sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 08:16:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Mgmt docker and document (#72)

Browse Source 
* debug image and use wiretrustee/management repository

* Update documentation and docker-compose to include management

* improve documentation and add debug image build

* update docker-compose section with management service notes.

* fix broken doc link
This commit is contained in:
Maycon Santos
2021-07-31 10:29:49 +02:00
committed by GitHub
parent 2c2c1e19df
commit f51a79d3b3
6 changed files with 126 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
management/Dockerfile
View File

@@ -1,3 +1,3 @@
FROM gcr.io/distroless/base:debug
FROM gcr.io/distroless/base
ENTRYPOINT [ "/go/bin/wiretrustee","management"]
COPY wiretrustee /go/bin/wiretrustee

3
management/Dockerfile.debug Normal file
View File

@@ -0,0 +1,3 @@
FROM gcr.io/distroless/base:debug
ENTRYPOINT [ "/go/bin/wiretrustee","management","--log-level","debug"]
COPY wiretrustee /go/bin/wiretrustee

163
management/README.md
View File

@@ -1,28 +1,46 @@
# Wiretrustee Management Server
Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network.
## Command Options
The CLI accepts the command **management** with the following options:
```shell
start Wiretrustee Management Server
Usage:
wiretrustee management [flags]
Flags:
--datadir string server data directory location (default "/var/lib/wiretrustee/")
-h, --help help for management
--letsencrypt-domain string a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS
--port int server port to listen on (default 33073)
Global Flags:
--config string Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json")
--log-level string (default "info")
```
## Run Management service (Docker)
You can run service in 2 modes - with TLS or without (not recommended).
### Run with TLS (Let's Encrypt).
By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration.
The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
In the following example ```33073``` is a gRpc port, ```443``` is a port for Let's Encrypt challenge and HTTP API.
In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API.
> The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).
```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \
-p 33073:33073 \
-p 443:443 \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \
-v /etc/wiretrustee/:/etc/wiretrustee/ \
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \
--port 33073 \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain <YOUR-DOMAIN> \
--log-level info
-v wiretrustee-mgmt:/var/lib/wiretrustee \
wiretrustee/management:latest \
--letsencrypt-domain <YOUR-DOMAIN>
```
Trigger Let's encrypt certificate generation:
@@ -30,110 +48,47 @@ Trigger Let's encrypt certificate generation:
curl https://<YOUR-DOMAIN>
```
The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```). Make sure that the ```datadir``` is mapped to some folder on a host machine.
The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container.
Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint:
```shell
docker volume inspect wiretrustee-mgmt
[
{
"CreatedAt": "2021-07-25T20:45:28Z",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/mgmt/_data",
"Name": "wiretrustee-mgmt",
"Options": {},
"Scope": "local"
}
]
```
Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart.
**Below are optional steps (some checks).**
Inspect ```datadir``` to see if the folder contains Let's Encrypt certificate:
```bash
ls /var/lib/wiretrustee/letsencrypt/
```
The output should be something similar to this:
```bash
root@wiretrustee-test-2:~# ls /var/lib/wiretrustee/letsencrypt/
acme_account+key <YOUR-DOMAIN> <YOUR-DOMAIN>+rsa
```
Check certificate:
```bash
echo | openssl s_client -showcerts -servername <YOUR-DOMAIN> -connect <YOUR-DOMAIN>:33073 2>/dev/null | openssl x509 -inform pem -noout -text
```
The output should be something similar to this:
```bash
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:07:7a:8e:f3:78:0d:bc:4d:f0:82:9b:1a:a3:c1:89:6c:ae
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Jul 17 14:19:45 2021 GMT
Not After : Oct 15 14:19:43 2021 GMT
Subject: CN = <YOUR-DOMAIN>
...
Signature Algorithm: sha256WithRSAEncryption
3a:a3:27:5c:aa:35:11:b0:9a:89:d4:da:03:30:16:bc:3e:01:
9f:7a:14:0a:1c:f3:c3:1c:67:86:31:bd:63:0f:19:81:66:77:
34:32:e8:ac:be:16:1d:55:5e:d5:71:73:d7:50:b4:fb:56:6d:
14:b3:2f:ae:04:52:e5:f4:e2:86:dd:fe:b8:b0:bf:52:84:bf:
5f:d2:56:9f:7b:70:6c:b8:f4:e8:c8:94:7f:89:e9:0d:37:55:
c7:c7:6c:51:88:09:9a:40:4a:52:88:c6:8b:1b:9c:d4:a2:a5:
4d:c7:23:4b:81:b8:4a:90:3f:a3:50:80:6e:bb:1f:1c:c2:19:
99:d4:57:7b:82:07:f3:ca:71:6d:83:e8:5a:98:70:98:13:a1:
64:81:0d:01:db:41:37:46:6f:a5:c6:e5:cf:7d:ba:f8:26:b1:
53:58:fc:7d:48:2a:55:f3:14:e7:5e:7d:0f:3d:23:98:83:00:
08:19:b0:62:93:a4:66:96:db:25:3f:e7:02:44:25:c1:62:4d:
75:90:5b:b6:59:68:42:58:37:88:2f:84:c2:77:8f:9f:50:ed:
b5:f7:b1:31:8a:b6:ca:9e:5a:90:e9:3f:5b:eb:d4:c3:f6:82:
42:16:5f:f4:62:ed:51:9c:ac:b1:ba:4e:6f:ea:ec:ab:43:ba:
d1:25:ab:28
```
### Run without TLS.
```bash
# create a volume
docker volume create wiretrustee-mgmt
# run the docker container
docker run -d --name wiretrustee-management \
-p 33073:33073 \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/ \
-v /etc/wiretrustee/:/etc/wiretrustee/ \
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64 \
--port 33073 \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain app.wiretrustee.com \
--log-level debug
-v wiretrustee-mgmt:/var/lib/wiretrustee \
wiretrustee/management:latest
```
### Debug tag
We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container.
```shell
shell $ docker run -d --name wiretrustee-management-debug \
-p 33073:33073 \
-v wiretrustee-mgmt:/var/lib/wiretrustee \
wiretrustee/management:debug-latest
### hosts-config.json file example:
```json
{
"Stuns": [
{
"Proto": 2,
"Host": "stun.wiretrustee.com",
"Port": 3468,
"Username": "",
"Password": null
}
],
"Turns": [
{
"Proto": 2,
"Host": "stun.wiretrustee.com",
"Port": 3468,
"Username": "some_user",
"Password": "c29tZV9wYXNzd29yZA=="
}
],
"Signal": {
"Proto": 2,
"Host": "signal.wiretrustee.com",
"Port": 10000,
"Username": "",
"Password": null
}
}
shell $ docker exec -ti wiretrustee-management-debug /bin/sh
container-shell $
```
## For development purposes:
Install golang gRpc tools: