
Commit 0d83875

committedNov 20, 2018
SSL certificates should not be created on the host
Moving the SSL certificate creation step inside the container.
1 parent 218f753 commit 0d83875

6 files changed

+19
-44
lines changed
 

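--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ hostssl all all 0.0.0.0/0 cert
 
 To run the exmaple do the following:
 ```
-./build_all.sh
+docker-compose build
 docker-compose up
 ```
 # Testing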

‎build_all.sh

-20
This file was deleted.

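--- a/clientnode.Dockerfile
+++ b/clientnode.Dockerfile
@@ -2,10 +2,11 @@ FROM pgsql-pgpool:10
 MAINTAINER m.usama@gmail.com
 #copy the client certificates
 RUN mkdir /home/postgres/.postgresql
+RUN cp ${CERTDIR}/postgresql.key /home/postgres/.postgresql/postgresql.key
+RUN cp ${CERTDIR}/postgresql.crt /home/postgres/.postgresql/postgresql.crt
+RUN cp ${CERTDIR}/root.crt /home/postgres/.postgresql/root.crt
+
 
-COPY certs/postgresql.key /home/postgres/.postgresql/postgresql.key
-COPY certs/postgresql.crt /home/postgres/.postgresql/postgresql.crt
-COPY certs/root.crt /home/postgres/.postgresql/root.crt
 RUN chmod 0600 /home/postgres/.postgresql/postgresql.key
 RUN chown postgres:postgres /home/postgres/.postgresql/postgresql.key
 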
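Review bot: The three new `RUN cp` lines each write the client private key into its own image layer, on top of the copy that already lives in `${CERTDIR}` in the base image, and the `chmod 0600`/`chown` that follow cover only the key while the directory and the two certificates keep whatever owner the build user gave them. Folding the copy and the permission fix into the existing mkdir step keeps the key to one layer and hands the whole directory to postgres: `RUN mkdir -p /home/postgres/.postgresql && cp ${CERTDIR}/postgresql.key ${CERTDIR}/postgresql.crt ${CERTDIR}/root.crt /home/postgres/.postgresql/ && chmod 0600 /home/postgres/.postgresql/postgresql.key && chown -R postgres:postgres /home/postgres/.postgresql`. `${CERTDIR}` is not defined in this file, so it presumably comes from the `pgsql-pgpool:10` base image's ENV; an empty value would make every `cp` resolve to `/postgresql.key` and fail the build only at that step. The same three-`RUN cp` pattern appears in pgnode.Dockerfile and pgpoolnode.Dockerfile.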

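--- a/pg-pgpool.Dockerfile
+++ b/pg-pgpool.Dockerfile
@@ -30,13 +30,13 @@ RUN echo 'postgres ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
 RUN echo 'postgres:postgres'|chpasswd
 
 #copy scripts for generating certificates
-#RUN mkdir ${CERTDIR}
-#COPY ./scripts/generate_client_ssl_crt.sh ${CERTDIR}/generate_client_ssl_crt.sh
-#COPY ./scripts/generate_server_ssl_crt.sh ${CERTDIR}/generate_server_ssl_crt.sh
+RUN mkdir ${CERTDIR}
+COPY ./scripts/generate_client_ssl_crt.sh ${CERTDIR}/generate_client_ssl_crt.sh
+COPY ./scripts/generate_server_ssl_crt.sh ${CERTDIR}/generate_server_ssl_crt.sh
 
 #create certificates
-#RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_server_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_server_ssl_crt.sh ${CERTUSERNAME}; fi
-#RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_client_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_client_ssl_crt.sh ${CERTUSERNAME}; fi
+RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_server_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_server_ssl_crt.sh ${CERTUSERNAME}; fi
+RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_client_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_client_ssl_crt.sh ${CERTUSERNAME}; fi
 
 #initialize database
 RUN service ${PGSERVICE_NAME} initdb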
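Review bot: Enabling the two `RUN if … ./generate_*_ssl_crt.sh` lines generates the server and client private keys during the build and stores them as layers of this image, so every image built or pulled from it, and every derived image that `cp`s from `${CERTDIR}`, carries identical key material; that is fine for a local example but deserves a comment under `#create certificates`, e.g. `# NOTE: keys generated here are baked into the image layers and shared by every derived image; mount real certificates or generate them at container start for anything beyond a local demo`. Each conditional can shrink to one line with a shell default, `RUN cd ${CERTDIR} && ./generate_server_ssl_crt.sh "${CERTUSERNAME:-certuser}"`, and a `WORKDIR ${CERTDIR}` would replace the repeated `cd` (hadolint DL3003). Whether the scripts brought in by `COPY ./scripts/generate_*_ssl_crt.sh` are executable depends on their mode in the repository; a `chmod +x` in the same layer as the COPY would make the build independent of that.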

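--- a/pgnode.Dockerfile
+++ b/pgnode.Dockerfile
@@ -9,19 +9,15 @@ ENV ROLE_=$ROLE
 ENV MASTER_IP_=$MASTER_IP
 
 
-#copy the client certificates
-#RUN mkdir ~/.postgresql
-
 COPY ./scripts/setup_pg_server.sh /tmp/setup_pg_server.sh
 RUN chmod u+x /tmp/setup_pg_server.sh
 RUN sed -i "s/^MASTER_IP=/MASTER_IP=$MASTER_IP/" /tmp/setup_pg_server.sh
 RUN sed -i "s/^ROLE=/ROLE=$ROLE/" /tmp/setup_pg_server.sh
 
-#copy the server certificates
-COPY certs/server.key ${PGDATA}/server.key
-COPY certs/server.crt ${PGDATA}/server.crt
-COPY certs/root.crt ${PGDATA}/root.crt
-
+#copy the server certificates data directory
+RUN cp ${CERTDIR}/server.key ${PGDATA}/server.key
+RUN cp ${CERTDIR}/server.crt ${PGDATA}/server.crt
+RUN cp ${CERTDIR}/root.crt ${PGDATA}/root.crt
 
 RUN chmod 0600 ${PGDATA}/server.key && chown postgres:postgres ${PGDATA}/server.key
 RUN chmod 0600 ${PGDATA}/server.crt && chown postgres:postgres ${PGDATA}/server.crt
@@ -36,6 +32,7 @@ RUN echo "listen_addresses = '*'" >> ${PGDATA}/postgresql.conf
 RUN echo "ssl = on" >> ${PGDATA}/postgresql.conf
 RUN echo "ssl_cert_file = 'server.crt'" >> ${PGDATA}/postgresql.conf
 RUN echo "ssl_key_file = 'server.key'" >> ${PGDATA}/postgresql.conf
+RUN echo "ssl_ca_file = 'root.crt'" >> ${PGDATA}/postgresql.conf
 
 RUN echo "local all all trust" > ${PGDATA}/pg_hba.conf
 RUN echo "local replication all trust" >> ${PGDATA}/pg_hba.conf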
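Review bot: The new comment `#copy the server certificates data directory` drops a word; `#copy the server certificates into the data directory` says what the three `RUN cp` lines under it do. In the second hunk, `ssl_ca_file = 'root.crt'` makes the server check any client certificate it is presented against root.crt, which is what the `hostssl all all 0.0.0.0/0 cert` rule shown in the README hunk header relies on; root.crt is copied into `${PGDATA}` by the build user, and the `chmod`/`chown` lines visible here cover only server.key and server.crt, so confirm further down the file (outside this hunk) that root.crt ends up readable by postgres.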

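--- a/pgpoolnode.Dockerfile
+++ b/pgpoolnode.Dockerfile
@@ -8,18 +8,15 @@ ENV PGPORT=5432
 ENV PGPOOLPORT=9999
 ENV PCPPORT=9898
 
-#copy the server certificates
-#COPY server.key /server.key
-#COPY server.crt /server.crt
-#COPY root.crt /root.crt
 COPY scripts/wait_for_pg_server.sh /tmp/wait_for_pg_server.sh
 RUN sed -i "s/^IP=/IP=$SLAVE_IP/" /tmp/wait_for_pg_server.sh
 RUN sed -i "s/^PORT=/PORT=5432/" /tmp/wait_for_pg_server.sh
 
+#copy the server certificates to certs dir
 RUN mkdir /certs
-COPY certs/server.key /certs/server.key
-COPY certs/server.crt /certs/server.crt
-COPY certs/root.crt /certs/root.crt
+RUN cp ${CERTDIR}/server.key /certs/server.key
+RUN cp ${CERTDIR}/server.crt /certs/server.crt
+RUN cp ${CERTDIR}/root.crt /certs/root.crt
 
 # Set up pgpool config files
 RUN sed -i "s/^backend_hostname0 = .*/backend_hostname0 = '${MASTER_IP}'/" ${PGPOOLCONF}/pgpool.conf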
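Review bot: `RUN cp ${CERTDIR}/server.key /certs/server.key` leaves the copied private key with whatever mode and owner `cp` produces, and unlike the matching hunks in pgnode.Dockerfile and clientnode.Dockerfile no `chmod 0600`/`chown` follows it here; the file continues past the hunk, so this may be handled below, but if it is not, either pgpool cannot read a root-owned 0600 key or, if the copy came out group/world readable, every process in the container can. Folding the permission fix into the copy keeps it to one layer: `RUN cp ${CERTDIR}/server.key ${CERTDIR}/server.crt ${CERTDIR}/root.crt /certs/ && chmod 0600 /certs/server.key && chown postgres:postgres /certs/server.key`. Which user pgpool runs as is not visible in this hunk, so the owner should match that user rather than be assumed to be postgres.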
