The previous instructions have rotted and no longer work. This aims to fill in the gap of a HelloWorld deployment for CTFE. This is explicitly NOT a guide on how to deploy this in a production setting. This is a docker version of the updated instructions from #1061
1 parent 6924af8, commit 51858e4. Showing 3 changed files with 160 additions and 0 deletions.
@@ -0,0 +1,73 @@ | ||
# Dockerized Test Deployment | ||
|
||
This brings up a CTFE with its own trillian instance and DB server for users to | ||
get a feel for how deploying CTFE works. This is not recommended as a way of | ||
serving production logs! | ||
|
||
## Requirements | ||
|
||
- Docker and Docker Compose Plugin | ||
- go tooling | ||
- git checkouts of: | ||
- github.com/google/trillian | ||
- github.com/google/certificate-transparency-go | ||
|
||
The instructions below assume you've checked out the repositories within | ||
`~/git/`, but if you have them in another location then just use a different | ||
path when you run the command. | ||
|
||
## Deploying | ||
|
||
We will use 2 terminal sessions to the machine you will use for hosting the | ||
docker containers. Each of the code stanzas below will state which terminal to | ||
use. This makes it easier to see output logs and to avoid repeatedly changing | ||
directory. | ||
|
||
First bring up the trillian instance and the database: | ||
|
||
```bash | ||
# Terminal 1 | ||
cd ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/ | ||
docker compose up | ||
``` | ||
|
||
This brings up everything except the CTFE. Now to provision the logs. | ||
|
||
```bash | ||
# Terminal 2 | ||
cd ~/git/trillian/ | ||
docker exec -i ctfe_db_1 mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql | ||
``` | ||
|
||
The CTFE requires some configuration files. First prepare a directory containing | ||
these, and expose it as a docker volume. These instructions prepare this config | ||
at `/tmp/ctfedocker` but if you plan on keeping this test instance alive for | ||
more than a few hours then pick a less temporary location on your filesystem. | ||
|
||
```bash | ||
# Terminal 2 | ||
CTFE_CONF_DIR=/tmp/ctfedocker | ||
mkdir ${CTFE_CONF_DIR} | ||
TREE_ID=$(go run github.com/google/trillian/cmd/createtree@master --admin_server=localhost:8090) | ||
sed "s/@TREE_ID@/$TREE_ID/" ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/ct_server.cfg > ${CTFE_CONF_DIR}/ct_server.cfg | ||
cp ./trillian/testdata/fake-ca.cert ${CTFE_CONF_DIR} | ||
docker volume create --driver local --opt type=none --opt device=${CTFE_CONF_DIR}--opt o=bind ctfe_config | ||
``` | ||
|
||
Now that this configuration is available, you can bring up the CTFE: | ||
|
||
```bash | ||
# Terminal 1 | ||
<Ctrl C> # kill the previous docker compose up command | ||
docker compose --profile frontend up | ||
``` | ||
|
||
This will bring up the whole stack. Assuming there are no errors in the log, | ||
then the following command should return an empty tree head with HTTP status | ||
code 200: | ||
|
||
```bash | ||
# Terminal 2 | ||
curl -i localhost:8080/testlog/ct/v1/get-sth | ||
``` | ||
|
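Review bot: the `docker volume create` line in this hunk is missing a space between `${CTFE_CONF_DIR}` and `--opt o=bind`, so the device becomes `/tmp/ctfedocker--opt` and `o=bind` is parsed as a positional argument; it should read `--opt device=${CTFE_CONF_DIR} --opt o=bind ctfe_config`. Two more problems in the Terminal 2 stanzas: `cp ./trillian/testdata/fake-ca.cert` runs from `~/git/trillian/` (the earlier `cd`), but that file lives in the certificate-transparency-go checkout, so the path should be `~/git/certificate-transparency-go/trillian/testdata/fake-ca.cert`; and `docker exec -i ctfe_db_1` hard-codes a container name whose separator depends on the Compose version in use (the `docker compose` v2 plugin names it `ctfe-db-1` by default), so `docker compose exec -T db mysql -pzaphod -Dtest < ~/git/trillian/storage/mysql/schema/storage.sql`, run from the ctfe directory, would be more robust. Minor: `mkdir ${CTFE_CONF_DIR}` fails on a second run without `-p`, and `createtree@master` pins nothing, so the steps are not reproducible.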
@@ -0,0 +1,15 @@ | ||
config { | ||
log_id: @TREE_ID@ | ||
prefix: "testlog" | ||
roots_pem_file: "/ctfe-config/fake-ca.cert" | ||
public_key: { | ||
der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b" | ||
} | ||
private_key: { | ||
[type.googleapis.com/keyspb.PrivateKey] { | ||
der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xd8\x8a\x49\xa2\x15\x3c\xbe\xb5\xb7\x6c\x63\xdc\xfd\xc0\x36\x64\x24\x88\xc3\x57\x9d\xfa\xd4\xa8\x70\x78\x32\x72\x29\x1a\xb1\x6f\xa1\x44\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b" | ||
} | ||
} | ||
max_merge_delay_sec: 86400 | ||
expected_merge_delay_sec: 120 | ||
} |
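Review bot: `private_key` in this hunk embeds a raw EC private key in a file committed to the repository, so every log brought up by following this guide signs its tree heads with a key that is public knowledge; that is acceptable for a throwaway test log, but the file (or the README beside it) should say so explicitly, and nothing here warns against copying the block into a real deployment. Also, `log_id: @TREE_ID@` is a placeholder, so this file does not parse until the README's `sed` step has substituted it; a `#` comment at the top noting that it is a template would save a confusing error for anyone who mounts it unmodified.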
72 changes: 72 additions & 0 deletions, trillian/examples/deployment/docker/ctfe/docker-compose.yaml
@@ -0,0 +1,72 @@ | ||
version: "3.1" | ||
|
||
services: | ||
db: | ||
image: mariadb | ||
restart: always | ||
environment: | ||
- MYSQL_ROOT_PASSWORD=zaphod | ||
- MYSQL_DATABASE=test | ||
- MYSQL_USER=test | ||
- MYSQL_PASSWORD=zaphod | ||
ports: | ||
- "3306:3306" | ||
healthcheck: | ||
test: mysql --user=$$MYSQL_USER --password=$$MYSQL_PASSWORD --silent --execute "SHOW DATABASES;" | ||
interval: 3s | ||
timeout: 2s | ||
retries: 5 | ||
|
||
trillian-log-server: | ||
image: gcr.io/trillian-opensource-ci/log_server | ||
command: [ | ||
"--storage_system=mysql", | ||
"--mysql_uri=test:zaphod@tcp(db:3306)/test", | ||
"--rpc_endpoint=0.0.0.0:8090", | ||
"--http_endpoint=0.0.0.0:8091", | ||
"--alsologtostderr", | ||
] | ||
restart: always | ||
ports: | ||
- "8090:8090" | ||
- "8091:8091" | ||
depends_on: | ||
- db | ||
|
||
trillian-log-signer: | ||
image: gcr.io/trillian-opensource-ci/log_signer | ||
command: [ | ||
"--storage_system=mysql", | ||
"--mysql_uri=test:zaphod@tcp(db:3306)/test", | ||
"--rpc_endpoint=0.0.0.0:8090", | ||
"--http_endpoint=0.0.0.0:8091", | ||
"--force_master", | ||
"--alsologtostderr", | ||
] | ||
restart: always | ||
ports: | ||
- "8092:8091" | ||
depends_on: | ||
- db | ||
- trillian-log-server | ||
|
||
ctfe: | ||
image: gcr.io/trillian-opensource-ci/ctfe | ||
profiles: ["frontend"] | ||
command: [ | ||
"--log_rpc_server=trillian-log-server:8090", | ||
"--log_config=/ctfe-config/ct_server.cfg", | ||
"--http_endpoint=0.0.0.0:8091", | ||
"--alsologtostderr", | ||
] | ||
restart: always | ||
ports: | ||
- "8080:8091" | ||
volumes: | ||
- ctfe_config:/ctfe-config:ro | ||
depends_on: | ||
- trillian-log-server | ||
|
||
volumes: | ||
ctfe_config: | ||
external: true |
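Review bot: `depends_on` in this hunk uses the short list form, which only orders container startup and never consults the `db` healthcheck defined a few lines above, so `trillian-log-server` (and after it the signer) start before MariaDB accepts connections and rely on `restart: always` to crash-loop until it does; since the healthcheck already exists, use the long form on both trillian services, e.g. `depends_on:` / `  db:` / `    condition: service_healthy`. Two smaller points: `ports: - "3306:3306"` publishes the database, with its fixed `zaphod` credentials, on every host interface although nothing outside the Compose network needs it, so drop the mapping or bind it as `"127.0.0.1:3306:3306"`; and `--force_master` on the signer is correct for exactly one instance but yields competing masters if anyone scales the service, which deserves a comment.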