authorQuentin Dufour <quentin@deuxfleurs.fr>2020-06-02 12:26:41 +0200
committerQuentin Dufour <quentin@deuxfleurs.fr>2020-06-02 12:26:41 +0200
commitd13352910d3c352d07d7e482bc87227ce88bdb22 (patch)
tree0c7c07a1f9e8a03f54dd58c1ebf8c05693234757
parenta2e1f61cf8b70f0e63fc6f8eddbbcf0477263f8f (diff)
Add upgrade documentation
-rw-r--r--docker/README.md8
-rw-r--r--docker/bckp/README.md27
-rw-r--r--docker/bckp/kv_to_s3.go83
-rw-r--r--docker/bckp/sodium.go35
-rw-r--r--docker/docker-compose.yml14
-rw-r--r--docker/matrix-synapse/Dockerfile3
-rw-r--r--docker/matrix-synapse/README.md3
-rw-r--r--docker/riotweb/Dockerfile10
-rw-r--r--docker/riotweb/README.md4
9 files changed, 28 insertions, 159 deletions
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..a877cfa
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,8 @@
+## How to upgrade our packaged apps to a new version?
+
+ 1. Edit `docker-compose.yml`
+ 2. Change the `VERSION` variable to the desired version
+ 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
+ 4. Run `docker-compose build`
+ 5. Run `docker-compose push`
+ 6. Done
diff --git a/docker/bckp/README.md b/docker/bckp/README.md
deleted file mode 100644
index 2ba9079..0000000
--- a/docker/bckp/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-Install dependencies:
-
-```
-GOBIN=$GOPATH/bin go get .
-```
-
-Run:
-
-```
-go run ./kv_to_s3.go
-```
-
-
-## Scratchpad
-
- - https://golang.org/pkg/crypto/cipher/ --> c'est pas clé en main, c'est soit streaming soit authentication
- - https://www.imperialviolet.org/2014/06/27/streamingencryption.html --> gpg ne fait pas l'authentication correctement
- - https://github.com/FiloSottile/age --> age fait de l'authentication et du streaming
- - https://rclone.org/crypt/ --> rclone fait de l'auth+streaming de la même manière que age mais avec un format de fichier différent (stockage du nonce, infos sur les algos utilisés)
- - https://neilmadden.blog/2019/12/30/a-few-comments-on-age/ --> une critique plutôt négative de age qui ne me donne pas envie de l'utiliser, pas plus que rclone du coup
- - https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
- --> cité par l'article précédent, je ne comprends pas trop mais je crois que pas simple
- - https://godoc.org/golang.org/x/crypto/nacl/box --> du coup je pense me limiter à un lib très reconnue comme nacl/sodium, si possible une implem officielle. Mais là pas de streaming, à nous de chunker et de gérer la rotation des nonces
- - Est ce qu'on a besoin d'authentication ?
- - Oui en fait il y a plein d'attaques apparemment
- - https://blog.minio.io/data-at-rest-encryption-done-right-7446c644ddb6 --> Minio a sa solution mais elle a des requirements bizarres (une clé par fichier, il faut donc un HKDF)
- - https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html --> AES GCM SIV does not break crypto if you reuse nonces (but you should still try to supply unique ones to have different cipher if you encode the same plaintext twice)
diff --git a/docker/bckp/kv_to_s3.go b/docker/bckp/kv_to_s3.go
deleted file mode 100644
index 5b629b8..0000000
--- a/docker/bckp/kv_to_s3.go
+++ /dev/null
@@ -1,83 +0,0 @@
-package main
-import (
- "github.com/hashicorp/consul/api"
- "errors"
- "log"
- "fmt"
- "os"
- "encoding/base64"
- /*"github.com/aws/aws-sdk-go/service/s3"*/
-)
-
-const consul_addr string = "KV2S3_CONSUL_ADDR"
-const enc_key string = "KV2S3_ENC_KEY"
-
-const key_exp_bits int = 256
-const key_exp_bytes int = key_exp_bits / 8
-
-func errIsPanic(err error, format string, a ...interface{}) {
- if err != nil {
- log.Panicf(format, a...)
- }
-}
-
-func absentIsErr(present bool) error {
- if !present {
- return errors.New("Environement variable is not set.")
- }
- return nil
-}
-
-func main() {
- log.Println("starting consul kv backup...")
-
- //--- Ask Consul to Snapshot our KV
- var present bool
- conf := api.DefaultConfig()
- conf.Address, present = os.LookupEnv(consul_addr)
- err := absentIsErr(present)
- errIsPanic(err, "%v env required. %v", consul_addr, err)
- //@FIXME add later support for HTTPS
-
- options := api.QueryOptions {
- // Prevent from backuping forever silently a desynchronized node
- AllowStale: false,
- }
-
- consul, err := api.NewClient(conf)
- errIsPanic(err, "Unable to build a new client. %v", err)
-
- reader, _, err := consul.Snapshot().Save(&options)
- defer reader.Close()
- errIsPanic(err, "Snapshot failed. %v", err)
-
- //--- Get encryption key and check it
- b64_key, present := os.LookupEnv(enc_key)
- err = absentIsErr(present)
- errIsPanic(err, "%v env required. %v", enc_key, err)
- raw_key, err := base64.StdEncoding.DecodeString(b64_key)
- errIsPanic(err, "Unable to decode base64 key. %v", err)
-
- err = nil
- key_size_bytes := len(raw_key)
- key_size_bits := key_size_bytes
-
- if key_size_bytes != key_exp_bytes {
- msg := fmt.Sprintf(
- "Key size is %d bits (%d bytes) instead of %d bits (%d bytes).",
- key_size_bits,
- key_size_bytes,
- key_exp_bits,
- key_exp_bytes)
-
- err = errors.New(msg)
- }
- errIsPanic(err, "We deliberately support only 256 bits (32 bytes) keys. %v", err)
-
- //--- Encryption
- // Not a simple thing to do it in a streaming manner - is it only a good idea?
- // https://neilmadden.blog/2019/12/30/a-few-comments-on-age/
- // https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
-
-
-}
diff --git a/docker/bckp/sodium.go b/docker/bckp/sodium.go
deleted file mode 100644
index a4f25b4..0000000
--- a/docker/bckp/sodium.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package main
-
-/*
-#cgo CFLAGS: -g -Wall
-#cgo LDFLAGS: -lsodium
-#include <sodium.h>
-*/
-import "C"
-import "log"
-
-const block_size int = 16 * 1024 // 16 KiB
-
-func main() {
- log.Println("Test cgo")
- ret := C.sodium_init()
- if ret < 0 {
- log.Panic("Failed to init sodium.")
- }
- //unsigned char array as requested
- var key [C.crypto_secretstream_xchacha20poly1305_KEYBYTES]C.uchar
- C.crypto_secretstream_xchacha20poly1305_keygen(&key[0])
-
- var state C.crypto_secretstream_xchacha20poly1305_state
- var header [C.crypto_secretstream_xchacha20poly1305_HEADERBYTES]C.uchar
-
- C.crypto_secretstream_xchacha20poly1305_init_push(&state, &header[0], &key[0])
- log.Print("key", key)
- log.Print("header", header)
-
- var plain [block_size]C.uchar
- var c1 [block_size + C.crypto_secretstream_xchacha20poly1305_ABYTES]C.uchar
-
- C.crypto_secretstream_xchacha20poly1305_push(&state, &c1[0], nil, &plain[0], C.ulonglong(len(plain)), nil, 0, 0)
- log.Print("c1", c1)
-}
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..6f351ec
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3.4'
+services:
+ riot:
+ build:
+ context: ./riotweb
+ args:
+ VERSION: 1.6.2
+ image: superboum/amd64_riotweb:v11
+ synapse:
+ build:
+ context: ./matrix-synapse
+ args:
+ VERSION: 1.14.0
+ image: superboum/amd64_synapse:v29
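Review bot: The two `VERSION` build args are unquoted YAML scalars; `1.6.2` and `1.14.0` are read as strings only because they are not valid numbers, so a future two-component version such as `1.10` would be parsed as the float 1.1 and the Dockerfiles would fetch the wrong release. Quoting the values makes the type explicit and independent of the digit pattern: `VERSION: "1.6.2"` and `VERSION: "1.14.0"`.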
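--- a/docker/matrix-synapse/Dockerfile
+++ b/docker/matrix-synapse/Dockerfile
@@ -1,7 +1,6 @@
 FROM amd64/debian:buster as builder
-ENV VERSION 1.12.4
-
+ARG VERSION
 RUN apt-get update && \
 apt-get -qq -y full-upgrade && \
 apt-get install -y \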
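Review bot: The new `ARG VERSION` has no default, so a `docker build` run without `--build-arg VERSION=...` leaves `$VERSION` empty wherever the rest of this Dockerfile expands it, whereas the removed `ENV VERSION 1.12.4` always carried a value; the same applies to `ARG VERSION` in docker/riotweb/Dockerfile. A guard directly after the declaration turns the omission into an immediate, readable failure: `RUN test -n "$VERSION" || (echo "VERSION build arg is required" && exit 1)`. Note also that an `ARG` declared in the builder stage is scoped to that stage and, unlike the removed `ENV`, is not present in the final image, so if a later stage or the running container reads `$VERSION` it will need its own `ARG`/`ENV` declaration. The `RUN` instruction and the remaining stages continue outside the hunk.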
diff --git a/docker/matrix-synapse/README.md b/docker/matrix-synapse/README.md
deleted file mode 100644
index 1782101..0000000
--- a/docker/matrix-synapse/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-```
-docker build -t superboum/amd64_synapse:v28 .
-```
diff --git a/docker/riotweb/Dockerfile b/docker/riotweb/Dockerfile
index fc0bae9..862e2e5 100644
--- a/docker/riotweb/Dockerfile
+++ b/docker/riotweb/Dockerfile
@@ -1,13 +1,13 @@
-FROM amd64/debian:stretch as builder
+FROM amd64/debian:buster as builder
+ARG VERSION
WORKDIR /root
-ENV VERSION v1.6.0
RUN apt-get update && \
apt-get install -y wget && \
- wget https://github.com/vector-im/riot-web/releases/download/${VERSION}/riot-${VERSION}.tar.gz && \
- tar xf riot-${VERSION}.tar.gz && \
- mv riot-${VERSION}/ riot/
+ wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \
+ tar xf riot-v${VERSION}.tar.gz && \
+ mv riot-v${VERSION}/ riot/
FROM superboum/amd64_webserver:v3
COPY --from=builder /root/riot /srv/http
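Review bot: The rewritten `wget` line still unpacks the release tarball with no integrity check, so the image content is whatever the URL serves at build time; since the commit is already editing these lines, pin the expected digest per `VERSION` before `tar` runs: `wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && echo "<EXPECTED_SHA256_PLACEHOLDER>  riot-v${VERSION}.tar.gz" | sha256sum -c - && tar xf riot-v${VERSION}.tar.gz`. That also makes the README's "change `VERSION`" step a deliberate two-value update (version plus digest) rather than a silent swap of the downloaded artifact. The base image move from stretch to buster in the same hunk is unrelated to this and looks fine.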
diff --git a/docker/riotweb/README.md b/docker/riotweb/README.md
deleted file mode 100644
index 150fd51..0000000
--- a/docker/riotweb/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-```
-sudo docker build -t superboum/amd64_riotweb:v10 .
-sudo docker push superboum/amd64_riotweb:v10
-```