diff --git a/make/photon/notary/binary.Dockerfile b/make/photon/notary/binary.Dockerfile
new file mode 100644
index 000000000..d670b9cc3
--- /dev/null
+++ b/make/photon/notary/binary.Dockerfile
@@ -0,0 +1,13 @@
+FROM golang:1.7.3
+
+ENV NOTARY_DIR /go/src/github.com/docker/notary
+ENV NOTARYPKG github.com/docker/notary
+
+COPY . /go/src/${NOTARYPKG}
+WORKDIR /go/src/${NOTARYPKG}
+
+RUN go build -tags pkcs11 \
+ -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" $NOTARYPKG/cmd/notary-server
+
+RUN go build -tags pkcs11 \
+ -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" $NOTARYPKG/cmd/notary-signer
diff --git a/make/photon/notary/binary/notary-server b/make/photon/notary/binary/notary-server
new file mode 100755
index 000000000..cb1c56a78
Binary files /dev/null and b/make/photon/notary/binary/notary-server differ
diff --git a/make/photon/notary/binary/notary-signer b/make/photon/notary/binary/notary-signer
new file mode 100755
index 000000000..f615ffdfe
Binary files /dev/null and b/make/photon/notary/binary/notary-signer differ
diff --git a/make/photon/notary/builder b/make/photon/notary/builder
new file mode 100755
index 000000000..8ce2aedf2
--- /dev/null
+++ b/make/photon/notary/builder
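Review bot: `ENV NOTARY_DIR /go/src/github.com/docker/notary` is declared but never used — the `COPY` and `WORKDIR` lines spell the path out again as `/go/src/${NOTARYPKG}`, so the two can drift apart silently; either drop the variable or use it, e.g. `COPY . ${NOTARY_DIR}` and `WORKDIR ${NOTARY_DIR}`. Both `ENV` lines use the legacy space-separated form; `ENV NOTARY_DIR=/go/src/github.com/docker/notary` is the form current build checks expect. The two `RUN go build` steps duplicate the whole `-ldflags` string and each re-runs `git rev-parse`; building both commands in one `RUN` (or capturing the commit once into a variable) keeps the version stamping in a single place. Note that `git rev-parse --short HEAD` needs the `.git` directory inside the build context, so any `.dockerignore` added later must not exclude it.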
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set +e
+
+echo "Usage: #./builder [notary version] [registry username] [registry password]"
+if [ -z $1 ]; then
+ error "Please set the 'version' variable"
+ exit 1
+fi
+if [ -z $2 ]; then
+ error "Please set the 'photonversion' variable"
+ exit 1
+fi
+if [ -z $3 ]; then
+ error "Please set the 'username' variable"
+ exit 1
+fi
+
+
+VERSION="$1"
+USERNAME="$2"
+PASSWORD="$3"
+SIGNER_PHOTONIMAGE=vmware/notary-photon:signer-$VERSION
+SERVER_PHOTONIMAGE=vmware/notary-photon:server-$VERSION
+
+set -e
+
+# the temp folder to store binary file...
+mkdir -p binary
+rm -rf binary || true
+
+cd `dirname $0`
+cur=$PWD
+
+# the temp folder to store notary source code...
+TEMP=`mktemp -d /$TMPDIR/notary.XXXXXX`
+git clone -b $VERSION https://github.com/docker/notary.git $TEMP
+
+echo 'build the notary binary bases on the golang:1.7.3...'
+cp binary.Dockerfile $TEMP
+cd $TEMP
+docker build -f binary.Dockerfile -t notary-golang $TEMP
+
+echo 'copy the notary binary to local...'
+ID=$(docker create notary-golang)
+echo $ID
+cd $cur
+docker cp $ID:/go/src/github.com/docker/notary/notary-server binary
+docker cp $ID:/go/src/github.com/docker/notary/notary-signer binary
+
+docker rm -f $ID
+docker rmi -f notary-golang
+
+docker build -f server.Dockerfile -t $SERVER_PHOTONIMAGE .
+docker build -f signer.Dockerfile -t $SIGNER_PHOTONIMAGE .
+
+echo 'Push image to docker hub.'
+../../pushimage.sh $PHOTONIMAGE $USERNAME $PASSWORD
\ No newline at end of file
diff --git a/make/photon/notary/migrate b/make/photon/notary/migrate
new file mode 100755
index 000000000..0c2dc6a44
Binary files /dev/null and b/make/photon/notary/migrate differ
diff --git a/make/photon/notary/migrations/README.md b/make/photon/notary/migrations/README.md
new file mode 100644
index 000000000..66f87fbe4
--- /dev/null
+++ b/make/photon/notary/migrations/README.md
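Review bot: The final line `../../pushimage.sh $PHOTONIMAGE $USERNAME $PASSWORD` expands `PHOTONIMAGE`, which this script never assigns — only `SIGNER_PHOTONIMAGE` and `SERVER_PHOTONIMAGE` are set — so the push is invoked with an empty image name and neither image built above reaches the registry; it should be two calls, `../../pushimage.sh $SERVER_PHOTONIMAGE $USERNAME $PASSWORD` and `../../pushimage.sh $SIGNER_PHOTONIMAGE $USERNAME $PASSWORD`. The three argument checks call `error`, which is not defined in this script and is not a bash builtin, so a missing argument prints "command not found" instead of the intended message, and the messages name `photonversion` and `username` for `$2` and `$3` while the usage line says these are the username and password; `echo "..." >&2` with corrected wording fixes both. `mktemp -d /$TMPDIR/notary.XXXXXX` becomes `//notary.XXXXXX` when `TMPDIR` is unset, placing the clone at the filesystem root; `mktemp -d "${TMPDIR:-/tmp}/notary.XXXXXX"` is the safe form, and the directory is never removed afterwards. Taking the registry password as a positional argument exposes it to other users through the process list and to the shell history; reading it from an environment variable or prompting for it would avoid that.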
@@ -0,0 +1,8 @@
+# Database Migrations
+
+This directory contains database migrations for the server and signer. They
+are being managed using [this tool](https://github.com/mattes/migrate).
+Within each of the server and signer directories are directories for different
+database backends. Notary server and signer use GORM and are therefore
+capable of running on a number of different databases, however migrations
+may contain syntax specific to one backend.
diff --git a/make/photon/notary/migrations/migrate.sh b/make/photon/notary/migrations/migrate.sh
new file mode 100755
index 000000000..6494b055a
--- /dev/null
+++ b/make/photon/notary/migrations/migrate.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env sh
+
+# When run in the docker containers, the working directory
+# is the root of the repo.
+
+iter=0
+
+case $SERVICE_NAME in
+ notary_server)
+ MIGRATIONS_PATH=${MIGRATIONS_PATH:-migrations/server/mysql}
+ DB_URL=${DB_URL:-mysql://server@tcp(mysql:3306)/notaryserver}
+ # have to poll for DB to come up
+ until migrate -path=$MIGRATIONS_PATH -url=$DB_URL version
+ do
+ iter=$(( iter+1 ))
+ if [[ $iter -gt 30 ]]; then
+ echo "notaryserver database failed to come up within 30 seconds"
+ exit 1;
+ fi
+ echo "waiting for $DB_URL to come up."
+ sleep 1
+ done
+ pre=$(migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" version)
+ if migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" up ; then
+ post=$(migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" version)
+ if [ "$pre" != "$post" ]; then
+ echo "notaryserver database migrated to latest version"
+ else
+ echo "notaryserver database already at latest version"
+ fi
+ else
+ echo "notaryserver database migration failed"
+ exit 1
+ fi
+ ;;
+ notary_signer)
+ MIGRATIONS_PATH=${MIGRATIONS_PATH:-migrations/signer/mysql}
+ DB_URL=${DB_URL:-mysql://signer@tcp(mysql:3306)/notarysigner}
+ # have to poll for DB to come up
+ until migrate -path=$MIGRATIONS_PATH -url=$DB_URL up version
+ do
+ iter=$(( iter+1 ))
+ if [[ $iter -gt 30 ]]; then
+ echo "notarysigner database failed to come up within 30 seconds"
+ exit 1;
+ fi
+ echo "waiting for $DB_URL to come up."
+ sleep 1
+ done
+ pre=$(migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" version)
+ if migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" up ; then
+ post=$(migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" version)
+ if [ "$pre" != "$post" ]; then
+ echo "notarysigner database migrated to latest version"
+ else
+ echo "notarysigner database already at latest version"
+ fi
+ else
+ echo "notarysigner database migration failed"
+ exit 1
+ fi
+ ;;
+esac
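Review bot: The readiness poll in the `notary_signer` branch runs `migrate -path=$MIGRATIONS_PATH -url=$DB_URL up version`, whereas the `notary_server` branch polls with `version` only; the stray `up` means the signer loop may try to apply migrations on every polling attempt (depending on how `migrate` treats the extra argument) rather than just probing, and the deliberate `up` step already follows the loop, so the line should read `until migrate -path=$MIGRATIONS_PATH -url="${DB_URL}" version`. Both branches log `echo "waiting for $DB_URL to come up."`, which prints the full connection URL; the defaults carry no password, but an operator-supplied `DB_URL` commonly does, and it would then land in container logs — log a fixed message or only the host and database name. The shebang is `#!/usr/bin/env sh` but `[[ $iter -gt 30 ]]` is a bash construct that fails under a POSIX `sh` such as dash; `[ "$iter" -gt 30 ]` works in both. The `case` has no `*)` arm, so an unset or misspelled `SERVICE_NAME` exits 0 without running anything; a default arm that prints the unexpected value and exits non-zero would make that failure visible.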
diff --git a/make/photon/notary/migrations/server/mysql/0001_initial.up.sql b/make/photon/notary/migrations/server/mysql/0001_initial.up.sql
new file mode 100644
index 000000000..e864b26c9
--- /dev/null
+++ b/make/photon/notary/migrations/server/mysql/0001_initial.up.sql
@@ -0,0 +1,24 @@
+CREATE TABLE `timestamp_keys` (
+ `id` int(11) NOT NULL AUTO_INCREMENT,
+ `created_at` timestamp NULL DEFAULT NULL,
+ `updated_at` timestamp NULL DEFAULT NULL,
+ `deleted_at` timestamp NULL DEFAULT NULL,
+ `gun` varchar(255) NOT NULL,
+ `cipher` varchar(50) NOT NULL,
+ `public` blob NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `gun` (`gun`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tuf_files` (
+ `id` int(11) NOT NULL AUTO_INCREMENT,
+ `created_at` timestamp NULL DEFAULT NULL,
+ `updated_at` timestamp NULL DEFAULT NULL,
+ `deleted_at` timestamp NULL DEFAULT NULL,
+ `gun` varchar(255) NOT NULL,
+ `role` varchar(255) NOT NULL,
+ `version` int(11) NOT NULL,
+ `data` longblob NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `gun` (`gun`,`role`,`version`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/make/photon/notary/migrations/server/mysql/0002_role_on_keys.up.sql b/make/photon/notary/migrations/server/mysql/0002_role_on_keys.up.sql
new file mode 100644
index 000000000..86f26c623
--- /dev/null
+++ b/make/photon/notary/migrations/server/mysql/0002_role_on_keys.up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE `timestamp_keys` ADD COLUMN `role` VARCHAR(255) NOT NULL, DROP KEY `gun`, ADD UNIQUE KEY `gun_role` (`gun`, `role`);
+
+UPDATE `timestamp_keys` SET `role`="timestamp";
diff --git a/make/photon/notary/migrations/server/mysql/0003_add_sha256_tuf_files.up.sql b/make/photon/notary/migrations/server/mysql/0003_add_sha256_tuf_files.up.sql
new file mode 100644
index 000000000..95a970b43
--- /dev/null
+++ b/make/photon/notary/migrations/server/mysql/0003_add_sha256_tuf_files.up.sql
@@ -0,0 +1,5 @@
+ALTER TABLE `tuf_files` ADD COLUMN `sha256` CHAR(64) DEFAULT NULL, ADD INDEX `sha256` (`sha256`);
+
+-- SHA2 function takes the column name or a string as the first parameter, and the
+-- hash size as the second argument. It returns a hex string.
+UPDATE `tuf_files` SET `sha256` = SHA2(`data`, 256);
diff --git a/make/photon/notary/migrations/server/mysql/0004_drop_timestamp_key.up.sql b/make/photon/notary/migrations/server/mysql/0004_drop_timestamp_key.up.sql
new file mode 100644
index 000000000..78688617f
--- /dev/null
+++ b/make/photon/notary/migrations/server/mysql/0004_drop_timestamp_key.up.sql
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS `timestamp_keys`;
\ No newline at end of file
diff --git a/make/photon/notary/migrations/server/mysql/0005_changefeed.up.sql b/make/photon/notary/migrations/server/mysql/0005_changefeed.up.sql
new file mode 100644
index 000000000..a652c4687
--- /dev/null
+++ b/make/photon/notary/migrations/server/mysql/0005_changefeed.up.sql
@@ -0,0 +1,36 @@
+CREATE TABLE `change_category` (
+ `category` VARCHAR(20) NOT NULL,
+ PRIMARY KEY (`category`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+INSERT INTO `change_category` VALUES ("update"), ("deletion");
+
+CREATE TABLE `changefeed` (
+ `id` int(11) NOT NULL AUTO_INCREMENT,
+ `created_at` timestamp DEFAULT CURRENT_TIMESTAMP,
+ `gun` varchar(255) NOT NULL,
+ `version` int(11) NOT NULL,
+ `sha256` CHAR(64) DEFAULT NULL,
+ `category` VARCHAR(20) NOT NULL DEFAULT "update",
+ PRIMARY KEY (`id`),
+ FOREIGN KEY (`category`) REFERENCES `change_category` (`category`),
+ INDEX `idx_changefeed_gun` (`gun`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+INSERT INTO `changefeed` (
+ `created_at`,
+ `gun`,
+ `version`,
+ `sha256`
+ ) (SELECT
+ `created_at`,
+ `gun`,
+ `version`,
+ `sha256`
+ FROM
+ `tuf_files`
+ WHERE
+ `role` = "timestamp"
+ ORDER BY
+ `created_at` ASC
+);
diff --git a/make/photon/notary/migrations/signer/mysql/0001_initial.up.sql b/make/photon/notary/migrations/signer/mysql/0001_initial.up.sql
new file mode 100644
index 000000000..4cec14000
--- /dev/null
+++ b/make/photon/notary/migrations/signer/mysql/0001_initial.up.sql
@@ -0,0 +1,16 @@
+CREATE TABLE `private_keys` (
+ `id` int(11) NOT NULL AUTO_INCREMENT,
+ `created_at` timestamp NULL DEFAULT NULL,
+ `updated_at` timestamp NULL DEFAULT NULL,
+ `deleted_at` timestamp NULL DEFAULT NULL,
+ `key_id` varchar(255) NOT NULL,
+ `encryption_alg` varchar(255) NOT NULL,
+ `keywrap_alg` varchar(255) NOT NULL,
+ `algorithm` varchar(50) NOT NULL,
+ `passphrase_alias` varchar(50) NOT NULL,
+ `public` blob NOT NULL,
+ `private` blob NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `key_id` (`key_id`),
+ UNIQUE KEY `key_id_2` (`key_id`,`algorithm`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/make/photon/notary/migrations/signer/mysql/0002_gun_role_on_keys.up.sql b/make/photon/notary/migrations/signer/mysql/0002_gun_role_on_keys.up.sql
new file mode 100644
index 000000000..d0563e747
--- /dev/null
+++ b/make/photon/notary/migrations/signer/mysql/0002_gun_role_on_keys.up.sql
@@ -0,0 +1 @@
+ALTER TABLE `private_keys` ADD COLUMN `gun` VARCHAR(255) NOT NULL, ADD COLUMN `role` VARCHAR(255) NOT NULL, ADD COLUMN `last_used` DATETIME NULL DEFAULT NULL;
\ No newline at end of file
diff --git a/make/photon/notary/server.Dockerfile b/make/photon/notary/server.Dockerfile
new file mode 100644
index 000000000..d0e682a47
--- /dev/null
+++ b/make/photon/notary/server.Dockerfile
@@ -0,0 +1,8 @@
+from library/photon:1.0
+
+COPY ./binary/notary-server /bin/notary-server
+COPY ./migrate /bin/migrate
+COPY ./migrations/ /migrations/
+
+ENV SERVICE_NAME=notary_server
+ENTRYPOINT [ "notary-server" ]
\ No newline at end of file
diff --git a/make/photon/notary/signer.Dockerfile b/make/photon/notary/signer.Dockerfile
new file mode 100644
index 000000000..3ef8231cd
--- /dev/null
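Review bot: server.Dockerfile has no `USER` instruction, so `notary-server` runs as root inside the container; the same applies to signer.Dockerfile in the next hunk, where the process that holds the signing private keys is the one that most needs to be unprivileged. Create a system account after the `COPY` lines and switch before `ENTRYPOINT`, e.g. `RUN groupadd -r notary && useradd -r -g notary notary` followed by `USER notary` (assuming the photon:1.0 base ships the shadow tools — worth confirming, otherwise add them in that `RUN`). `COPY ./migrate /bin/migrate` and `COPY ./binary/notary-server /bin/notary-server` ship prebuilt executables that this commit checks in as binary blobs with no recorded source version or checksum, so the image's contents cannot be reviewed or reproduced from the repository; building them in a stage of this Dockerfile, or at least recording the upstream version and a checksum next to them, would restore that. `from library/photon:1.0` should be uppercase `FROM` to match the other instructions.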
+++ b/make/photon/notary/signer.Dockerfile
@@ -0,0 +1,8 @@
+from library/photon:1.0
+
+COPY ./binary/notary-signer /bin/notary-signer
+COPY ./migrate /bin/migrate
+COPY ./migrations/ /migrations/
+
+ENV SERVICE_NAME=notary_signer
+ENTRYPOINT [ "notary-signer" ]
\ No newline at end of file