authorRob Austein <sra@hactrn.net>2019-09-03 19:06:01 +0000
committerRob Austein <sra@hactrn.net>2019-09-03 19:14:09 +0000
commit75f091a80059ca6c8dc8b2c93ebf16f6effb892d (patch)
treec89c6f14152a32238760530aeee0b188706b2a12
First public version
-rw-r--r--.dockerignore4
-rw-r--r--.gitignore1
-rw-r--r--Dockerfile44
-rw-r--r--Makefile8
-rw-r--r--README.md33
-rwxr-xr-xcreate.sh14
-rwxr-xr-xstartup.sh25
7 files changed, 129 insertions, 0 deletions
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..e495208
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,4 @@
+buildREADME.md
+create.sh
+.git
+Makefile
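Review bot: The first entry `buildREADME.md` matches neither a `build` directory nor `README.md`, so it excludes nothing and `README.md` is sent into the build context; this looks like two entries run together and should presumably read `build` and `README.md` on separate lines. The rest of the list is consistent with the Dockerfile: `create.sh`, `.git` and `Makefile` stay out of the context, while `rpki-rp_*.deb` must stay in because the Dockerfile copies it.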
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c00df13
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.deb
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7b6aed8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,44 @@
+# Given that this is security software, you might want to consider
+# generating your own debian:stretch base image using debbootstrap
+# rather than trusting Dockerhub
+
+FROM debian:stretch
+
+# Prerequisites. Current version of python-django is a bit too recent
+# for the rpki-ca GUI, but rpki-rp only uses the ORM, which hasn't
+# broken backwards compatability (yet?).
+
+RUN apt-get --yes update && apt-get --yes install --no-install-recommends \
+ apache2 \
+ bsdmainutils \
+ ca-certificates \
+ cron \
+ postgresql \
+ postgresql-client \
+ python \
+ python-django \
+ python-lxml \
+ python-psycopg2 \
+ python-pycurl \
+ python-tornado \
+ rrdtool \
+ rsyslog \
+ rsync \
+ ssl-cert \
+ sudo \
+ xinetd
+
+# Install rpki-rp package downloaded by makefile, but defer
+# configuration until the container comes up.
+
+COPY startup.sh rpki-rp_*.deb /root/
+RUN dpkg --unpack /root/rpki-rp_*.deb && rm -f /root/rpki-rp_*.deb
+
+# Container startup, execs cron on top of itself when done
+
+CMD [ "/root/startup.sh" ]
+
+# Expose web and rpki-rtr ports. The HTTPS port is probably not very
+# useful unless you stuff a valid certificate into the image.
+
+EXPOSE 80 443 323
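Review bot: The `FROM debian:stretch` line pulls the base by tag only, so every rebuild silently takes whatever Dockerhub currently serves and the image is not reproducible — which undercuts the trust concern the header comment raises; pin by digest, `FROM debian:stretch@sha256:<DIGEST-OF-VERIFIED-IMAGE>`, and note in the comment where that digest was checked. The `apt-get` layer also leaves the package lists in the image; appending `&& rm -rf /var/lib/apt/lists/*` to that `RUN` drops them at no cost. There is no `USER` directive, which is consistent with `startup.sh` starting system services as root, but that choice should be stated in the comment above `CMD`, e.g. `# Runs as root: startup.sh starts postgresql/apache/cron and then completes the deferred rpki-rp postinst`.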
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..3681b00
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,8 @@
+all:
+ apt-get download rpki-rp
+ docker build -t rpki-rp .
+
+clean:
+ git clean -dfx
+
+.PHONY: all clean
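Review bot: The `all` target's `apt-get download rpki-rp` is the only point at which the package is signature-checked — the Dockerfile later runs `dpkg --unpack` on the `.deb` with no verification of its own — so the build silently depends on the host having a trusted rpki-rp apt source and keyring configured. That trust boundary is undocumented; a comment above the target, e.g. `# Fetches rpki-rp through the host's apt (signature-checked there); the host must have a trusted rpki.net source configured`, would make it explicit. `clean` running `git clean -dfx` also deletes the downloaded `.deb`, which is presumably intended but worth a word in the same comment.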
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..49c66b3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+Dockerized rpki.net RP tool
+===========================
+
+This is a (sort of) Dockerized version of the rpki.net relying party
+toolset. It would probably horrify any Docker True Believer, and
+there's a lot of stuff I would do differently if I had the time to
+rewrite half of the code, but for the moment the goal is just to get
+the `rpki-rp` package running happily in a container.
+
+The existing Debian package is fairly careful about making sure that
+the actions it performs in its postinst script do the right thing
+whether in a new or existing installation, so all we really need to do
+is arrange to defer running the postinst script until the container
+starts up.
+
+Type `make` to build the image. If you're paranoid, you might want to
+generate your own `debian:stretch` base image using `debootstrap`
+rather than trusting the one that's available on Dockerhub, but that's
+your call.
+
+See `create.sh` for an example of how one might start up the generated
+container. One of the things that would probably horrify a True
+Docker Believer is that we run `postgresql` inside the container along
+with everything else, so pay careful attention to the volume mounts.
+
+Essentially the same technique should also work with the `rpki-ca`
+package, except for one thing: the GUI portion of `rpki-ca` depends on
+Django functions which have changed yet again, in incompatible ways,
+and the Django project has this nasty habit of doing that before
+discovering dangerous security issues in their older code. So until
+we update the GUI portions of `rpki-ca`, your choices are running
+vulnerable code or doing without the GUI. Code contributions actively
+solicited, since RPKI hasn't been my day job for years.
diff --git a/create.sh b/create.sh
new file mode 100755
index 0000000..41e38d0
--- /dev/null
+++ b/create.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -
+
+# Sample of how one might start up an rpki-rp container, season to
+# taste. This configuration publishes the rpki-rtr port globally, and
+# publishes the rcynic web status pages to localhost on port 8888.
+
+docker create -it \
+ --name rpki-rp \
+ --privileged \
+ --publish 323:323 \
+ --publish 127.0.0.1:8888:80 \
+ --mount 'type=volume,source=rpki-rp-postgres,target=/var/lib/postgresql/9.6/main' \
+ --mount 'type=volume,source=rpki-rp-rcynic,target=/var/rcynic' \
+ rpki-rp:latest
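Review bot: `--privileged` on the `docker create` line grants the container every capability and access to all host devices, and nothing in the image appears to need that — postgresql, apache2, cron, rsyslog and xinetd should all start under the default capability set. Drop the flag and, if a specific service then fails to start, grant only what it needs with `--cap-add`; this sample is what users will copy, so its defaults matter. The postgres volume is mounted at the version-specific path `/var/lib/postgresql/9.6/main`; a comment noting that this path must track the postgresql version the image installs would help readers who rebuild on a newer base.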
diff --git a/startup.sh b/startup.sh
new file mode 100755
index 0000000..83765c4
--- /dev/null
+++ b/startup.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -
+#
+# Startup script for rpki-rp running under Docker.
+#
+# This assumes that cron is already running, and that this script is running as root.
+# Most likely this script is running under cron as a @reboot action.
+
+# Start non-RPKI daemons. postgresql in particular needs to be up
+# before the RPKI code so that we can check the database and configure
+# it if necessary.
+
+for i in rsyslog postgresql xinetd apache2
+do
+ service $i start
+ sleep 1
+done
+
+# Run rpki-rp's postinst script. This is a no-op if everything's up
+# to date, but will do everything including creating databases if needed.
+
+dpkg --configure --pending
+
+# The rest of rpki-rp runs under cron
+
+exec /usr/sbin/cron -f -L 15
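Review bot: The `sleep 1` after each `service $i start` is not a readiness check, so `dpkg --configure --pending` can run while postgresql is still starting and the deferred postinst may fail or half-configure the database; and because the script has no `set -e` and never checks an exit status, that failure is masked when it goes on to `exec` cron and the container looks healthy. Wait on `pg_isready` (from postgresql-client, which the Dockerfile installs) with a bounded retry, and exit non-zero if a service or the postinst does not succeed. The header comment also says the script assumes cron is already running and is itself run by cron as a `@reboot` action, but the Dockerfile runs it directly as `CMD` and it execs cron at the end; the comment should describe the actual flow, e.g. `# Run as the container's CMD: starts the daemons, completes rpki-rp's deferred postinst, then execs cron as PID 1.`
```shell
for i in rsyslog postgresql xinetd apache2
do
    service "$i" start || exit 1
done

# Wait until postgresql accepts connections; the postinst below needs it.
tries=0
until pg_isready -q
do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "postgresql did not become ready" >&2; exit 1; }
    sleep 1
done

# … unchanged: comment about the deferred postinst …

dpkg --configure --pending || exit 1

# … unchanged: exec cron …
```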