Successfully run webserver from Docker image

2020-12-25 19:34:15 -08:00 · 2020-12-25 19:34:15 -08:00 · 2e6aafbcb3
parent 938e41b1c6
commit 2e6aafbcb3
15 changed files with 325 additions and 17 deletions
--- a/19
+++ b/19
@ -28,6 +28,8 @@ image:
 	@: $${I}
 ifeq ($(I),composite)
 	node tools/build-composite-image.js
 else ifeq ($(I),app)
 	docker build . -f docker/$(I)/Dockerfile -t riju:$(I)
 else
 	docker build . -f docker/$(I)/Dockerfile -t riju:$(I) --pull
 endif
@ -51,13 +53,24 @@ pkg:
 VOLUME_MOUNT ?= $(PWD)
 P1 ?= 6119
 P2 ?= 6120
 ifneq (,$(E))
 SHELL_PORTS := -p 127.0.0.1:$(P1):6119 -p 127.0.0.1:$(P2):6120
 else
 SHELL_PORTS :=
 endif
 .PHONY: shell
 shell:
 	@: $${I}
 ifeq ($(I),admin)
-	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.aws:/var/riju/.aws:ro -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e VOLUME_MOUNT=$(VOLUME_MOUNT) --network host riju:$(I)
+	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.aws:/var/riju/.aws -v $(HOME)/.docker:/var/riju/.docker -v $(HOME)/.terraform.d:/var/riju/.terraform.d -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e VOLUME_MOUNT=$(VOLUME_MOUNT) $(SHELL_PORTS) --network host riju:$(I)
 else ifeq ($(I),compile)
 	docker run -it --rm --hostname $(I) $(SHELL_PORTS) riju:$(I)
 else
-	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src -p 127.0.0.1:6119:6119 -p 127.0.0.1:6120:6120 riju:$(I)
+	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src $(SHELL_PORTS) riju:$(I)
 endif
 .PHONY: install
@ -99,8 +112,6 @@ build: frontend system
 dev:
 	make -j3 frontend-dev system-dev server-dev
 ### Run application code
 ### Fetch artifacts from registries
 .PHONY: pull
--- a/backend/server.js
+++ b/backend/server.js
@ -47,7 +47,7 @@ app.get("/:lang", (req, res) => {
      analyticsEnabled,
    });
  } else {
-    res.send(`No such language: ${lang}`);
+    res.send(404, `No such language: ${lang}\n`);
  }
 });
 app.use("/css", express.static("frontend/styles"));
--- a/docker/admin/install.bash
+++ b/docker/admin/install.bash
@ -11,6 +11,7 @@ apt-get update
 apt-get install -y curl gnupg lsb-release
 curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
 curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
 curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
@ -21,13 +22,33 @@ ubuntu_name="$(lsb_release -cs)"
 node_repo="$(curl -sS https://deb.nodesource.com/setup_current.x | grep NODEREPO= | grep -Eo 'node_[0-9]+\.x' | head -n1)"
 tee -a /etc/apt/sources.list.d/custom.list >/dev/null <<EOF
 deb [arch=amd64] https://apt.releases.hashicorp.com ${ubuntu_name} main
 deb [arch=amd64] https://deb.nodesource.com/${node_repo} ${ubuntu_name} main
 deb [arch=amd64] https://dl.yarnpkg.com/debian/ stable main
-deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable
+deb [arch=amd64] https://download.docker.com/linux/ubuntu ${ubuntu_name} stable
 EOF
 packages="
 docker-ce-cli
 jq
 less
 make
 man
 nodejs
 packer
 sudo
 tmux
 terraform
 unzip
 vim
 wget
 yarn
 "
 apt-get update
-apt-get install -y docker-ce-cli less make man nodejs sudo tmux unzip wget yarn
+apt-get install -y $(sed 's/#.*//' <<< "${packages}")
 wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -O awscli.zip
 unzip awscli.zip
--- a/docker/admin/pid1.bash
+++ b/docker/admin/pid1.bash
@ -7,6 +7,8 @@ useradd -u "$(stat -c %u "$PWD")" -g "$(stat -c %g "$PWD")" -o -p '!' -m -N -l -
