
commit 244b536f0392510843494c7bd080624ca4f081dc
parent 0fc077fc8f132b4f6c47c79519ebc0405a2c9255
Author: Florian Dold <florian@dold.me>
Date:   Tue,  4 Feb 2025 19:44:01 +0100

implement and document import

Diffstat:
MREADME.md | 20+++++++++++++++-----
Msandcastle-export | 3++-
Msandcastle-run | 6++++++
Mscripts/demo/setup-sandcastle.sh | 59++++++++++++++++++++++++++++++++++++++++++++---------------
4 files changed, 67 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
@@ -198,6 +198,21 @@ when running ``./sandcastle-run``.
 You can always manually run the provisioning script inside the container as
 ``/scripts/$SANDCASTLE_SETUP_NAME/setup-sandcastle.sh``.
+# Importing / exporting
+
+To migrate a sandcastle deployment, export / import can be used.
+
+```
+# Requires taler-sandcastle to be running.
+# Export the sandcastle data to ./exported/
+./sandcastle-export
+
+# Other host:
+# Request an import
+touch exported/import-request
+# Now the deployment script will pick up the data to import
+./sandcastle-run
+```
 # Neat Things That Already Work
@@ -212,9 +227,6 @@ You can always manually run the provisioning script inside the container as
 # Future Extensions
-* Fix rewards by deploying Javier's reward topup script inside the container via a systemd timer!
-* Variant where credentials use proper secret management instead of hard-coding all
- passwords to "sandbox".
 * Better way to access logs, better way to expose errors during provisioning
 * The Dockerfile should introduce nightly tags for debian packages it builds. Currently it just uses the latest defined version, which is confusing.
@@ -222,8 +234,6 @@ You can always manually run the provisioning script inside the container as
 * Do self-tests of the deployment using the wallet CLI
 * Running the auditor
 * Running a currency conversion setup with multiple libeufin-bank instances
-* Allow a localhost-only, non-tls setup for being able to access a non-tls
- Taler deployment on the podman host.
 * Instead of exposing HTTP ports, we could expose everything via unix domain sockets, avoiding port collision problems.
 * Instead of requiring the reverse proxy to handle TLS,
diff --git a/sandcastle-export b/sandcastle-export
@@ -12,8 +12,9 @@ mkdir -p "$target/libeufin"
 podman cp taler-sandcastle:/var/lib/taler-exchange/offline/ $target/taler-exchange/.
 podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-rsa/ $target/taler-exchange/.
 podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-eddsa/ $target/taler-exchange/.
+podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-cs/ $target/taler-exchange/.
-podman exec taler-sandcastle sudo -u postgres pg_dump taler-exchange > $target/taler-exchange.sql
+podman exec taler-sandcastle sudo -u postgres pg_dump taler-exchange > $target/taler-exchange/taler-exchange.sql
 podman exec taler-sandcastle sudo -u postgres pg_dump taler-merchant > $target/taler-merchant/taler-merchant.sql
diff --git a/sandcastle-run b/sandcastle-run
@@ -60,6 +60,11 @@ mkdir -p credentials
 # That's why we mount the right start-up script and override
 # to a well-known location.
+MOUNT_EXPORTED=
+if [[ -d "$PWD/exported" ]]; then
+ MOUNT_EXPORTED="-v $PWD/exported:/exported:z"
+fi
+
 exec podman run \
 -d \
 -p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
@@ -81,6 +86,7 @@ exec podman run \
 -v $PWD/data:/data:Z \
 -v $PWD/scripts:/scripts:Z \
 -v $PWD/scripts/$SETUP_NAME:/provision:Z \
+ $MOUNT_EXPORTED \
 --entrypoint /sbin/init \
 --sdnotify=conmon \
 "$@" \
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
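Review bot: The new `secmod-cs` copy line, like the secmod-rsa, secmod-eddsa and offline lines above it, pulls directories into `$target` that, judging by their names and the secmod ownership set in setup-sandcastle.sh, hold the exchange's signing-key material, yet nothing in the hunk restricts who can read the export tree. Where `$target` is created (outside this hunk; the header shows `mkdir -p "$target/libeufin"`) consider `chmod 700 -- "$target"` or running the script under `umask 077`, which also covers the `.sql` dumps written by the two pg_dump lines. `$target` is also expanded unquoted on every line of the hunk while the header's `mkdir -p "$target/libeufin"` quotes it; `"$target/taler-exchange/."` and `> "$target/taler-exchange/taler-exchange.sql"` keep the script working for paths containing spaces.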
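Review bot: `MOUNT_EXPORTED="-v $PWD/exported:/exported:z"` relies on the unquoted `$MOUNT_EXPORTED` in the second hunk being word-split into two arguments, which breaks as soon as `$PWD` contains whitespace; a bash array keeps the empty case working without any splitting: `MOUNT_EXPORTED=()`, `MOUNT_EXPORTED=(-v "$PWD/exported:/exported:z")` and `"${MOUNT_EXPORTED[@]}" \` in the podman run command. The new mount also uses the `:z` (shared) SELinux relabel while the neighbouring data, scripts and provision mounts use `:Z` (private to this container); since the directory holds the database dumps and secmod directories produced by sandcastle-export, `:Z` is the consistent and tighter choice unless another container is meant to read it.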
@@ -74,16 +74,18 @@ PORT_INTERNAL_AUDITOR=8507
 ENABLE_AUDITOR=0
 # Just make sure the services are stopped
+systemctl stop postgresql.service
 systemctl stop taler-auditor.target
 systemctl stop taler-exchange.target
 systemctl stop taler-exchange-offline.timer
 systemctl stop taler-merchant-httpd.service
 systemctl stop taler-merchant.target
-systemctl stop postgresql.service
 systemctl stop taler-demo-landing.service
 systemctl stop taler-demo-blog.service
 systemctl stop taler-demo-donations.service
 systemctl stop libeufin-bank.service
+
+# libeufin-nexus is not used
 systemctl stop libeufin-nexus-ebics-fetch.service
 systemctl disable libeufin-nexus-ebics-fetch.service
 systemctl stop libeufin-nexus-ebics-submit.service
@@ -127,23 +129,52 @@ lift_dir talerdata /etc/libeufin etc-libeufin
 lift_dir talerdata /var/lib/postgresql var-lib-postgresql
 lift_dir talerdata_persistent /var/lib/taler-exchange/offline exchange-offline
-# We need to adjust file ownership, as the container might have different user and group
-# IDs than the volume. That can happen when the packages in the container are installed
-# in a different order.
-# This is only relevant for non-root ownership.
+# Now that the /var/lib/postgres is available, we can start postgres
-chown taler-exchange-offline:taler-exchange-offline /talerdata_persistent/exchange-offline
-chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true
+systemctl start postgresql.service
-chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs
-chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa
-chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa
-chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
+# Now all the basic stuff has been set up, we can try to import if required
+
+
+if [[ -d /exported && -e /exported/import-request ]]; then
+ echo "Import requested"
+
+ sudo -u postgres psql taler-exchange -f exported/taler-exchange/taler-exchange.sql
+ sudo -u postgres psql taler-merchant -f exported/taler-merchant/taler-merchant.sql
+ sudo -u postgres psql libeufin -f exported/libeufin/libeufin.sql
+
+ cp exported/taler-exchange/offline/* /var/lib/taler-exchange/offline/
-chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf
+ rm -rf /var/lib/taler-exchange/secmod-eddsa/*
+ cp -r exported/taler-exchange/secmod-eddsa/* /var/lib/taler-exchange/secmod-eddsa/
-# FIXME: More permissions to adjust!
+ rm -rf /var/lib/taler-exchange/secmod-rsa/*
+ cp -r exported/taler-exchange/secmod-rsa/* /var/lib/taler-exchange/secmod-rsa/
+
+ rm -rf /var/lib/taler-exchange/secmod-cs/*
+ cp -r exported/taler-exchange/secmod-cs/* /var/lib/taler-exchange/secmod-cs/
+
+ rm /exported/import-request
+fi
+
+
+# We need to adjust file ownership, as the container might have different user and group
+# IDs than the volume. That can happen when the packages in the container are installed
+# in a different order.
+# This is only relevant for non-root ownership.
+function adjust_permissions() {
+ chown taler-exchange-offline:taler-exchange-offline /talerdata_persistent/exchange-offline
+ chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true
+ chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs
+ chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa
+ chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa
+ chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
+ chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf
+ # FIXME: More permissions to adjust!?
+}
+
+adjust_permissions
 # Usage: get_credential_pw COMPONENT/ACCOUNT
 function get_credential_pw() {
@@ -315,8 +346,6 @@ systemctl start caddy.service
 # Install local, internal CA certs for caddy
 caddy trust
-systemctl start postgresql.service
-
 # Set up challenger
 challenger-dbconfig
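Review bot: The import block mixes absolute and relative paths: the guard and the final `rm` use `/exported/...`, but every `psql -f` and `cp` line reads `exported/...` relative to the current working directory, so unless the provisioning script happens to run from `/` the restore finds no files. psql also exits 0 after SQL errors unless started with `-v ON_ERROR_STOP=1`, so a failed or partial restore still reaches `rm /exported/import-request` and the request is consumed, and each `rm -rf /var/lib/taler-exchange/secmod-*/*` discards the current key directory before the `cp -r` that is supposed to replace it, so a missing source leaves the exchange without that key material (if the script runs under `set -e`, which the `|| true` in adjust_permissions suggests, `cp` would abort, but only after the deletion). Running `psql` via `sudo -u postgres` additionally requires the postgres user to be able to read the mounted `/exported` tree, which is worth checking against the mount's permissions. The rewrite below uses absolute paths, stops psql on the first error, and verifies each secmod source exists before the old contents are removed.
```shell
if [[ -d /exported && -e /exported/import-request ]]; then
  echo "Import requested"

  # Absolute paths: the working directory of this script is not guaranteed to be /.
  # ON_ERROR_STOP makes psql exit non-zero on the first failing statement instead
  # of continuing with a partially restored database.
  sudo -u postgres psql -v ON_ERROR_STOP=1 taler-exchange -f /exported/taler-exchange/taler-exchange.sql
  sudo -u postgres psql -v ON_ERROR_STOP=1 taler-merchant -f /exported/taler-merchant/taler-merchant.sql
  sudo -u postgres psql -v ON_ERROR_STOP=1 libeufin -f /exported/libeufin/libeufin.sql

  cp /exported/taler-exchange/offline/* /var/lib/taler-exchange/offline/

  for secmod in secmod-eddsa secmod-rsa secmod-cs; do
    # Only discard the current key directory once its replacement is known to exist.
    if [[ ! -d "/exported/taler-exchange/$secmod" ]]; then
      echo "import: missing /exported/taler-exchange/$secmod" >&2
      exit 1
    fi
    rm -rf "/var/lib/taler-exchange/$secmod"/*
    cp -r "/exported/taler-exchange/$secmod"/* "/var/lib/taler-exchange/$secmod/"
  done

  rm /exported/import-request
fi
# … unchanged: adjust_permissions definition and call …
```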