Diffstat (limited to 'bin')
-rwxr-xr-x | bin/base/build_base_images.sh | 48 | ||||
-rw-r--r-- | bin/base/openssldockerfile | 69 | ||||
-rw-r--r-- | bin/base/xenialdockerfile | 102 | ||||
-rwxr-xr-x | bin/caservicecontainer/dockerfile | 5 | ||||
-rw-r--r-- | bin/distcenter/Dockerfile | 7 | ||||
-rw-r--r-- | bin/distcenter/README.md | 17 | ||||
-rw-r--r-- | bin/distcenter/README.txt | 33 | ||||
-rwxr-xr-x | bin/distcenter/entrypoint.sh | 36 |
8 files changed, 280 insertions, 37 deletions
diff --git a/bin/base/build_base_images.sh b/bin/base/build_base_images.sh
new file mode 100755
index 0000000..b6f8783
--- /dev/null
+++ b/bin/base/build_base_images.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+DIRNAME=`dirname $0`
+DOCKER_BUILD_DIR=`cd $DIRNAME/; pwd`
+echo "DOCKER_BUILD_DIR=${DOCKER_BUILD_DIR}"
+cd ${DOCKER_BUILD_DIR}
+
+BUILD_ARGS="--no-cache"
+ORG="onap"
+VERSION="3.0.0"
+PROJECT="aaf"
+IMAGE="aaf-base"
+DOCKER_REPOSITORY="nexus3.onap.org:10003"
+IMAGE_NAME_XENIAL="${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/${IMAGE}-xenial"
+IMAGE_NAME_OPENSSL_110="${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/${IMAGE}-openssl_1.1.0"
+TIMESTAMP=$(date +"%Y%m%dT%H%M%S")
+
+if [ $HTTP_PROXY ]; then
+ BUILD_ARGS+=" --build-arg HTTP_PROXY=${HTTP_PROXY}"
+fi
+if [ $HTTPS_PROXY ]; then
+ BUILD_ARGS+=" --build-arg HTTPS_PROXY=${HTTPS_PROXY}"
+fi
+echo $BUILD_ARGS
+
+function build_image {
+ echo "Start build docker image: ${IMAGE_NAME_XENIAL}:latest"
+ docker build ${BUILD_ARGS} -t ${IMAGE_NAME_XENIAL}:latest -f xenialdockerfile .
+ echo "Start build docker image: ${IMAGE_NAME_OPENSSL_110}:latest"
+ docker build ${BUILD_ARGS} -t ${IMAGE_NAME_OPENSSL_110}:latest -f openssldockerfile .
+}
+
+function push_image {
+ echo "Start push ${IMAGE_NAME_XENIAL}:latest"
+ docker push ${IMAGE_NAME_XENIAL}:latest
+ echo "Start push ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest"
+ docker tag ${IMAGE_NAME_XENIAL}:latest ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest
+ docker push ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest
+ echo "Start push ${IMAGE_NAME_OPENSSL_110}:latest"
+ docker push ${IMAGE_NAME_OPENSSL_110}:latest
+ echo "Start push ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest"
+ docker tag ${IMAGE_NAME_OPENSSL_110}:latest ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest
+ docker push ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest
+
+}
+
+build_image
+push_image
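Review bot: `if [ $HTTP_PROXY ]; then` (and the HTTPS twin) and the `docker build ${BUILD_ARGS} -t ${IMAGE_NAME_XENIAL}:latest ...` lines expand variables unquoted, so a proxy value containing whitespace turns the test into a syntax error and is word-split before it reaches docker. Since the script is already bash, quote the test as `if [ -n "$HTTP_PROXY" ]; then` and keep the arguments in an array: `BUILD_ARGS=(--no-cache)`, `BUILD_ARGS+=(--build-arg "HTTP_PROXY=${HTTP_PROXY}")`, `docker build "${BUILD_ARGS[@]}" -t "${IMAGE_NAME_XENIAL}:latest" -f xenialdockerfile .`. `echo $BUILD_ARGS` writes the full proxy URLs to the build log, which will expose any user:password embedded in them on a CI server; print only the flag names or drop the line. `TIMESTAMP` is assigned but never used, and `` DIRNAME=`dirname $0` `` reads better as `DIRNAME=$(dirname "$0")`.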
diff --git a/bin/base/openssldockerfile b/bin/base/openssldockerfile
new file mode 100644
index 0000000..2607473
--- /dev/null
+++ b/bin/base/openssldockerfile
@@ -0,0 +1,69 @@
+FROM ubuntu:xenial
+
+RUN apt-get -y update && \
+ apt-get -y install \
+ autoconf \
+ autoconf-archive \
+ libglib2.0-dev \
+ libdbus-1-dev \
+ automake \
+ libtool \
+ autotools-dev \
+ libcppunit-dev \
+ p11-kit \
+ libcurl4-gnutls-dev \
+ libcmocka0 \
+ libcmocka-dev \
+ build-essential \
+ git \
+ pkg-config \
+ vim \
+ gcc \
+ g++ \
+ m4 \
+ curl \
+ wget \
+ liburiparser-dev \
+ libssl-dev \
+ pandoc \
+ opensc \
+ default-jdk
+
+RUN apt-get -y install libgcrypt20-dev
+
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git
+RUN git clone https://github.com/tpm2-software/tpm2-tools.git
+
+RUN cd tpm2-tss && \
+ git checkout 1.2.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+RUN rm -rf tpm2-tss
+
+RUN cd tpm2-tools && \
+ git checkout 2.1.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+RUN rm -rf tpm2-tools
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
+ ldconfig
+
+RUN wget https://www.openssl.org/source/openssl-1.1.0.tar.gz
+RUN gzip -d openssl-1.1.0.tar.gz
+RUN tar -xvf openssl-1.1.0.tar
+RUN cd openssl-1.1.0 && \
+ ./config && \
+ make && \
+ make install
+RUN rm -rf openssl-1.1.0
+RUN rm -rf openssl-1.1.0.tar
+RUN rm -rf openssl-1.1.0.tar.gz
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/openssl.conf && \
+ ldconfig
+RUN openssl version -v
diff --git a/bin/base/xenialdockerfile b/bin/base/xenialdockerfile
new file mode 100644
index 0000000..f28ed0f
--- /dev/null
+++ b/bin/base/xenialdockerfile
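Review bot: `RUN wget https://www.openssl.org/source/openssl-1.1.0.tar.gz` installs a TLS library into the base image from a download that is never checked, and `git checkout 1.2.0` / `git checkout 2.1.0` pin mutable tags rather than commits, so the image is neither reproducible nor protected against a substituted artifact. Verify the tarball before unpacking, e.g. `RUN wget https://www.openssl.org/source/openssl-1.1.0.tar.gz && echo "<EXPECTED_SHA256>  openssl-1.1.0.tar.gz" | sha256sum -c -` with the digest taken from the OpenSSL release announcement, and check out the commit id behind each tag. The same tag-only checkouts appear in xenialdockerfile (tpm2-tss 1.2.0, tpm2-abrmd 1.1.1, tpm2-tools 2.1.0). `openssl-1.1.0` is the initial release of the 1.1.0 series and later 1.1.0 patch releases exist, so the chosen version deserves a comment explaining why it is pinned there.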
@@ -0,0 +1,102 @@
+FROM ubuntu:xenial
+
+RUN apt-get -y update && \
+ apt-get -y install \
+ autoconf \
+ autoconf-archive \
+ libglib2.0-dev \
+ libdbus-1-dev \
+ automake \
+ libtool \
+ autotools-dev \
+ libcppunit-dev \
+ p11-kit \
+ libcurl4-gnutls-dev \
+ libcmocka0 \
+ libcmocka-dev \
+ build-essential \
+ git \
+ pkg-config \
+ vim \
+ gcc \
+ g++ \
+ m4 \
+ curl \
+ wget \
+ liburiparser-dev \
+ libssl-dev \
+ pandoc \
+ softhsm2 \
+ opensc \
+ default-jdk
+
+RUN apt-get -y install libgcrypt20-dev
+
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git
+RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git
+RUN git clone https://github.com/tpm2-software/tpm2-tools.git
+
+RUN cd tpm2-tss && \
+ git checkout 1.2.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+
+RUN cd tpm2-abrmd && \
+ git checkout 1.1.1 && \
+ useradd --system --user-group tss && \
+ ./bootstrap && \
+ ./configure --with-dbuspolicydir=/etc/dbus-1/system.d \
+ --with-udevrulesdir=/etc/udev/rules.d/ \
+ --with-systemdsystemunitdir=/lib/systemd/system && \
+ make && \
+ make install
+
+RUN cd tpm2-tools && \
+ git checkout 2.1.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
+ ldconfig
+
+# Clone the sshsm repo
+RUN git clone https://gerrit.onap.org/r/aaf/sshsm
+
+# Build SoftHSMv2
+RUN cd sshsm && \
+ cd SoftHSMv2 && \
+ sh autogen.sh && \
+ ./configure --disable-gost && \
+ make && \
+ make install
+
+# Build TPM-Plugin
+RUN cd sshsm && \
+ chmod 755 TPM2-Plugin/ && \
+ cd TPM2-Plugin && \
+ chmod 755 bootstrap && \
+ sleep 2 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install && \
+ ldconfig && \
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
+
+RUN cd sshsm && \
+ cd tpm-util && \
+ cd import && \
+ make -f sampleMakefile
+
+RUN mkdir tpm-util
+RUN cd tpm-util && \
+ mkdir bin
+RUN cp /sshsm/tpm-util/import/ossl_tpm_import /tpm-util/bin/
+RUN rm -rf tpm2-tss
+RUN rm -rf tpm2-abrmd
+RUN rm -rf tpm2-tools
+RUN rm -rf sshsm
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
index 8557181..bad49d1 100755
--- a/bin/caservicecontainer/dockerfile
+++ b/bin/caservicecontainer/dockerfile
@@ -2,17 +2,12 @@
 # Base Image for the build
 FROM rmannfv/aaf-base:xenial
 
-RUN apt-get update
-RUN apt-get install -y softhsm2
-RUN apt-get install -y opensc
-
 # Files required for the Java application
 RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
 RUN wget https://www.bouncycastle.org/download/bcpkix-jdk15on-159.jar
 RUN wget https://www.bouncycastle.org/download/bcmail-jdk15on-159.jar
 RUN wget https://www.bouncycastle.org/download/bcpg-jdk15on-159.jar
 RUN wget https://www.bouncycastle.org/download/bctls-jdk15on-159.jar
-RUN wget https://www.bouncycastle.org/download/bctest-jdk15on-159.jar
 RUN cp ./bcpkix-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
 RUN cp ./bcprov-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
 RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
diff --git a/bin/distcenter/Dockerfile b/bin/distcenter/Dockerfile
index f79c7ef..cb6f000 100644
--- a/bin/distcenter/Dockerfile
+++ b/bin/distcenter/Dockerfile
@@ -6,15 +6,12 @@ RUN cd sshsm && \
  cd duplicate && \
  make -f sampleMakefile
 
-RUN mkdir /createca
-COPY ./create_ca.sh /createca/
+RUN mkdir -p /distcenter/bin
+COPY ./create_ca.sh /distcenter/bin
 
 RUN mkdir /dup
-RUN mkdir /dup/database
-RUN mkdir /dup/database/host_sample
 RUN mkdir /dup/bin
 RUN cp sshsm/tpm-util/duplicate/ossl_tpm_duplicate /dup/bin
-RUN cp sshsm/test/integration/samplecaservicecontainer/inittoolfiles/out_parent_public /dup/database/host_sample
 
 ADD entrypoint.sh /entrypoint.sh
 ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/bin/distcenter/README.md b/bin/distcenter/README.md
deleted file mode 100644
index 973cbf9..0000000
--- a/bin/distcenter/README.md
+++ /dev/null
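Review bot: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib` at the end of the TPM2-Plugin `RUN` only affects that layer's shell and is lost before the next instruction, so it does nothing for later layers or the final image; if the variable is needed at runtime use `ENV LD_LIBRARY_PATH=/usr/local/lib`, and since the preceding `ldconfig` with /etc/ld.so.conf.d/tpm2.conf already covers /usr/local/lib it can probably just be dropped. `RUN git clone https://gerrit.onap.org/r/aaf/sshsm` checks out no ref at all, so the SoftHSMv2, TPM2-Plugin and ossl_tpm_import binaries baked into the base image depend on whatever that repository's HEAD is at build time; pin a tag or commit as the tpm2 clones do. The `sleep 2 && \` before `./bootstrap` reads as a workaround for an ordering problem and deserves a comment stating what it waits for, or removal if nothing does. The xenial hunk starts on the previous page line; this note covers the whole file.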
@@ -1,17 +0,0 @@
-Create folder under /tmp/volume/host_sample on host. This will be mounted into the container as shared volume for now.
-
-Build the container using
-
- docker build --no-cache -t dist-center .
-
-Run it mounting the volume
-
- docker run -v /tmp/volume:/volume dist-center
-
-This will output the following files in /tmp/volume/host_sample
-
- ca.cert
- dupEncKey
- dupPriv
- dupPub
- dupSymseed
diff --git a/bin/distcenter/README.txt b/bin/distcenter/README.txt
new file mode 100644
index 0000000..fe39395
--- /dev/null
+++ b/bin/distcenter/README.txt
@@ -0,0 +1,33 @@
+Create folder under /tmp/volume/host_<host name> for each host (example
+host_sample where sample is the name of the tpm capable host).
+This folder will be mounted into the container as shared volume for now.
+
+Expects the input SRK pulic key "out_parent_public" for each host under
+the corresponding host directory and file "passphrase" under /tmp/volume/
+containing the passphrase to encrypt the key.
+
+example
+
+ /tmp/volume/host_sample/out_parent_public
+ /tmp/volume/passphrase
+
+Build the container using
+
+ docker build --no-cache -t dist-center .
+
+Run it mounting the volume
+
+ docker run -v /tmp/volume:/volume dist-center
+
+This will output the following files in /tmp/volume/host_<host name>
+
+ ca.cert
+ dupEncKey
+ dupPriv
+ dupPub
+ dupSymseed
+
+Encrypted private key and certificate under /tmp/volume
+
+ ca.cert
+ privkey.pem.gpg
diff --git a/bin/distcenter/entrypoint.sh b/bin/distcenter/entrypoint.sh
index 85cdf52..6aac3ca 100755
--- a/bin/distcenter/entrypoint.sh
+++ b/bin/distcenter/entrypoint.sh
@@ -1,12 +1,28 @@
 #!/bin/sh
 set -e
-cd /createca
-/createca/create_ca.sh
-cd /volume
-DLIST=`ls -d host_*`
-for DIR in $DLIST; do
- echo $DIR
- cp /createca/ca/ca.cert /volume/$DIR
- cd /volume/$DIR
- /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub /dup/database/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
-done
+cd /distcenter
+/distcenter/bin/create_ca.sh
+
+cd /distcenter/data
+DCOUNT=$(ls -d host_* 2> /dev/null | wc -l)
+if [ "$DCOUNT" != "0" ]
+then
+ DLIST=`ls -d host_*`
+ #Iterate over all hosts (host in k8s corresponds node)
+ for DIR in $DLIST; do
+ echo $DIR
+ cp /distcenter/ca/ca.cert /distcenter/data/$DIR
+ cd /distcenter/data/$DIR
+ /dup/bin/ossl_tpm_duplicate -pemfile /distcenter/ca/privkey.pem -parentPub \
+ /distcenter/data/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
+ dupSymseed -dupEncKey dupEncKey
+ done
+else
+ cd /distcenter/ca
+ cat /distcenter/passphrase/passphrase | gpg --no-tty --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 privkey.pem
+ cp /distcenter/ca/privkey.pem.gpg /distcenter/data
+ cp /distcenter/ca/ca.cert /distcenter/data
+fi
|
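Review bot: The `if [ "$DCOUNT" != "0" ]` / `else` split makes the per-host key duplication and the gpg encryption of privkey.pem mutually exclusive, yet README.txt in this same commit describes both outputs (the dup* files under each host_<host name> and privkey.pem.gpg beside them) from one run; unless that exclusivity is intended, the `else` body should follow the loop unconditionally. README.txt also still mounts the volume at `/volume` while the script now reads `/distcenter/data` and `/distcenter/passphrase/passphrase`, so one of the two is out of date. The loop parses `ls` twice and uses `$DIR` unquoted; a glob loop with a directory test needs neither `DCOUNT` nor `DLIST`, and `cat /distcenter/passphrase/passphrase | gpg ...` can read the passphrase directly with `gpg ... --passphrase-fd 0 privkey.pem < /distcenter/passphrase/passphrase`, which keeps the secret off any process argv as the current form already does. The `cd /distcenter/data/$DIR` inside the loop is never undone, which is harmless only because every later path is absolute.
```sh
cd /distcenter/data
# … unchanged: DCOUNT test and if/then …
  # Glob instead of parsing ls; an unmatched literal host_* is skipped by the -d test.
  for DIR in host_*; do
    [ -d "$DIR" ] || continue
    echo "$DIR"
    cp /distcenter/ca/ca.cert "/distcenter/data/$DIR"
    cd "/distcenter/data/$DIR"
    /dup/bin/ossl_tpm_duplicate -pemfile /distcenter/ca/privkey.pem -parentPub \
      "/distcenter/data/$DIR/out_parent_public" -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
      dupSymseed -dupEncKey dupEncKey
  done
# … unchanged: else branch (gpg encryption and copies) and fi …
```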