 runuser -u riju -- touch /home/riju/.sudo_as_admin_successful
 runuser -u riju -- ln -sT /var/riju/.aws /home/riju/.aws
 runuser -u riju -- ln -sT /var/riju/.docker /home/riju/.docker
 runuser -u riju -- ln -sT /var/riju/.terraform.d /home/riju/.terraform.d
 runuser -u riju -- yarn install
 exec runuser -u riju "$@"
--- a/docker/app/Dockerfile
+++ b/docker/app/Dockerfile
@ -1,11 +1,13 @@
 FROM riju:compile AS compile
 FROM riju:composite
 ENTRYPOINT ["/usr/local/sbin/my_init"]
 RUN useradd -p '!' -m -l -s /usr/bin/bash riju
 WORKDIR /src
-COPY --chown=riju:riju --from=compile . ./
+COPY --chown=riju:riju --from=compile /src ./
 RUN chown root:riju system/out/*-privileged && chmod a=,g=rx,u=rwxs system/out/*-privileged
 USER riju
 CMD ["make", "server"]
--- a/docker/compile/Dockerfile
+++ b/docker/compile/Dockerfile
@ -1,9 +1,13 @@
-FROM ubuntu:rolling AS build
+FROM ubuntu:rolling
-COPY docker/runtime/install.bash /tmp/
+COPY docker/compile/install.bash /tmp/
 RUN /tmp/install.bash
 WORKDIR /src
 COPY Makefile ./
 COPY system ./system/
 RUN make system
 COPY package.json yarn.lock ./
 RUN yarn install
@ -12,9 +16,6 @@ COPY webpack.config.cjs ./
 COPY frontend/src ./frontend/src/
 RUN make frontend
 COPY system ./system/
 RUN make system
 COPY frontend/pages ./frontend/pages/
 COPY frontend/styles ./frontend/styles/
 COPY backend ./backend/
--- a/docker/compile/install.bash
+++ b/docker/compile/install.bash
@ -0,0 +1,26 @@
 #!/usr/bin/env bash
 set -euxo pipefail
 export DEBIAN_FRONTEND=noninteractive
 apt-get update
 apt-get dist-upgrade -y
 apt-get install -y curl gnupg lsb-release
 curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
 curl -sSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 ubuntu_ver="$(lsb_release -rs)"
 ubuntu_name="$(lsb_release -cs)"
 node_repo="$(curl -sS https://deb.nodesource.com/setup_current.x | grep NODEREPO= | grep -Eo 'node_[0-9]+\.x' | head -n1)"
 tee -a /etc/apt/sources.list.d/custom.list >/dev/null <<EOF
 deb https://deb.nodesource.com/${node_repo} ${ubuntu_name} main
 deb https://dl.yarnpkg.com/debian/ stable main
 EOF
 apt-get update
 apt-get install -y clang g++ make nodejs sudo yarn
--- a/packer/provision.bash
+++ b/packer/provision.bash
@ -0,0 +1,54 @@
 #!/usr/bin/env bash
 set -euo pipefail
 export DEBIAN_FRONTEND=noninteractive
 apt-get update
 apt-get dist-upgrade
 apt-get install -y curl gnupg lsb-release
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
 ubuntu_name="$(lsb_release -cs)"
 tee -a /etc/apt/sources.list.d/custom.list >/dev/null <<EOF
 deb [arch=amd64] https://download.docker.com/linux/ubuntu ${ubuntu_name} stable
 EOF
 apt-get update
 apt-get install docker-ce docker-ce-cli containerd.io
 sed -i "s#DOCKER_REPO_REPLACED_BY_PACKER#${DOCKER_REPO}#" /usr/local/bin/riju-deploy
 for user in admin deploy; do
    if ! grep -vq "PRIVATE KEY" "/tmp/id_${user}.pub"; then
        echo "${user} public key was set to a private key, aborting" >&2
        exit 1
    fi
    IFS=" " read contents < "/tmp/id_${user}.pub"
    echo "${contents}" > "/tmp/id_${user}.pub"
 done
 sed -Ei 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
 sed -Ei 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
 sed -Ei 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
 passwd -l root
 useradd admin -g admin -G sudo -s /usr/bin/bash -p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s)" -m
 useradd deploy -s /usr/bin/bash -p "!"
