From 51858e46a14aeb29aee2148966e749dc1dd03142 Mon Sep 17 00:00:00 2001
From: Martin Hutchinson
Date: Tue, 25 Apr 2023 11:05:26 +0000
Subject: [PATCH 1/4] Docker compose config for demo CTFE

The previous instructions have rotted and no longer work. This aims to fill in the gap of a HelloWorld deployment for CTFE. This is explicitly NOT a guide on how to deploy this in a production setting. This is a docker version of the updated instructions from #1061

---
 .../examples/deployment/docker/ctfe/README.md | 73 +++++++++++++++++++
 .../deployment/docker/ctfe/ct_server.cfg | 15 ++++
 .../docker/ctfe/docker-compose.yaml | 72 ++++++++++++++++++
 3 files changed, 160 insertions(+)
 create mode 100644 trillian/examples/deployment/docker/ctfe/README.md
 create mode 100644 trillian/examples/deployment/docker/ctfe/ct_server.cfg
 create mode 100644 trillian/examples/deployment/docker/ctfe/docker-compose.yaml

diff --git a/trillian/examples/deployment/docker/ctfe/README.md b/trillian/examples/deployment/docker/ctfe/README.md
new file mode 100644
index 0000000000..409b51dd2f
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/README.md
@@ -0,0 +1,73 @@
+# Dockerized Test Deployment
+
+This brings up a CTFE with its own trillian instance and DB server for users to
+get a feel for how deploying CTFE works. This is not recommended as a way of
+serving production logs!
+
+## Requirements
+
+- Docker and Docker Compose Plugin
+- go tooling
+- git checkouts of:
+ - github.com/google/trillian
+ - github.com/google/certificate-transparency-go
+
+The instructions below assume you've checked out the repositories within
+`~/git/`, but if you have them in another location then just use a different
+path when you run the command.
+
+## Deploying
+
+We will use 2 terminal sessions to the machine you will use for hosting the
+docker containers. Each of the code stanzas below will state which terminal to
+use. This makes it easier to see output logs and to avoid repeatedly changing
+directory.
+
+First bring up the trillian instance and the database:
+
+```bash
+# Terminal 1
+cd ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/
+docker compose up
+```
+
+This brings up everything except the CTFE. Now to provision the logs.
+
+```bash
+# Terminal 2
+cd ~/git/trillian/
+docker exec -i ctfe_db_1 mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql
+```
+
+The CTFE requires some configuration files. First prepare a directory containing
+these, and expose it as a docker volume. These instructions prepare this config
+at `/tmp/ctfedocker` but if you plan on keeping this test instance alive for
+more than a few hours then pick a less temporary location on your filesystem.
+
+```bash
+# Terminal 2
+CTFE_CONF_DIR=/tmp/ctfedocker
+mkdir ${CTFE_CONF_DIR}
+TREE_ID=$(go run github.com/google/trillian/cmd/createtree@master --admin_server=localhost:8090)
+sed "s/@TREE_ID@/$TREE_ID/" ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/ct_server.cfg > ${CTFE_CONF_DIR}/ct_server.cfg
+cp ./trillian/testdata/fake-ca.cert ${CTFE_CONF_DIR}
+docker volume create --driver local --opt type=none --opt device=${CTFE_CONF_DIR}--opt o=bind ctfe_config
+```
+
+Now that this configuration is available, you can bring up the CTFE:
+
+```bash
+# Terminal 1
+ # kill the previous docker compose up command
+docker compose --profile frontend up
+```
+
+This will bring up the whole stack. Assuming there are no errors in the log,
+then the following command should return an empty tree head with HTTP status
+code 200:
+
+```bash
+# Terminal 2
+curl -i localhost:8080/testlog/ct/v1/get-sth
+```
+
diff --git a/trillian/examples/deployment/docker/ctfe/ct_server.cfg b/trillian/examples/deployment/docker/ctfe/ct_server.cfg
new file mode 100644
index 0000000000..d16998f261
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/ct_server.cfg
@@ -0,0 +1,15 @@
+config {
+ log_id: @TREE_ID@
+ prefix: "testlog"
+ roots_pem_file: "/ctfe-config/fake-ca.cert"
+ public_key: {
+ der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+ }
+ private_key: {
+ [type.googleapis.com/keyspb.PrivateKey] {
+ der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xd8\x8a\x49\xa2\x15\x3c\xbe\xb5\xb7\x6c\x63\xdc\xfd\xc0\x36\x64\x24\x88\xc3\x57\x9d\xfa\xd4\xa8\x70\x78\x32\x72\x29\x1a\xb1\x6f\xa1\x44\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+ }
+ }
+ max_merge_delay_sec: 86400
+ expected_merge_delay_sec: 120
+}
diff --git a/trillian/examples/deployment/docker/ctfe/docker-compose.yaml b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
new file mode 100644
index 0000000000..e951dd86f2
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
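Review bot: The `private_key` block of the new ct_server.cfg embeds the log's signing key as a literal DER string in a file checked into the repository, and nothing in the file itself marks it as a throwaway demo key; the README says so, but the README's `sed` step copies this file on its own into the config volume, where the caveat no longer travels with it. A leading textproto comment would, e.g. `# Demo-only CTFE log config: the private key below is public in this repository, so it must never back a log anyone relies on; generate a fresh key pair for anything beyond this walkthrough.` A second comment explaining the placeholder, e.g. `# @TREE_ID@ is replaced with the tree ID printed by createtree (see README.md).`, would stop readers from feeding the unsubstituted file to the CTFE.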
@@ -0,0 +1,72 @@
+version: "3.1"
+
+services:
+ db:
+ image: mariadb
+ restart: always
+ environment:
+ - MYSQL_ROOT_PASSWORD=zaphod
+ - MYSQL_DATABASE=test
+ - MYSQL_USER=test
+ - MYSQL_PASSWORD=zaphod
+ ports:
+ - "3306:3306"
+ healthcheck:
+ test: mysql --user=$$MYSQL_USER --password=$$MYSQL_PASSWORD --silent --execute "SHOW DATABASES;"
+ interval: 3s
+ timeout: 2s
+ retries: 5
+
+ trillian-log-server:
+ image: gcr.io/trillian-opensource-ci/log_server
+ command: [
+ "--storage_system=mysql",
+ "--mysql_uri=test:zaphod@tcp(db:3306)/test",
+ "--rpc_endpoint=0.0.0.0:8090",
+ "--http_endpoint=0.0.0.0:8091",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8090:8090"
+ - "8091:8091"
+ depends_on:
+ - db
+
+ trillian-log-signer:
+ image: gcr.io/trillian-opensource-ci/log_signer
+ command: [
+ "--storage_system=mysql",
+ "--mysql_uri=test:zaphod@tcp(db:3306)/test",
+ "--rpc_endpoint=0.0.0.0:8090",
+ "--http_endpoint=0.0.0.0:8091",
+ "--force_master",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8092:8091"
+ depends_on:
+ - db
+ - trillian-log-server
+
+ ctfe:
+ image: gcr.io/trillian-opensource-ci/ctfe
+ profiles: ["frontend"]
+ command: [
+ "--log_rpc_server=trillian-log-server:8090",
+ "--log_config=/ctfe-config/ct_server.cfg",
+ "--http_endpoint=0.0.0.0:8091",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8080:8091"
+ volumes:
+ - ctfe_config:/ctfe-config:ro
+ depends_on:
+ - trillian-log-server
+
+volumes:
+ ctfe_config:
+ external: true

From 5f143877ee8168fc399984b53326aa8172975d4f Mon Sep 17 00:00:00 2001
From: Martin Hutchinson
Date: Tue, 25 Apr 2023 11:25:51 +0000
Subject: [PATCH 2/4] Use ctclient instead of curl

---
 trillian/examples/deployment/docker/ctfe/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/trillian/examples/deployment/docker/ctfe/README.md b/trillian/examples/deployment/docker/ctfe/README.md
index 409b51dd2f..e7ef761ee1 100644
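Review bot: The `ports: - "3306:3306"` mapping on the `db` service publishes MariaDB, with the fixed `zaphod` root and user passwords set a few lines above it, on every interface of the host, yet nothing in the series reaches the database from the host: the README loads the schema through `docker exec`, and trillian connects over the compose network at `db:3306`. Dropping the mapping, or binding it to loopback with `- "127.0.0.1:3306:3306"`, keeps the walkthrough working without offering a known-password database to the whole LAN; the `8090`–`8092` mappings could take the same loopback prefix, since the README only ever talks to `localhost:8090`. Separately, the `healthcheck` on `db` is never consumed: `trillian-log-server` and `trillian-log-signer` use the short `depends_on` form, so they start before MariaDB accepts connections and lean on `restart: always` to recover, whereas `depends_on: {db: {condition: service_healthy}}` would wait for the check (the Docker Compose plugin the README requires honours that form regardless of the `version` key, as far as I know).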
--- a/trillian/examples/deployment/docker/ctfe/README.md
+++ b/trillian/examples/deployment/docker/ctfe/README.md
@@ -63,11 +63,11 @@ docker compose --profile frontend up
 ```
 
 This will bring up the whole stack. Assuming there are no errors in the log,
-then the following command should return an empty tree head with HTTP status
-code 200:
+then the following command should return tree head for tree size 0.
 
 ```bash
 # Terminal 2
-curl -i localhost:8080/testlog/ct/v1/get-sth
+cd ~/git/certificate-transparency-go
+go run ./client/ctclient get-sth --log_uri http://localhost:8080/testlog
 ```
 

From 59f66226f77b6c2b345af69efa61cb3bbcee06be Mon Sep 17 00:00:00 2001
From: Roger Ng
Date: Mon, 1 May 2023 05:09:53 +0800
Subject: [PATCH 3/4] Add container_name for ctfe-db in docker-compose.yaml

---
 trillian/examples/deployment/docker/ctfe/docker-compose.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/trillian/examples/deployment/docker/ctfe/docker-compose.yaml b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
index e951dd86f2..e2db6c2d0c 100644
--- a/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
+++ b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
@@ -2,6 +2,7 @@ version: "3.1"
 
 services:
 db:
+ container_name: ctfe-db
 image: mariadb
 restart: always
 environment:

From 889dc92c87e6761ed3f7aeabb6a91c8a05734fc4 Mon Sep 17 00:00:00 2001
From: Roger Ng
Date: Mon, 1 May 2023 05:10:59 +0800
Subject: [PATCH 4/4] Update ctfe-db container name in README.md

---
 trillian/examples/deployment/docker/ctfe/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/trillian/examples/deployment/docker/ctfe/README.md b/trillian/examples/deployment/docker/ctfe/README.md
index e7ef761ee1..54811aedbe 100644
--- a/trillian/examples/deployment/docker/ctfe/README.md
+++ b/trillian/examples/deployment/docker/ctfe/README.md
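Review bot: `container_name: ctfe-db` in the PATCH 3/4 hunk pins the container name so the README's `docker exec -i ctfe-db …` resolves, but a fixed name means a second copy of this stack on the same host, or one started under another `docker compose -p` project name, fails on a name clash. The README could instead address the service through compose, `docker compose exec -T db mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql` (run from the compose directory, or with `-f`), which needs no fixed name. If the name stays, a one-line comment such as `# fixed name so the README's docker exec step can find the DB` would explain why only this service carries one.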
@@ -36,7 +36,7 @@ This brings up everything except the CTFE. Now to provision the logs.
 ```bash
 # Terminal 2
 cd ~/git/trillian/
-docker exec -i ctfe_db_1 mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql
+docker exec -i ctfe-db mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql
 ```
 
 The CTFE requires some configuration files. First prepare a directory containing
@@ -51,7 +51,7 @@ mkdir ${CTFE_CONF_DIR}
 TREE_ID=$(go run github.com/google/trillian/cmd/createtree@master --admin_server=localhost:8090)
 sed "s/@TREE_ID@/$TREE_ID/" ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/ct_server.cfg > ${CTFE_CONF_DIR}/ct_server.cfg
 cp ./trillian/testdata/fake-ca.cert ${CTFE_CONF_DIR}
-docker volume create --driver local --opt type=none --opt device=${CTFE_CONF_DIR}--opt o=bind ctfe_config
+docker volume create --driver local --opt type=none --opt device=${CTFE_CONF_DIR} --opt o=bind ctfe_config
 ```
 
 Now that this configuration is available, you can bring up the CTFE: