authorFlorian Dold <florian@dold.me>2023-10-16 23:03:07 +0200
committerFlorian Dold <florian@dold.me>2023-10-16 23:03:07 +0200
commita44f235aaa876d02567d21535ec6831f5022c875 (patch)
treeadb72b882bc37a8fa938184052332a23703e872e
parent102d0c5ed9298731e97708416c43e586cf7a7080 (diff)
WIP
-rw-r--r--sandcastle-ng/Dockerfile3
-rw-r--r--sandcastle-ng/README.md30
-rwxr-xr-xsandcastle-ng/backup.sh42
-rw-r--r--sandcastle-ng/buildconfig/exchange.tag2
-rw-r--r--sandcastle-ng/buildconfig/gnunet.tag2
-rw-r--r--sandcastle-ng/buildconfig/merchant.tag2
-rwxr-xr-xsandcastle-ng/run-container8
-rwxr-xr-xsandcastle-ng/sandcastle-build (renamed from sandcastle-ng/build-container)0
-rwxr-xr-xsandcastle-ng/sandcastle-run50
-rwxr-xr-xsandcastle-ng/scripts/setup-sandcastle.sh38
-rw-r--r--sandcastle-ng/systemd/setup-sandcastle.service10
11 files changed, 124 insertions, 63 deletions
diff --git a/sandcastle-ng/Dockerfile b/sandcastle-ng/Dockerfile
index 6c47ae3..2cbef2b 100644
--- a/sandcastle-ng/Dockerfile
+++ b/sandcastle-ng/Dockerfile
@@ -221,7 +221,8 @@ RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends inst
systemd-coredump \
libnss3-tools \
latexmk \
- texlive-latex-extra
+ texlive-latex-extra \
+ tex-gyre
RUN mkdir -p /packages
COPY --from=gnunet /packages/gnunet/* /packages/
COPY --from=exchange /packages/exchange/* /packages/
diff --git a/sandcastle-ng/README.md b/sandcastle-ng/README.md
index c0f77da..f52045d 100644
--- a/sandcastle-ng/README.md
+++ b/sandcastle-ng/README.md
@@ -5,18 +5,21 @@ The sandcastle is a containerized deployment of GNU Taler
It uses podman to build an image and run a single container that
has systemd running inside.
+
# Prerequisites
You need (on your host system):
* podman
* bash
+
# Building the Container Image
1. Set builconfig/$component.tag to the right git tag you want to build
-2. Run ./build-container to build the Taler container. The resulting container
+2. Run ./sandcastle-build to build the Taler container. The resulting container
is tagged as taler-base-all
+
# Configuring the Deployment
It is recommended that for each deployment, you clone the deployment.git
@@ -27,15 +30,17 @@ Currently there is not much configuration.
The main adjustments to be made are:
* scripts/setup-sandcastle.sh has the currency on top of the file
-* run-container has variables for the port that'll be exposed ("published") on
+* sandcastle-run has variables for the port that'll be exposed ("published") on
the host. They can be overwritten with environment variables
(``TALER_SANDCASTLE_PORT_$COMPONENT``).
+
# Running the Deployment
-Run ``./run-container`` to run the single container. The container will be
+Run ``./sandcastle-run`` to run the single container. The container will be
called taler-sandcastle.
+
# Poking Around
You can poke around in a running sandcastle instance by running
@@ -47,18 +52,33 @@ podman exec -it taler-sandcastle /bin/bash
This will drop you into a shell inside the running container,
where you have access to systemd, journalctl, etc.
+
# Data Storage
All persistent data is stored in a podman volume called
talerdata. You can see where it is in your filesystem
by running ``podman volume inspect talerdata``.
+
# Provisioning Details
The whole deployment is configured by the script ``scripts/setup-sandcastle.sh``.
This script will be run as a oneshot systemd service and will disable itself after
the first success.
-To troubleshoot, run `journalctl -u setup-sandcastle.service`.
+To troubleshoot, run ``journalctl -u setup-sandcastle.service``.
+
+To run the container without any automatic provisioning, run ``./sandcastle-run -e SANDCASTLE_SKIP_SETUP=1``.
+
+You can always manually run the script inside the container as ``/scripts/setup-sandcastle.sh``.
+
+
+# Future Extensions
-To run the container without any automatic provisioning, run XXX.
+* more self-tests using the wallet CLI
+* Running the auditor
+* Running a currency conversion setup with multiple libeufin-bank instances
+* Allow a localhost-only, non-tls setup for being able to access a non-tls
+ Taler deployment on the podman host.
+* Instead of exposing HTTP ports, we could expose everything via unix domain sockets,
+ avoiding port collision problems.
diff --git a/sandcastle-ng/backup.sh b/sandcastle-ng/backup.sh
deleted file mode 100755
index 3ad3972..0000000
--- a/sandcastle-ng/backup.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-usage () {
- echo
- echo Usage: ./backup.sh [-h, --help]
- echo
- echo This utility extracts a TAR backup of data and logs
- echo produced by the Taler services running inside this Docker
- echo Compose setup. The backup is saved in /tmp/YYYY-MM-DD-taler-backup.tar
-}
-
-for helpOpt in "-h" "--help"; do
- if test "$helpOpt" = "${1:-}"; then
- usage
- exit 0
- fi
-done
-
-if ! which docker > /dev/null; then
- echo docker not found.
- exit 1
-fi
-
-BACKUP_FILE="/tmp/$(date +%Y-%m-%d)-taler-backup.tar"
-
-if test -a $BACKUP_FILE; then
- echo "Backup file $BACKUP_FILE exists already, please move it and run the script again."
- exit 3
-fi
-
-# 'chown' should still help rootful runs to
-# have the TAR owned by the user invoking the command.
-docker run \
- -v /tmp:/tmp \
- -v demo_talerdata:/taler-data \
- -v demo_talerlogs:/taler-logs \
- -it debian:stable \
- /bin/bash -c "tar --no-same-owner --no-same-permissions -c -f ${BACKUP_FILE} /taler-data /taler-logs" > /dev/null
-
-echo Backup at: ${BACKUP_FILE}
diff --git a/sandcastle-ng/buildconfig/exchange.tag b/sandcastle-ng/buildconfig/exchange.tag
index 5373159..37cffb3 100644
--- a/sandcastle-ng/buildconfig/exchange.tag
+++ b/sandcastle-ng/buildconfig/exchange.tag
@@ -1 +1 @@
-v0.9.4-dev.2
+v0.9.4-dev.3
diff --git a/sandcastle-ng/buildconfig/gnunet.tag b/sandcastle-ng/buildconfig/gnunet.tag
index 1847373..46def34 100644
--- a/sandcastle-ng/buildconfig/gnunet.tag
+++ b/sandcastle-ng/buildconfig/gnunet.tag
@@ -1 +1 @@
-v0.20.0
+v0.20.1-talerdev.1
diff --git a/sandcastle-ng/buildconfig/merchant.tag b/sandcastle-ng/buildconfig/merchant.tag
index 6f00e66..5373159 100644
--- a/sandcastle-ng/buildconfig/merchant.tag
+++ b/sandcastle-ng/buildconfig/merchant.tag
@@ -1 +1 @@
-v0.9.4-dev.1
+v0.9.4-dev.2
diff --git a/sandcastle-ng/run-container b/sandcastle-ng/run-container
deleted file mode 100755
index ebc7e1f..0000000
--- a/sandcastle-ng/run-container
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-
-# Run the Taler container with all the right mounts and preset parameters
-
-
-# We need to be careful with SELinux when using volume mounts, relabel!
-
-exec podman run --systemd=always -v talerdata:/talerdata:Z -v $PWD/scripts:/scripts:Z "$@" taler-base-all
diff --git a/sandcastle-ng/build-container b/sandcastle-ng/sandcastle-build
index 7a655dd..7a655dd 100755
--- a/sandcastle-ng/build-container
+++ b/sandcastle-ng/sandcastle-build
diff --git a/sandcastle-ng/sandcastle-run b/sandcastle-ng/sandcastle-run
new file mode 100755
index 0000000..4d6a689
--- /dev/null
+++ b/sandcastle-ng/sandcastle-run
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Run the Taler container with all the right mounts and preset parameters
+
+set -eu
+
+SANDCASTLE_PORT_MERCHANT=16000
+SANDCASTLE_PORT_EXCHANGE=16001
+SANDCASTLE_PORT_BLOG=16002
+SANDCASTLE_PORT_DONATIONS=16003
+SANDCASTLE_PORT_SURVEY=16004
+SANDCASTLE_PORT_LANDING=16005
+SANDCASTLE_PORT_LIBEUFIN_BANK=16007
+
+# Container-internal ports, should by synced with scripts/setup-sandcastle.sh
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+existing_id=$(podman ps -q -a -f=name=taler-sandcastle)
+
+if [[ ! -z "$existing_id" ]]; then
+ echo "removing existing taler-sandcastle container $existing_id"
+ podman rm "$existing_id"
+fi
+
+# We need to be careful with SELinux when using volume mounts, relabel!
+
+exec podman run \
+ -p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
+ -p=$SANDCASTLE_PORT_EXCHANGE:$PORT_INTERNAL_EXCHANGE \
+ -p=$SANDCASTLE_PORT_LIBEUFIN_BANK:$PORT_INTERNAL_LIBEUFIN_BANK \
+ -p=$SANDCASTLE_PORT_LANDING:$PORT_INTERNAL_LANDING \
+ -p=$SANDCASTLE_PORT_BLOG:$PORT_INTERNAL_BLOG \
+ -p=$SANDCASTLE_PORT_DONATIONS:$PORT_INTERNAL_DONATIONS \
+ -p=$SANDCASTLE_PORT_SURVEY:$PORT_INTERNAL_SURVEY \
+ --name taler-sandcastle \
+ --systemd=always \
+ -v talerdata:/talerdata:Z \
+ -v $PWD/scripts:/scripts:Z \
+ --entrypoint /sbin/init \
+ "$@" \
+ taler-base-all
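Review bot: The seven `SANDCASTLE_PORT_*` lines at the top of the new sandcastle-run script are plain assignments, so the `TALER_SANDCASTLE_PORT_$COMPONENT` environment override that the README hunk in this same commit documents does not actually exist; `SANDCASTLE_PORT_MERCHANT=${TALER_SANDCASTLE_PORT_MERCHANT:-16000}` (and likewise for the other six) would honour it. `cd $SCRIPT_DIR` and `-v $PWD/scripts:/scripts:Z` should be quoted (`cd "$SCRIPT_DIR"`, `-v "$PWD/scripts:/scripts:Z"`), since a checkout path containing a space word-splits and, under `set -eu`, aborts the script or mounts the wrong directory. The `-p=HOST:CONTAINER` publications bind on every host interface; if the sandcastle is only meant to be reached from the podman host, `-p=127.0.0.1:$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT` limits what is exposed, which matters because the new Caddy `http://localhost:...` sites in scripts/setup-sandcastle.sh serve plaintext. `podman rm "$existing_id"` presumably fails when the old container is still running, and with `set -e` that aborts before `podman run`; `podman rm -f` or a preceding `podman stop` may be what is intended.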
diff --git a/sandcastle-ng/scripts/setup-sandcastle.sh b/sandcastle-ng/scripts/setup-sandcastle.sh
index 5afa20c..099238f 100755
--- a/sandcastle-ng/scripts/setup-sandcastle.sh
+++ b/sandcastle-ng/scripts/setup-sandcastle.sh
@@ -10,14 +10,31 @@
set -eu
set -x
+if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then
+ echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP"
+ exit 1
+fi
+
echo "Provisioning sandcastle"
+# General configuration.
+# Might eventually be moved to an external file.
CURRENCY=KUDOS
EXCHANGE_IBAN=DE159593
EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN
EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc"
EXCHANGE_BANK_PASSWORD=sandbox
+# Ports of the services running inside the container.
+# Should be synchronized with the sandcastle-run script.
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+
# Just make sure the services are stopped
systemctl stop taler-exchange.target
systemctl stop taler-merchant-httpd.service
@@ -96,6 +113,17 @@ https://$MERCHANT_DOMAIN {
tls internal
reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock
}
+
+# Services that only listen on unix domain sockets
+# are reverse-proxied to serve on a TCP port.
+
+http://localhost:$PORT_INTERNAL_EXCHANGE {
+ reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+}
+
+http://localhost:$PORT_INTERNAL_MERCHANT {
+ reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock
+}
EOF
cat <<EOF >> /etc/hosts
@@ -216,6 +244,8 @@ if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then
cd $TOS_PATH
taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en
taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en
+ taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH
+ taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH
touch "$TOS_PATH/stamp-generated"
cd -
fi
@@ -283,16 +313,16 @@ BACKEND = https://backend.demo.taler.net/
BACKEND_APIKEY = secret-token:sandbox
[landing]
SERVE = http
-HTTP_PORT = 8501
+HTTP_PORT = $PORT_INTERNAL_LANDING
[blog]
SERVE = http
-HTTP_PORT = 8502
+HTTP_PORT = $PORT_INTERNAL_BLOG
[donations]
SERVE = http
-HTTP_PORT = 8503
+HTTP_PORT = $PORT_INTERNAL_DONATIONS
[survey]
SERVE = http
-HTTP_PORT = 8504
+HTTP_PORT = $PORT_INTERNAL_SURVEY
EOF
systemctl enable --now taler-demo-landing
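Review bot: `set -x` is in effect on the line above the new `SANDCASTLE_SKIP_SETUP` check, so every following assignment is traced and `EXCHANGE_BANK_PASSWORD=sandbox` (and any real credential later placed in the new "General configuration" section) ends up in the journal of setup-sandcastle.service, which the README tells operators to read for troubleshooting; wrapping the credential assignments in `set +x` / `set -x`, or reading them from a file without tracing, keeps them out of the log. The new `PORT_INTERNAL_*` block duplicates the identical block added to sandcastle-run in this commit, with only the comment "Should be synchronized" guarding against drift; sourcing one shared file from /scripts (which is already bind-mounted into the container) would remove the duplication. In the second hunk the added Caddy sites `http://localhost:$PORT_INTERNAL_EXCHANGE` and `http://localhost:$PORT_INTERNAL_MERCHANT` listen on the container's loopback only, and I believe podman's published-port traffic does not arrive on loopback in rootless mode, so it is worth confirming that the `-p` mappings in sandcastle-run actually reach them (a bare `:$PORT_INTERNAL_EXCHANGE` site address would listen on all container interfaces). The skip branch exits 1, which leaves the oneshot unit in failed state whenever the documented `-e SANDCASTLE_SKIP_SETUP=1` is used; if that is deliberate so the self-disable after "first success" is not triggered, a comment such as `# exit non-zero so the unit is not marked successful and re-runs on next boot` would make the intent explicit.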
diff --git a/sandcastle-ng/systemd/setup-sandcastle.service b/sandcastle-ng/systemd/setup-sandcastle.service
new file mode 100644
index 0000000..c3d22ca
--- /dev/null
+++ b/sandcastle-ng/systemd/setup-sandcastle.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Provision the sandcastle
+
+[Service]
+Type=oneshot
+ExecStart=/scripts/setup-sandcastle.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
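Review bot: The new unit declares no ordering (`After=` / `Before=`) although the script it runs stops taler-exchange.target and taler-merchant-httpd.service and later enables taler-demo-landing, so on first boot it can race those units; an `After=` on the targets it manipulates, or a `Before=` from the units that depend on the provisioning result, would make the sequence deterministic. The README in this commit says the service disables itself after the first success, but nothing in the unit implements that (no `ConditionPathExists=`, no `ExecStartPost=`), so presumably the script does it; a one-line comment in the unit pointing to where would save the next reader a search. With `Type=oneshot` and `RemainAfterExit=yes`, the exit 1 taken by the new `SANDCASTLE_SKIP_SETUP` branch in /scripts/setup-sandcastle.sh will show the unit as failed, which is worth documenting next to `ExecStart=` if it is intended.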