle-ng/README.md | 30 | ||||
-rwxr-xr-x | sandcastle-ng/backup.sh | 42 | ||||
-rw-r--r-- | sandcastle-ng/buildconfig/exchange.tag | 2 | ||||
-rw-r--r-- | sandcastle-ng/buildconfig/gnunet.tag | 2 | ||||
-rw-r--r-- | sandcastle-ng/buildconfig/merchant.tag | 2 | ||||
-rwxr-xr-x | sandcastle-ng/run-container | 8 | ||||
-rwxr-xr-x | sandcastle-ng/sandcastle-build (renamed from sandcastle-ng/build-container) | 0 | ||||
-rwxr-xr-x | sandcastle-ng/sandcastle-run | 50 | ||||
-rwxr-xr-x | sandcastle-ng/scripts/setup-sandcastle.sh | 38 | ||||
-rw-r--r-- | sandcastle-ng/systemd/setup-sandcastle.service | 10 |
11 files changed, 124 insertions, 63 deletions
diff --git a/sandcastle-ng/Dockerfile b/sandcastle-ng/Dockerfile index 6c47ae3..2cbef2b 100644 --- a/sandcastle-ng/Dockerfile +++ b/sandcastle-ng/Dockerfile @@ -221,7 +221,8 @@ RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends inst systemd-coredump \ libnss3-tools \ latexmk \ - texlive-latex-extra + texlive-latex-extra \ + tex-gyre RUN mkdir -p /packages COPY --from=gnunet /packages/gnunet/* /packages/ COPY --from=exchange /packages/exchange/* /packages/ diff --git a/sandcastle-ng/README.md b/sandcastle-ng/README.md index c0f77da..f52045d 100644 --- a/sandcastle-ng/README.md +++ b/sandcastle-ng/README.md @@ -5,18 +5,21 @@ The sandcastle is a containerized deployment of GNU Taler It uses podman to build an image and run a single container that has systemd running inside. + # Prerequisites You need (on your host system): * podman * bash + # Building the Container Image 1. Set builconfig/$component.tag to the right git tag you want to build -2. Run ./build-container to build the Taler container. The resulting container +2. Run ./sandcastle-build to build the Taler container. The resulting container is tagged as taler-base-all + # Configuring the Deployment It is recommended that for each deployment, you clone the deployment.git @@ -27,15 +30,17 @@ Currently there is not much configuration. The main adjustments to be made are: * scripts/setup-sandcastle.sh has the currency on top of the file -* run-container has variables for the port that'll be exposed ("published") on +* sandcastle-run has variables for the port that'll be exposed ("published") on the host. They can be overwritten with environment variables (``TALER_SANDCASTLE_PORT_$COMPONENT``). + # Running the Deployment -Run ``./run-container`` to run the single container. The container will be +Run ``./sandcastle-run`` to run the single container. The container will be called taler-sandcastle. + # Poking Around You can poke around in a running sandcastle instance by running 
@@ -47,18 +52,33 @@ podman exec -it taler-sandcastle /bin/bash This will drop you into a shell inside the running container, where you have access to systemd, journalctl, etc. + # Data Storage All persistent data is stored in a podman volume called talerdata. You can see where it is in your filesystem by running ``podman volume inspect talerdata``. + # Provisioning Details The whole deployment is configured by the script ``scripts/setup-sandcastle.sh``. This script will be run as a oneshot systemd service and will disable itself after the first success. -To troubleshoot, run `journalctl -u setup-sandcastle.service`. +To troubleshoot, run ``journalctl -u setup-sandcastle.service``. + +To run the container without any automatic provisioning, run ``./sandcastle-run -e SANDCASTLE_SKIP_SETUP=1``. + +You can always manually run the script inside the container as ``/scripts/setup-sandcastle.sh``. + + +# Future Extensions -To run the container without any automatic provisioning, run XXX. +* more self-tests using the wallet CLI +* Running the auditor +* Running a currency conversion setup with multiple libeufin-bank instances +* Allow a localhost-only, non-tls setup for being able to access a non-tls + Taler deployment on the podman host. +* Instead of exposing HTTP ports, we could expose everything via unix domain sockets, + avoiding port collision problems. diff --git a/sandcastle-ng/backup.sh b/sandcastle-ng/backup.sh deleted file mode 100755 index 3ad3972..0000000 --- a/sandcastle-ng/backup.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash - -set -eu - -usage () { - echo - echo Usage: ./backup.sh [-h, --help] - echo - echo This utility extracts a TAR backup of data and logs - echo produced by the Taler services running inside this Docker - echo Compose setup. The backup is saved in /tmp/YYYY-MM-DD-taler-backup.tar -} - -for helpOpt in "-h" "--help"; do - if test "$helpOpt" = "${1:-}"; then - usage - exit 0 - fi -done - -if ! which docker > /dev/null; then - echo docker not found. - exit 1 -fi - -BACKUP_FILE="/tmp/$(date +%Y-%m-%d)-taler-backup.tar" - -if test -a $BACKUP_FILE; then - echo "Backup file $BACKUP_FILE exists already, please move it and run the script again." - exit 3 -fi - -# 'chown' should still help rootful runs to -# have the TAR owned by the user invoking the command. -docker run \ - -v /tmp:/tmp \ - -v demo_talerdata:/taler-data \ - -v demo_talerlogs:/taler-logs \ - -it debian:stable \ - /bin/bash -c "tar --no-same-owner --no-same-permissions -c -f ${BACKUP_FILE} /taler-data /taler-logs" > /dev/null - -echo Backup at: ${BACKUP_FILE} diff --git a/sandcastle-ng/buildconfig/exchange.tag b/sandcastle-ng/buildconfig/exchange.tag index 5373159..37cffb3 100644 --- a/sandcastle-ng/buildconfig/exchange.tag +++ b/sandcastle-ng/buildconfig/exchange.tag @@ -1 +1 @@ -v0.9.4-dev.2 +v0.9.4-dev.3 diff --git a/sandcastle-ng/buildconfig/gnunet.tag b/sandcastle-ng/buildconfig/gnunet.tag index 1847373..46def34 100644 --- a/sandcastle-ng/buildconfig/gnunet.tag +++ b/sandcastle-ng/buildconfig/gnunet.tag @@ -1 +1 @@ -v0.20.0 +v0.20.1-talerdev.1 diff --git a/sandcastle-ng/buildconfig/merchant.tag b/sandcastle-ng/buildconfig/merchant.tag index 6f00e66..5373159 100644 --- a/sandcastle-ng/buildconfig/merchant.tag +++ b/sandcastle-ng/buildconfig/merchant.tag @@ -1 +1 @@ -v0.9.4-dev.1 +v0.9.4-dev.2 diff --git a/sandcastle-ng/run-container b/sandcastle-ng/run-container deleted file mode 100755 index ebc7e1f..0000000 --- a/sandcastle-ng/run-container +++ /dev/null 
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-
-# Run the Taler container with all the right mounts and preset parameters
-
-
-# We need to be careful with SELinux when using volume mounts, relabel!
-
-exec podman run --systemd=always -v talerdata:/talerdata:Z -v $PWD/scripts:/scripts:Z "$@" taler-base-all
diff --git a/sandcastle-ng/build-container b/sandcastle-ng/sandcastle-build
index 7a655dd..7a655dd 100755
--- a/sandcastle-ng/build-container
+++ b/sandcastle-ng/sandcastle-build
diff --git a/sandcastle-ng/sandcastle-run b/sandcastle-ng/sandcastle-run
new file mode 100755
index 0000000..4d6a689
--- /dev/null
+++ b/sandcastle-ng/sandcastle-run
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Run the Taler container with all the right mounts and preset parameters
+
+set -eu
+
+SANDCASTLE_PORT_MERCHANT=16000
+SANDCASTLE_PORT_EXCHANGE=16001
+SANDCASTLE_PORT_BLOG=16002
+SANDCASTLE_PORT_DONATIONS=16003
+SANDCASTLE_PORT_SURVEY=16004
+SANDCASTLE_PORT_LANDING=16005
+SANDCASTLE_PORT_LIBEUFIN_BANK=16007
+
+# Container-internal ports, should by synced with scripts/setup-sandcastle.sh
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+existing_id=$(podman ps -q -a -f=name=taler-sandcastle)
+
+if [[ ! -z "$existing_id" ]]; then
+ echo "removing existing taler-sandcastle container $existing_id"
+ podman rm "$existing_id"
+fi
+
+# We need to be careful with SELinux when using volume mounts, relabel!
+
+exec podman run \
+ -p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
+ -p=$SANDCASTLE_PORT_EXCHANGE:$PORT_INTERNAL_EXCHANGE \
+ -p=$SANDCASTLE_PORT_LIBEUFIN_BANK:$PORT_INTERNAL_LIBEUFIN_BANK \
+ -p=$SANDCASTLE_PORT_LANDING:$PORT_INTERNAL_LANDING \
+ -p=$SANDCASTLE_PORT_BLOG:$PORT_INTERNAL_BLOG \
+ -p=$SANDCASTLE_PORT_DONATIONS:$PORT_INTERNAL_DONATIONS \
+ -p=$SANDCASTLE_PORT_SURVEY:$PORT_INTERNAL_SURVEY \
+ --name taler-sandcastle \
+ --systemd=always \
+ -v talerdata:/talerdata:Z \
+ -v $PWD/scripts:/scripts:Z \
+ --entrypoint /sbin/init \
+ "$@" \
+ taler-base-all
diff --git a/sandcastle-ng/scripts/setup-sandcastle.sh b/sandcastle-ng/scripts/setup-sandcastle.sh
index 5afa20c..099238f 100755
--- a/sandcastle-ng/scripts/setup-sandcastle.sh
+++ b/sandcastle-ng/scripts/setup-sandcastle.sh
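Review bot: `cd $SCRIPT_DIR` and `-v $PWD/scripts:/scripts:Z` in the new sandcastle-run are unquoted, so a checkout path containing whitespace breaks both the directory change and the volume spec; they should read `cd "$SCRIPT_DIR"` and `-v "$PWD/scripts:/scripts:Z" \`. The README hunk in this same commit states that the published ports can be overridden through `TALER_SANDCASTLE_PORT_$COMPONENT` environment variables, but the script assigns fixed values, so that override does not exist yet; reading the defaults as in the excerpt below closes the gap. Because no bind address is given, each `-p=` publishes its port on every host interface, and the exchange and merchant mappings forward to the plain-HTTP Caddy sites added in setup-sandcastle.sh; if those are meant for access from the podman host only, as the README's future-extensions entry suggests, prefixing the mappings with `127.0.0.1:` keeps them off the network. `podman rm "$existing_id"` fails when the old container is still running, and `set -e` then aborts before the new one starts, so `podman rm -f` (or an explicit stop first) makes the replacement reliable. The comment `# Container-internal ports, should by synced with scripts/setup-sandcastle.sh` has a typo, `should be synced`.
```shell
# Published host ports; override with TALER_SANDCASTLE_PORT_<COMPONENT> as the README documents.
SANDCASTLE_PORT_MERCHANT=${TALER_SANDCASTLE_PORT_MERCHANT:-16000}
SANDCASTLE_PORT_EXCHANGE=${TALER_SANDCASTLE_PORT_EXCHANGE:-16001}
SANDCASTLE_PORT_BLOG=${TALER_SANDCASTLE_PORT_BLOG:-16002}
SANDCASTLE_PORT_DONATIONS=${TALER_SANDCASTLE_PORT_DONATIONS:-16003}
SANDCASTLE_PORT_SURVEY=${TALER_SANDCASTLE_PORT_SURVEY:-16004}
SANDCASTLE_PORT_LANDING=${TALER_SANDCASTLE_PORT_LANDING:-16005}
SANDCASTLE_PORT_LIBEUFIN_BANK=${TALER_SANDCASTLE_PORT_LIBEUFIN_BANK:-16007}
# … unchanged: container-internal ports, SCRIPT_DIR …
cd "$SCRIPT_DIR"
# … unchanged: removal of a stale taler-sandcastle container, start of podman run …
  -v "$PWD/scripts:/scripts:Z" \
# … unchanged: entrypoint, "$@", image name …
```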
@@ -10,14 +10,31 @@ set -eu set -x +if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then + echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP" + exit 1 +fi + echo "Provisioning sandcastle" +# General configuration. +# Might eventually be moved to an external file. CURRENCY=KUDOS EXCHANGE_IBAN=DE159593 EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc" EXCHANGE_BANK_PASSWORD=sandbox +# Ports of the services running inside the container. +# Should be synchronized with the sandcastle-run script. +PORT_INTERNAL_EXCHANGE=8201 +PORT_INTERNAL_MERCHANT=8301 +PORT_INTERNAL_LIBEUFIN_BANK=8080 +PORT_INTERNAL_LANDING=8501 +PORT_INTERNAL_BLOG=8502 +PORT_INTERNAL_DONATIONS=8503 +PORT_INTERNAL_SURVEY=8504 + # Just make sure the services are stopped systemctl stop taler-exchange.target systemctl stop taler-merchant-httpd.service @@ -96,6 +113,17 @@ https://$MERCHANT_DOMAIN { tls internal reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock } + +# Services that only listen on unix domain sockets +# are reverse-proxied to serve on a TCP port. + +http://localhost:$PORT_INTERNAL_EXCHANGE { + reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock +} + +http://localhost:$PORT_INTERNAL_MERCHANT { + reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock +} EOF cat <<EOF >> /etc/hosts @@ -216,6 +244,8 @@ if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then cd $TOS_PATH taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en + taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH + taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH touch "$TOS_PATH/stamp-generated" cd - fi 
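Review bot: The SANDCASTLE_SKIP_SETUP branch at the top of the first hunk exits with status 1, so when the skip is requested the new setup-sandcastle.service (Type=oneshot) is recorded as failed although nothing went wrong; unless a failed unit is the intended signal, `exit 0` is the better status for a requested skip. The PORT_INTERNAL_* block added here duplicates the one in sandcastle-run, with a comment on each side asking for manual synchronisation; since the scripts directory is mounted into the container at /scripts, one file such as `scripts/ports.env` sourced by both scripts would remove the drift risk. The rest of setup-sandcastle.sh lies outside the hunks shown.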
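Review bot: The two new Caddy site blocks are addressed as `http://localhost:$PORT_INTERNAL_EXCHANGE` and `http://localhost:$PORT_INTERNAL_MERCHANT`, and a site address carrying a hostname only matches requests whose Host header is that hostname; a request arriving through the port published by sandcastle-run (Host such as `127.0.0.1:16001`) would, if I read Caddy's matching correctly, match no site and get an empty reply. Addressing them as `http://:$PORT_INTERNAL_EXCHANGE {` and `http://:$PORT_INTERNAL_MERCHANT {` matches on the port alone. These blocks expose the same sockets as the TLS sites over plain HTTP, so whether they stay reachable only from the podman host is decided by the `-p=` mappings in sandcastle-run rather than here. The heredoc that writes the Caddyfile begins before this hunk.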
@@ -283,16 +313,16 @@ BACKEND = https://backend.demo.taler.net/ BACKEND_APIKEY = secret-token:sandbox [landing] SERVE = http -HTTP_PORT = 8501 +HTTP_PORT = $PORT_INTERNAL_LANDING [blog] SERVE = http -HTTP_PORT = 8502 +HTTP_PORT = $PORT_INTERNAL_BLOG [donations] SERVE = http -HTTP_PORT = 8503 +HTTP_PORT = $PORT_INTERNAL_DONATIONS [survey] SERVE = http -HTTP_PORT = 8504 +HTTP_PORT = $PORT_INTERNAL_SURVEY EOF systemctl enable --now taler-demo-landing diff --git a/sandcastle-ng/systemd/setup-sandcastle.service b/sandcastle-ng/systemd/setup-sandcastle.service new file mode 100644 index 0000000..c3d22ca --- /dev/null +++ b/sandcastle-ng/systemd/setup-sandcastle.service @@ -0,0 +1,10 @@ +[Unit] +Description=Provision the sandcastle + +[Service] +Type=oneshot +ExecStart=/scripts/setup-sandcastle.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target |
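Review bot: setup-sandcastle.service runs /scripts/setup-sandcastle.sh with its output in the journal, and that script enables `set -x` at the top of its first hunk, so every expanded command, including any that expands `EXCHANGE_BANK_PASSWORD`, is traced into `journalctl -u setup-sandcastle.service`, the very log the README now recommends for troubleshooting. Wrapping the credential-handling steps in `set +x` / `set -x`, or dropping the trace once provisioning is stable, keeps secrets out of the journal. The unit carries no `After=` or `Before=` ordering against the services the script reconfigures, so the script's explicit `systemctl stop` calls are the only thing preventing a race with units that start in parallel; stating the ordering in the unit would make that explicit. With `RemainAfterExit=yes` and no `ExecStartPost`, the self-disabling the README describes must live in the script itself, outside the hunks shown.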