 for user in admin deploy; do
    mkdir -p "/home/${user}/.ssh"
    mv "/tmp/id_${user}.pub" "/home/${user}/.ssh/authorized_keys"
    chown -R "${user}:${user}" "/home/${user}/.ssh"
    chmod -R go-rwx "/home/${user}/.ssh"
 done
 sed -i 's/^/command="sudo riju-deploy",restrict/' /home/deploy/.ssh/authorized_keys
 cat <<"EOF" > /etc/sudoers.d/riju
 deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy
 EOF
--- a/packer/riju
+++ b/packer/riju
@ -0,0 +1,36 @@
 #!/usr/bin/env bash
 set -euo pipefail
 domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)"
 if [[ -n "${domain}" ]]; then
    echo "Detected cert for domain: ${domain}, enabling TLS" >&2
    export TLS=1
    TLS_PRIVATE_KEY="$(base64 "/etc/letsencrypt/live/${domain}/privkey.pem")"
    TLS_CERTIFICATE="$(base64 "/etc/letsencrypt/live/${domain}/fullchain.pem")"
    export TLS_PRIVATE_KEY TLS_CERTIFICATE
    if [[ "${domain}" == riju.codes ]]; then
        echo "Domain is riju.codes, enabling analytics" >&2
        export ANALYTICS=1
    else
        echo "Domain is not riju.codes, disabling analytics" >&2
    fi
 else
    echo "No certs installed in /etc/letsencrypt/live, disabling TLS" >&2
 fi
 if [[ -n "${DETACH:-}" ]]; then
    extra_args="-d"
 elif [[ -t 1 ]]; then
    extra_args="-it"
 else
    extra_args=
 fi
 port_args="${PORT_MAPPING:--p 0.0.0.0:80:6119 -p 0.0.0.0:443:6120}"
 docker run --rm ${port_args} ${extra_args} \
       -e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE -e ANALYTICS \
       -h riju --name "${CONTAINER_NAME:-riju-prod}" \
       "${IMAGE_NAME}:-riju:app"
--- a/packer/riju-deploy
+++ b/packer/riju-deploy
@ -0,0 +1,41 @@
 #!/usr/bin/env bash
 set -euo pipefail
 DOCKER_REPO="${DOCKER_REPO:-DOCKER_REPO_REPLACED_BY_PACKER}"
 if (( $# != 1 )); then
    echo "usage: ssh deploy@riju COMMIT-SHA" >&2
    exit 1
 fi
 commit="$1"
 if [[ "$(echo -n "${commit}" | wc -c)" != 40 ]]; then
    echo "riju-deploy: invalid commit SHA: ${commit}" >&2
    exit 1
 fi
 image="${DOCKER_REPO}:app-${commit}"
 echo "Pull image to be deployed..."
