
manifest: Commit

A service to replicate and serve requests for site configurations based on site ID, public IP, and the on-site lead contact's OTP.


Commit MetaInfo

Revisionbb055c8af410cee38fe1577a58b4dfca5ae70822 (tree)
Time2021-10-12 22:55:11
AuthorS. Seago <sseago-dev@proj...>
CommiterS. Seago

Log Message

Add IPFS w/ SSL. Wrangle with formatting.

Change Summary

Incremental Difference

diff -r de5e52ccc088 -r bb055c8af410 container/Docker Notes.adoc
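--- a/container/Docker Notes.adoc Tue Oct 12 08:31:58 2021 -0500
+++ b/container/Docker Notes.adoc Tue Oct 12 08:55:11 2021 -0500
@@ -1,8 +1,14 @@
+:source-highlighter: CodeRay
+
+
 == Docker Notes
 
+
 === PXE Server
 :source: https://github.com/particleKIT/pxe-docker/blob/master/Dockerfile
 
+[source, Dockerfile]
+---
 FROM httpd
 
 RUN apt-get update && apt-get upgrade -y && apt-get install -y \
@@ -17,4 +23,127 @@
 ADD init.sh /
 
 CMD ["/init.sh"]
+---
 
+
+=== IPFS w/ SSL on Debian Buster
+:source: https://github.com/ipfs/go-ipfs/blob/master/Dockerfile
+
+[source, Dockerfile]
+---
+# Note: when updating the go minor version here, also update the go-channel in snap/snapcraft.yml
+FROM golang:1.16.7-buster
+LABEL maintainer="Steven Allen <steven@stebalien.com>"
+
+# Install deps
+RUN apt-get update && apt-get install -y \
+ libssl-dev \
+ ca-certificates \
+ fuse
+
+ENV SRC_DIR /go-ipfs
+
+# Download packages first so they can be cached.
+COPY go.mod go.sum $SRC_DIR/
+RUN cd $SRC_DIR \
+ && go mod download
+
+COPY . $SRC_DIR
+
+# Preload an in-tree but disabled-by-default plugin by adding it to the IPFS_PLUGINS variable
+# e.g. docker build --build-arg IPFS_PLUGINS="foo bar baz"
+ARG IPFS_PLUGINS
+
+# Build the thing.
+# Also: fix getting HEAD commit hash via git rev-parse.
+RUN cd $SRC_DIR \
+ && mkdir -p .git/objects \
+ && make build GOTAGS=openssl IPFS_PLUGINS=$IPFS_PLUGINS
+
+# Get su-exec, a very minimal tool for dropping privileges,
+# and tini, a very minimal init daemon for containers
+ENV SUEXEC_VERSION v0.2
+ENV TINI_VERSION v0.19.0
+RUN set -eux; \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ case "${dpkgArch##*-}" in \
+ "amd64" | "armhf" | "arm64") tiniArch="tini-static-$dpkgArch" ;;\
+ *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \
+ esac; \
+ cd /tmp \
+ && git clone https://github.com/ncopa/su-exec.git \
+ && cd su-exec \
+ && git checkout -q $SUEXEC_VERSION \
+ && make su-exec-static \
+ && cd /tmp \
+ && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/$tiniArch \
+ && chmod +x tini
+
+# Now comes the actual target image, which aims to be as small as possible.
+FROM busybox:1.31.1-glibc
+LABEL maintainer="Steven Allen <steven@stebalien.com>"
+
+# Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
+ENV SRC_DIR /go-ipfs
+COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
+COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
+COPY --from=0 /tmp/su-exec/su-exec-static /sbin/su-exec
+COPY --from=0 /tmp/tini /sbin/tini
+COPY --from=0 /bin/fusermount /usr/local/bin/fusermount
+COPY --from=0 /etc/ssl/certs /etc/ssl/certs
+
+# Add suid bit on fusermount so it will run properly
+RUN chmod 4755 /usr/local/bin/fusermount
+
+# Fix permissions on start_ipfs (ignore the build machine's permissions)
+RUN chmod 0755 /usr/local/bin/start_ipfs
+
+# This shared lib (part of glibc) doesn't seem to be included with busybox.
+COPY --from=0 /lib/*-linux-gnu*/libdl.so.2 /lib/
+
+# Copy over SSL libraries.
+COPY --from=0 /usr/lib/*-linux-gnu*/libssl.so* /usr/lib/
+COPY --from=0 /usr/lib/*-linux-gnu*/libcrypto.so* /usr/lib/
+
+# Swarm TCP; should be exposed to the public
+EXPOSE 4001
+# Swarm UDP; should be exposed to the public
+EXPOSE 4001/udp
+# Daemon API; must not be exposed publicly but to client services under you control
+EXPOSE 5001
+# Web Gateway; can be exposed publicly with a proxy, e.g. as https://ipfs.example.org
+EXPOSE 8080
+# Swarm Websockets; must be exposed publicly when the node is listening using the websocket transport (/ipX/.../tcp/8081/ws).
+EXPOSE 8081
+
+# Create the fs-repo directory and switch to a non-privileged user.
+ENV IPFS_PATH /data/ipfs
+RUN mkdir -p $IPFS_PATH \
+ && adduser -D -h $IPFS_PATH -u 1000 -G users ipfs \
+ && chown ipfs:users $IPFS_PATH
+
+# Create mount points for `ipfs mount` command
+RUN mkdir /ipfs /ipns \
+ && chown ipfs:users /ipfs /ipns
+
+# Expose the fs-repo as a volume.
+# start_ipfs initializes an fs-repo if none is mounted.
+# Important this happens after the USER directive so permissions are correct.
+VOLUME $IPFS_PATH
+
+# The default logging level
+ENV IPFS_LOGGING ""
+
+# This just makes sure that:
+# 1. There's an fs-repo, and initializes one if there isn't.
+# 2. The API and Gateway are accessible from outside the container.
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
+
+# Heathcheck for the container
+# QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is the CID of empty folder
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+ CMD ipfs dag stat /ipfs/QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn || exit 1
+
+# Execute the daemon subcommand by default
+CMD ["daemon", "--migrate=true"]
+---
\ No newline at end of file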