diff --git a/trillian/examples/deployment/docker/ctfe/README.md b/trillian/examples/deployment/docker/ctfe/README.md
new file mode 100644
index 0000000000..409b51dd2f
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/README.md
@@ -0,0 +1,73 @@
+# Dockerized Test Deployment
+
+This brings up a CTFE with its own trillian instance and DB server for users to
+get a feel for how deploying CTFE works. This is not recommended as a way of
+serving production logs!
+
+## Requirements
+
+- Docker and Docker Compose Plugin
+- go tooling
+- git checkouts of:
+ - github.com/google/trillian
+ - github.com/google/certificate-transparency-go
+
+The instructions below assume you've checked out the repositories within
+`~/git/`, but if you have them in another location then just use a different
+path when you run the command.
+
+## Deploying
+
+We will use 2 terminal sessions to the machine you will use for hosting the
+docker containers. Each of the code stanzas below will state which terminal to
+use. This makes it easier to see output logs and to avoid repeatedly changing
+directory.
+
+First bring up the trillian instance and the database:
+
+```bash
+# Terminal 1
+cd ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/
+docker compose up
+```
+
+This brings up everything except the CTFE. Now to provision the logs.
+
+```bash
+# Terminal 2
+cd ~/git/trillian/
+docker exec -i ctfe_db_1 mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql
+```
+
+The CTFE requires some configuration files. First prepare a directory containing
+these, and expose it as a docker volume. These instructions prepare this config
+at `/tmp/ctfedocker` but if you plan on keeping this test instance alive for
+more than a few hours then pick a less temporary location on your filesystem.
+
+```bash
+# Terminal 2
+CTFE_CONF_DIR=/tmp/ctfedocker
+mkdir ${CTFE_CONF_DIR}
+TREE_ID=$(go run github.com/google/trillian/cmd/createtree@master --admin_server=localhost:8090)
+sed "s/@TREE_ID@/$TREE_ID/" ~/git/certificate-transparency-go/trillian/examples/deployment/docker/ctfe/ct_server.cfg > ${CTFE_CONF_DIR}/ct_server.cfg
+cp ./trillian/testdata/fake-ca.cert ${CTFE_CONF_DIR}
+docker volume create --driver local --opt type=none --opt device=${CTFE_CONF_DIR}--opt o=bind ctfe_config
+```
+
+Now that this configuration is available, you can bring up the CTFE:
+
+```bash
+# Terminal 1
+ # kill the previous docker compose up command
+docker compose --profile frontend up
+```
+
+This will bring up the whole stack. Assuming there are no errors in the log,
+then the following command should return an empty tree head with HTTP status
+code 200:
+
+```bash
+# Terminal 2
+curl -i localhost:8080/testlog/ct/v1/get-sth
+```
+
diff --git a/trillian/examples/deployment/docker/ctfe/ct_server.cfg b/trillian/examples/deployment/docker/ctfe/ct_server.cfg
new file mode 100644
index 0000000000..d16998f261
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/ct_server.cfg
@@ -0,0 +1,15 @@
+config {
+ log_id: @TREE_ID@
+ prefix: "testlog"
+ roots_pem_file: "/ctfe-config/fake-ca.cert"
+ public_key: {
+ der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+ }
+ private_key: {
+ [type.googleapis.com/keyspb.PrivateKey] {
+ der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xd8\x8a\x49\xa2\x15\x3c\xbe\xb5\xb7\x6c\x63\xdc\xfd\xc0\x36\x64\x24\x88\xc3\x57\x9d\xfa\xd4\xa8\x70\x78\x32\x72\x29\x1a\xb1\x6f\xa1\x44\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+ }
+ }
+ max_merge_delay_sec: 86400
+ expected_merge_delay_sec: 120
+}
diff --git a/trillian/examples/deployment/docker/ctfe/docker-compose.yaml b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
new file mode 100644
index 0000000000..e951dd86f2
--- /dev/null
+++ b/trillian/examples/deployment/docker/ctfe/docker-compose.yaml
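Review bot: The `private_key` block in ct_server.cfg embeds an unencrypted log signing key (the DER carries the EC P-256 OIDs) inline, and nothing in the file marks it as a test-only key. The README's `sed` step copies this file unchanged apart from `@TREE_ID@` into the running CTFE's config, so a log started from this example signs its tree heads with a key that is public in the repository. A comment above `private_key:` would make that explicit, for example `# TEST KEY ONLY: this key is published in the repo; generate and substitute your own before exposing the log to anyone else.` The same caveat applies to `roots_pem_file`, which points at `fake-ca.cert`.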
@@ -0,0 +1,72 @@
+version: "3.1"
+
+services:
+ db:
+ image: mariadb
+ restart: always
+ environment:
+ - MYSQL_ROOT_PASSWORD=zaphod
+ - MYSQL_DATABASE=test
+ - MYSQL_USER=test
+ - MYSQL_PASSWORD=zaphod
+ ports:
+ - "3306:3306"
+ healthcheck:
+ test: mysql --user=$$MYSQL_USER --password=$$MYSQL_PASSWORD --silent --execute "SHOW DATABASES;"
+ interval: 3s
+ timeout: 2s
+ retries: 5
+
+ trillian-log-server:
+ image: gcr.io/trillian-opensource-ci/log_server
+ command: [
+ "--storage_system=mysql",
+ "--mysql_uri=test:zaphod@tcp(db:3306)/test",
+ "--rpc_endpoint=0.0.0.0:8090",
+ "--http_endpoint=0.0.0.0:8091",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8090:8090"
+ - "8091:8091"
+ depends_on:
+ - db
+
+ trillian-log-signer:
+ image: gcr.io/trillian-opensource-ci/log_signer
+ command: [
+ "--storage_system=mysql",
+ "--mysql_uri=test:zaphod@tcp(db:3306)/test",
+ "--rpc_endpoint=0.0.0.0:8090",
+ "--http_endpoint=0.0.0.0:8091",
+ "--force_master",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8092:8091"
+ depends_on:
+ - db
+ - trillian-log-server
+
+ ctfe:
+ image: gcr.io/trillian-opensource-ci/ctfe
+ profiles: ["frontend"]
+ command: [
+ "--log_rpc_server=trillian-log-server:8090",
+ "--log_config=/ctfe-config/ct_server.cfg",
+ "--http_endpoint=0.0.0.0:8091",
+ "--alsologtostderr",
+ ]
+ restart: always
+ ports:
+ - "8080:8091"
+ volumes:
+ - ctfe_config:/ctfe-config:ro
+ depends_on:
+ - trillian-log-server
+
+volumes:
+ ctfe_config:
+ external: true
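Review bot: Every `ports:` entry here publishes on all host interfaces, so the MariaDB listener (`"3306:3306"`, with the password `zaphod` set in the same file) and the Trillian RPC endpoint that the README uses as `--admin_server` (`"8090:8090"`) are reachable from the host's network, not just from the machine running the example. The README only ever talks to `localhost`, so binding to loopback keeps the walkthrough working: `- "127.0.0.1:3306:3306"`, `- "127.0.0.1:8090:8090"`, and likewise for 8091, 8092 and 8080. The `db` port mapping could probably be dropped altogether, since the other services reach it as `db:3306` and the README provisions it through `docker exec`. Separately, all four `image:` values carry no tag or digest, so each `docker compose up` may pull different code; pinning a tag would make the example reproducible. `restart: always` also keeps these listeners up across reboots, which is worth a comment in a file meant for short-lived tests.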