Merge pull request #169 from google/update-docker-images

Update Envoy docker compose example
google · May 10, 2024 · 8210df9 · 8210df9
2 parents 11e2a33 + 9138b56
commit 8210df9
Show file tree

Hide file tree

Showing 12 changed files with 131 additions and 212 deletions.
diff --git a/installing-and-running-grr/advanced-usecases/sandbox.md b/installing-and-running-grr/advanced-usecases/sandbox.md
@@ -46,7 +46,7 @@ You will have to create a ```demo``` user first. The script will ask you for a p
 
 You can create the ```demo``` user by executing the command listed in the box below.
 ```
-docker exec -it sandbox-grr-admin-1 /grr/venv/bin/grr_config_updater add_user demo
+docker exec -it sandbox-grr-admin-1 grr_config_updater add_user demo --secondary_configs /config/grr-server/server.local.yaml
 ```
 With the ```demo``` user in place you can now point your browser to the GRR UI: [http://localhost:8000](http://localhost:8000)
 

diff --git a/...and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto b/...and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto
@@ -1,8 +1,8 @@
 mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-fleetspeak:3306)/fleetspeak"
 https_config: <
   listen_address: "0.0.0.0:9090"
-  certificates: "FRONTEND_CERTIFICATE"
-  key: "FRONTEND_KEY"
+  certificates: "FLEETSPEAK_CERT"
+  key: "FLEETSPEAK_KEY"
   frontend_config: <
     https_header_checksum_config: <
       client_certificate_header: "x-client-certificate" 

diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml
@@ -1,6 +1,16 @@
 Client.fleetspeak_enabled: true
+ClientBuilder.fleetspeak_bundled: true
 Client.foreman_check_frequency: 30
+
 Logging.verbose: true
 Logging.engines: file,stderr
 Logging.path: /
 Logging.filename: /grr-client.log
+
+Client.executable_signing_public_key: "%(/config/public-key.pem|file)"
+Target:Linux:
+  ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
+Target:Windows:
+  ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
+Target:Darwin:
+  ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto
@@ -1,9 +1,9 @@
 client_certificate_header: "x-client-certificate"
-trusted_certs: "FRONTEND_CERTIFICATE"
+trusted_certs: "TRUSTED_FLEETSPEAK_CERT"
 server: "fleetspeak-server:10000"
 client_label: ""
 filesystem_handler: <
-  configuration_directory: "/config/"
+  configuration_directory: "/config/grr-client/"
   state_file: "/fleetspeak.state"
 >
 streaming: true
diff --git a/...ling-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service b/...ling-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service
@@ -2,10 +2,10 @@ name: "GRR"
 factory: "Daemon"
 config: {
   [type.googleapis.com/fleetspeak.daemonservice.Config]: {
-    argv: "/grr/venv/bin/python"
+    argv: "python"
     argv: "-m"
-    argv: "grr_response_client.grr_fs_client"
-    argv: "--config"
-    argv: "/grr/venv/install_data/etc/client.yaml"
+    argv: "grr_response_client.client"
+    argv: "--secondary_configs"
+    argv: "/config/grr-client/client.yaml"
   }
 }
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml
@@ -1,42 +1,43 @@
     Database.implementation: MysqlDB
     Blobstore.implementation: DbBlobStore
+
+    API.DefaultRouter: ApiCallRouterWithoutChecks
+
+    Server.initialized: true
+    Server.fleetspeak_enabled: true
+    Server.fleetspeak_server: fleetspeak-admin:9091
+    FleetspeakFrontend Context:
+      Server.fleetspeak_message_listen_address: 0.0.0.0:11111
+
     Mysql.host: mysql-grr
     Mysql.port: 3306
-    Mysql.database_name: grr
     Mysql.database: grr
-    Mysql.database_username: grr-user
     Mysql.username: grr-user
-    Client.server_urls:
-    - http://localhost:8080/
+    Mysql.password: grr-password
+    Mysql.database_name: grr
+    Mysql.database_username: grr-user
+    Mysql.database_password: grr-password
+    Mysql.flow_processing_threads_max: 20
+
     AdminUI.url: http://localhost:8000
     AdminUI.bind: 0.0.0.0
     AdminUI.headless: true
+    AdminUI.use_precompiled_js: true
+    AdminUI.csrf_secret_key: random_passphrase_123____PLEASE_REPLACE___
+
     Logging.domain: localhost
     Logging.verbose: true
     Logging.engines: file,stderr
     Logging.path: /grr
     Logging.filename: /grr/grr-server.log
     Monitoring.alert_email: grr-monitoring@localhost
     Monitoring.emergency_access_email: grr-emergency@localhost
-    Mysql.database_password: grr-password
-    Mysql.password: grr-password
-    Mysql.flow_processing_threads_max: 20
 
