From f739b51a9e81eb42a53325df11eb761f44132981 Mon Sep 17 00:00:00 2001 From: Jacob Boddey Date: Wed, 15 May 2024 12:44:40 +0100 Subject: [PATCH 1/3] Generate and SSL certificate for Testrun UI --- cmd/install | 31 ++++++++++++++++++++++++++++ cmd/prepare | 2 +- framework/python/src/core/testrun.py | 22 +++++++++++++++----- modules/ui/nginx.conf | 14 +++++++++++++ modules/ui/ui.Dockerfile | 6 +++++- 5 files changed, 68 insertions(+), 7 deletions(-) create mode 100644 modules/ui/nginx.conf diff --git a/cmd/install b/cmd/install index 9d4f4de52..31defa341 100755 --- a/cmd/install +++ b/cmd/install 
@@ -63,5 +63,36 @@ sudo cmd/build # Create local folders mkdir -p local/devices mkdir -p local/root_certs +mkdir -p local/ui/certs + +# Add hosts entry +HOST="127.0.0.1 testrun.io" +grep -qxF "$HOST" /etc/hosts || echo $HOST | sudo tee -a /etc/hosts + +# Prepare for certificate generation +UI_CERTS_DIR=local/ui/certs +CA_NAME=testrun.ca +CRT_NAME=testrun + +# Generate CA certificate +openssl genrsa -aes256 -out $UI_CERTS_DIR/$CA_NAME.key -passout pass:supersecurepassword 4096 + +openssl req -x509 -new -nodes -key $UI_CERTS_DIR/$CA_NAME.key -passin pass:supersecurepassword -sha256 -days 1826 -out $UI_CERTS_DIR/$CA_NAME.crt -subj "/C=US/O=Google/CN=Testrun CA" + +# Trust CA certificate +mkdir -p /usr/local/share/ca-certificates/ +cp $UI_CERTS_DIR/$CA_NAME.pem /usr/local/share/ca-certificates/$CA_NAME.pem + +# Create signing config file +echo 'subjectAltName = DNS:testrun.io' >> $UI_CERTS_DIR/$CRT_NAME.ext + +# Create signing request +openssl req -new -nodes -out $UI_CERTS_DIR/$CRT_NAME.csr -newkey rsa:4096 -keyout $UI_CERTS_DIR/$CRT_NAME.key -subj "/C=US/O=Google/CN=Testrun" + +# Complete signing +openssl x509 -req -in $UI_CERTS_DIR/$CRT_NAME.csr -CA $UI_CERTS_DIR/$CA_NAME.crt -CAkey $UI_CERTS_DIR/$CA_NAME.key -passin pass:supersecurepassword -CAcreateserial -out $UI_CERTS_DIR/$CRT_NAME.signed.crt -days 500 -sha256 -extfile $UI_CERTS_DIR/$CRT_NAME.ext + +# Update trusted Ca certificates +update-ca-certificates echo Finished installing Testrun diff --git a/cmd/prepare b/cmd/prepare index 9e68f734d..b570e6569 100755 --- a/cmd/prepare +++ b/cmd/prepare @@ -20,6 +20,6 @@ echo Installing system dependencies # Install system dependencies -sudo apt-get update && sudo apt-get install openvswitch-common openvswitch-switch python3 libpangocairo-1.0-0 ethtool +sudo apt-get update && sudo apt-get install openvswitch-common openvswitch-switch python3 libpangocairo-1.0-0 ethtool openssl echo Finished installing system dependencies 
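Review bot: The CA private key generated in this hunk is protected only by the literal passphrase `supersecurepassword`, which sits in the repository and on the openssl command line, and the key stays in `local/ui/certs` after the CA certificate has been added to the system trust store. Anyone who can read that file can issue certificates this host will trust for any name, not only testrun.io. The CA signs exactly one certificate here, so I would remove its key once the leaf is signed, e.g. `rm -f "$UI_CERTS_DIR/$CA_NAME.key"` after the `openssl x509 -req` step. Separately, `>> $UI_CERTS_DIR/$CRT_NAME.ext` appends on every re-run of the installer; `>` would keep the extension file at one line.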
diff --git a/framework/python/src/core/testrun.py b/framework/python/src/core/testrun.py index 22607a520..a04fafb2d 100644 --- a/framework/python/src/core/testrun.py +++ b/framework/python/src/core/testrun.py @@ -36,7 +36,8 @@ from net_orc import network_orchestrator as net_orc from test_orc import test_orchestrator as test_orc -from docker.errors import ImageNotFound +from docker.errors import ImageNotFound, APIError +from docker.types import Mount # Locate parent directory current_dir = os.path.dirname(os.path.realpath(__file__)) @@ -50,6 +51,8 @@ DEFAULT_CONFIG_FILE = 'local/system.json' EXAMPLE_CONFIG_FILE = 'local/system.json.example' +LOCAL_CERTS_DIR = 'local/ui/certs' + LOCAL_DEVICES_DIR = 'local/devices' RESOURCE_DEVICES_DIR = 'resources/devices' @@ -454,6 +457,9 @@ def start_ui(self): client = docker.from_env() + certs_folder = os.path.join(root_dir, + LOCAL_CERTS_DIR) + try: client.containers.run( image='test-run/ui', @@ -462,17 +468,23 @@ def start_ui(self): hostname='testrun.io', detach=True, ports={ - '80': 8080 - } + '443': 443 + }, + mounts=[ + Mount(target='/certs', + source=certs_folder, + type='bind', + read_only=True) + ] ) - except ImageNotFound as ie: + except (APIError, ImageNotFound) as ie: LOGGER.error('An error occured whilst starting the UI. ' + 'Please investigate and try again.') LOGGER.error(ie) sys.exit(1) # TODO: Make port configurable - LOGGER.info('User interface is ready on http://localhost:8080') + LOGGER.info('User interface is ready on https://testrun.io') def _stop_ui(self): LOGGER.info('Stopping user interface') diff --git a/modules/ui/nginx.conf b/modules/ui/nginx.conf new file mode 100644 index 000000000..a82ff134c --- /dev/null +++ b/modules/ui/nginx.conf 
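Review bot: The bind mount added to `start_ui` hands the whole `local/ui/certs` directory to the UI container, and per cmd/install that directory also holds the CA key `testrun.ca.key`, which nginx never needs; nginx.conf reads only `testrun.signed.crt` and `testrun.key`. I would mount just those two files, or keep the CA material in a separate directory that is never mounted. Also, `'443': 443` publishes the port on every host interface while the hosts entry points testrun.io at 127.0.0.1; if remote access is not intended, `'443': ('127.0.0.1', 443)` keeps the UI on loopback. `start_ui` begins and ends outside these hunks.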
@@ -0,0 +1,14 @@ +server { + listen 80; + listen 443 ssl; + server_name testrun.io; + + ssl_certificate /certs/testrun.signed.crt; + ssl_certificate_key /certs/testrun.key; + ssl_protocols TLSv1.2 TLSv1.3; + + location / { + root /usr/share/nginx/html; + try_files $uri /index.html; + } +} diff --git a/modules/ui/ui.Dockerfile b/modules/ui/ui.Dockerfile index da56be93e..ee7c4623a 100644 --- a/modules/ui/ui.Dockerfile +++ b/modules/ui/ui.Dockerfile @@ -22,8 +22,12 @@ RUN npm run build FROM nginx@sha256:4c0fdaa8b6341bfdeca5f18f7837462c80cff90527ee35ef185571e1c327beac +# Copy configuration +COPY /modules/ui/nginx.conf /etc/nginx/conf.d/default.conf + +# Copy application COPY --from=build /modules/ui/dist/ /usr/share/nginx/html -EXPOSE 8080 +EXPOSE 443 CMD ["nginx", "-g", "daemon off;"] From 7ffd3dd3802b89319b085455ab6083776c6bee6a Mon Sep 17 00:00:00 2001 From: jhughesbiot Date: Fri, 30 Aug 2024 13:41:39 -0600 Subject: [PATCH 2/3] Fix ui dockerfile Fix paths for cert generation Fix root path reference --- cmd/install | 4 ++-- framework/python/src/core/testrun.py | 2 +- modules/ui/ui.Dockerfile | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/install b/cmd/install index 9adc39387..84b72888f 100755 --- a/cmd/install +++ b/cmd/install @@ -78,7 +78,7 @@ HOST="127.0.0.1 testrun.io" grep -qxF "$HOST" /etc/hosts || echo $HOST | sudo tee -a /etc/hosts # Prepare for certificate generation -UI_CERTS_DIR=local/ui/certs +UI_CERTS_DIR=$PWD/local/ui/certs CA_NAME=testrun.ca CRT_NAME=testrun @@ -89,7 +89,7 @@ openssl req -x509 -new -nodes -key $UI_CERTS_DIR/$CA_NAME.key -passin pass:super # Trust CA certificate mkdir -p /usr/local/share/ca-certificates/ -cp $UI_CERTS_DIR/$CA_NAME.pem /usr/local/share/ca-certificates/$CA_NAME.pem +cp $UI_CERTS_DIR/$CA_NAME.crt /usr/local/share/ca-certificates/$CA_NAME.crt # Create signing config file echo 'subjectAltName = DNS:testrun.io' >> $UI_CERTS_DIR/$CRT_NAME.ext 
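Review bot: `listen 80;` sits in the same server block as `listen 443 ssl;`, so the UI is also served in cleartext to anything that can reach container port 80. Only 443 is published by `start_ui`, so the plain listener looks unintended rather than required. I would drop the line, or move it to its own server block containing `return 301 https://$host$request_uri;` so that plain HTTP only redirects.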
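Review bot: `UI_CERTS_DIR=$PWD/local/ui/certs` now carries the absolute checkout path, and every later expansion of it is unquoted, so a checkout path containing a space will split the openssl and `cp` arguments. Quote the expansions, e.g. `cp "$UI_CERTS_DIR/$CA_NAME.crt" "/usr/local/share/ca-certificates/$CA_NAME.crt"`. The `mkdir` and `cp` into /usr/local/share/ca-certificates in the second hunk run without `sudo`, unlike the `sudo tee` on /etc/hosts above them, so they presumably fail when the installer is not run as root; confirm which invocation is intended.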
diff --git a/framework/python/src/core/testrun.py b/framework/python/src/core/testrun.py index d6676d4da..198994c46 100644 --- a/framework/python/src/core/testrun.py +++ b/framework/python/src/core/testrun.py @@ -511,7 +511,7 @@ def start_ui(self, single_intf): client = docker.from_env(environment=envs) - certs_folder = os.path.join(root_dir, + certs_folder = os.path.join(self._root_dir, LOCAL_CERTS_DIR) try: diff --git a/modules/ui/ui.Dockerfile b/modules/ui/ui.Dockerfile index e8ef77132..da6fdb79e 100644 --- a/modules/ui/ui.Dockerfile +++ b/modules/ui/ui.Dockerfile @@ -15,12 +15,12 @@ # Image name: testrun/ui FROM nginx@sha256:4c0fdaa8b6341bfdeca5f18f7837462c80cff90527ee35ef185571e1c327beac +# Copy application +COPY modules/ui/dist/ /usr/share/nginx/html + # Copy configuration COPY /modules/ui/nginx.conf /etc/nginx/conf.d/default.conf -# Copy application -COPY --from=build /modules/ui/dist/ /usr/share/nginx/html - EXPOSE 443 CMD ["nginx", "-g", "daemon off;"] From c0f224abf7511bb5099916237b23fa2b71e2e23c Mon Sep 17 00:00:00 2001 From: jhughesbiot Date: Fri, 6 Sep 2024 13:32:40 -0600 Subject: [PATCH 3/3] add sudo/root user to docker user group check --- cmd/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/install b/cmd/install index 84b72888f..3f4bc1992 100755 --- a/cmd/install +++ b/cmd/install @@ -38,7 +38,7 @@ else TESTRUN_DIR="${TESTRUN_DIR}" # Check that user is in docker group - if ! (id -nGz "$USER" | grep -qzxF "docker"); then + if ! (id -nGz "$USER" | grep -qzxF "docker") && [ "$EUID" -ne 0 ]; then echo User is not in docker group. Follow https://docs.docker.com/engine/install/linux-postinstall/ to finish setting up docker. exit 1 fi
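Review bot: `$EUID` in the new cmd/install condition is set by bash but not by POSIX sh. The interpreter line of the script is outside this hunk, but if it ever runs under dash the variable is empty, `[ "" -ne 0 ]` fails with an error, and the `&&` then makes the whole condition false, so the docker-group check is skipped. `[ "$(id -u)" -ne 0 ]` gives the same result in any shell. The enclosing `if`/`else` starts outside the hunk.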