 docker pull "${image}"
 echo "Start new image in test container..." >&2
 CONTAINER_NAME=riju-test IMAGE_NAME="${image}" DETACH=1 \
              PORT_MAPPING="-p 127.0.0.1:6119:6119" riju
 echo "Wait for web server to come up..." >&2
 sleep 10
 echo "Test web server health..." >&2
 curl -fsSL http://localhost:6119 | head -n15
 echo "Tear down test container..." >&2
 docker stop riju-test
 echo "Retag production image..." >&2
 docker tag "${image}" riju:app
 echo "Restart production server..." >&2
 systemctl restart riju
--- a/packer/riju.service
+++ b/packer/riju.service
@ -0,0 +1,12 @@
 [Unit]
 Description=Riju online coding sandbox
 Requires=docker.service
 After=docker.service
 [Service]
 Type=exec
 ExecStart=riju
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/packer/server.json
+++ b/packer/server.json
@ -0,0 +1,70 @@
 {
  "variables": {
    "docker_repo": "{{env `DOCKER_REPO`}}",
    "admin_password": "{{env `ADMIN_PASSWORD`}}",
    "admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}",
    "deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "root-device-type": "ebs",
          "name": "ubuntu/images/ubuntu-groovy-20.10-amd64-server-*"
        },
        "owners": ["099720109477"],
        "most_recent": true
      },
      "instance_type": "t3.micro",
      "ssh_username": "ubuntu",
      "ami_name": "riju-{{timestamp}}"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "script": "validate.bash",
      "environment_vars": [
        "DOCKER_REPO={{user `docker_repo`}}",
        "ADMIN_PASSWORD={{user `admin_password`}}",
        "ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}",
        "DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}"
      ]
    },
    {
      "type": "file",
      "source": "riju",
      "destination": "/usr/local/bin/riju"
    },
    {
      "type": "file",
      "source": "riju-deploy",
      "destination": "/usr/local/bin/riju-deploy"
    },
    {
      "type": "file",
      "source": "riju.service",
      "destination": "/etc/systemd/system/riju.service"
    },
    {
      "type": "file",
      "source": "{{user `admin_ssh_public_key_file`}}",
      "destination": "/tmp/id_admin.pub"
    },
    {
      "type": "file",
      "source": "{{user `deploy_ssh_public_key_file`}}",
      "destination": "/tmp/id_deploy.pub"
    },
    {
      "type": "shell",
      "script": "provision.bash",
      "environment_vars": [
        "DOCKER_REPO={{user `docker_repo`}}",
        "ADMIN_PASSWORD={{user `admin_password`}}"
      ]
    }
  ]
 }
--- a/packer/validate.bash
+++ b/packer/validate.bash
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
 : ${DOCKER_REPO}
 : ${ADMIN_PASSWORD}
 : ${ADMIN_SSH_PUBLIC_KEY_FILE}
 : ${DEPLOY_SSH_PUBLIC_KEY_FILE}
--- a/system/compile.bash
+++ b/system/compile.bash
@ -19,7 +19,9 @@ for src in system/src/*.c; do
    out="${out/.c}"
    verbosely clang -Wall -Wextra -Werror -std=c11 "${src}" -o "${out}"
    if [[ "${out}" == *-privileged ]]; then
-        sudo chown root:riju "${out}"
+        if getent group riju >/dev/null; then
            sudo chown root:riju "${out}"
        fi
        sudo chmod a=,g=rx,u=rwxs "${out}"
    fi
 done
--- a/tf/infra.tf
+++ b/tf/infra.tf
@ -13,15 +13,37 @@ terraform {
  }
 }
 locals {
  tags = {
    Terraform = "Managed by Terraform"
  }
 }
 data "external" "env" {
  program = ["jq", "-n", "env"]
 }
 provider "aws" {
  profile = "default"
  region  = "us-west-1"
 }
 data "aws_region" "current" {}
 resource "aws_s3_bucket" "riju_debs" {
  bucket = "riju-debs"
  acl    = "public-read"
-  tags = {
+  tags   = local.tags
-    Terraform = "Managed by Terraform"
+}
-  }
+
 resource "aws_instance" "server" {
  instance_type = "t3.micro"
  ami           = data.external.env.result.AMI_ID
  tags          = local.tags
 }
 resource "aws_ebs_volume" "data" {
  availability_zone = "${data.aws_region.current.name}a"
  size              = 100
  tags              = local.tags
 }