-    Frontend.certificate: |
-FRONTEND_CERTIFICATE
+    Client.executable_signing_public_key: |
+      %(/config/public-key.pem|file)
+
+    PrivateKeys.executable_signing_private_key: |
+      %(/config/private-key.pem|file)
+
+
 
-    AdminUI.csrf_secret_key: O$YTx01F2BuxgT4DoVSI hJVuhWOxyuuxJhg#lg96ARF_fWLabzN5kjAy0UBcI9GDrUPo1v
-      b7PyF3vj4pqRrc8oegeJ8XgIyI5X
-    Server.fleetspeak_enabled: true
-    Client.fleetspeak_enabled: true
-    ClientBuilder.fleetspeak_bundled: true
-    Target:Linux:
-      ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/linux_client.config
-    Target:Windows:
-      ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/windows_client.config
-    Target:Darwin:
-      ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/darwin_client.config
-    Server.fleetspeak_server: fleetspeak-admin:9091
-    FleetspeakFrontend Context:
-      Server.fleetspeak_message_listen_address: 0.0.0.0:11111
-    Server.initialized: true
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile
@@ -13,8 +13,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     && apt-get -qq update -y \
     && apt-get -qq install --no-install-recommends -y curl
 COPY --chmod=777 "$ENVOY_CONFIG" /etc/envoy.yaml
-COPY --chmod=644 cert.pem /etc/cert.pem
-COPY --chmod=644 key.pem /etc/key.pem
+COPY --chmod=644 fleetspeak-cert.pem /etc/cert.pem
+COPY --chmod=644 fleetspeak-key.pem /etc/key.pem
 CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]
 
 FROM envoy-base as envoy-admin

diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/fleetspeak/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/fleetspeak/Dockerfile
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/client/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/client/Dockerfile
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/server/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/server/Dockerfile
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh b/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh
@@ -1,26 +1,36 @@
 #!/bin/bash
-openssl ecparam -list_curves
-
-# generate a private key for a curve
-openssl ecparam -name prime256v1 -genkey -noout -out key.pem
-
-# optional: generate corresponding public key
-#openssl ec -in key.pem -pubout -out public-key.pem
-
-# create a self-signed certificate
-openssl req -new -x509 -key key.pem -out cert.pem -days 365 -subj "/C=AU/CN=fleetspeak-server" -addext "subjectAltName = DNS:fleetspeak-server"
 
-export FRONTEND_PEM="$(cat cert.pem | sed 's/^/      /g' | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/g')"
-export FRONTEND_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' cert.pem)
-export FRONTEND_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' key.pem)
+set -ex
 
-echo $FRONTEND_PEM
-echo $FRONTEND_CERT
-echo $FRONTEND_KEY
-
-sed -i "s@FRONTEND_CERTIFICATE@${FRONTEND_PEM}@" ./config/grr-server/server.local.yaml
-
-sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/fleetspeak-frontend/components.textproto
-sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/grr-client/config.textproto
+openssl ecparam -list_curves
 
-sed -i 's@FRONTEND_KEY@'"$FRONTEND_KEY"'@' ./config/fleetspeak-frontend/components.textproto
+# Generate key pair .pem files, which is linked in the GRR client and 
+# server configs (client.yaml, server.local.yaml).
+openssl genrsa -out config/private-key.pem
+openssl rsa -in config/private-key.pem -pubout -out config/public-key.pem
+
+# Create a CA/trusted private key and cert for Fleetspeak.
+openssl ecparam -name prime256v1 -genkey -noout \
+    -out fleetspeak-ca-key.pem
+openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA"\
+   -key fleetspeak-ca-key.pem \
+   -out fleetspeak-ca-cert.pem \
+
+# Create keys for CA signed key and cert for fleetspeak. Resulting files are also
+# copied in the envoy container, see containers/envoy/Dockerfile).
+openssl ecparam -name prime256v1 -genkey -noout \
+    -out fleetspeak-key.pem
+openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA" -addext "subjectAltName = DNS:fleetspeak-server" \
+   -key fleetspeak-key.pem \
+   -out fleetspeak-cert.pem \
+   -CA fleetspeak-ca-cert.pem \
+   -CAkey fleetspeak-ca-key.pem
+
+# Replace placeholders in fleetspeak and grr-client textproto files.
+TRUSTED_FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-ca-cert.pem)
+FLEETSPEAK_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-key.pem)
+FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-cert.pem)
+
+sed -i 's@FLEETSPEAK_CERT@'"$FLEETSPEAK_CERT"'@' ./config/fleetspeak-frontend/components.textproto
+sed -i 's@FLEETSPEAK_KEY@'"$FLEETSPEAK_KEY"'@' ./config/fleetspeak-frontend/components.textproto
+sed -i 's@TRUSTED_FLEETSPEAK_CERT@'"$TRUSTED_FLEETSPEAK_CERT"'@' ./config/grr-client/config.textproto