Merge pull request #535 from endophage/official_mysql_image

Use official mariadb image

docker-compose.yml

@@ -1,27 +1,34 @@
-notaryserver:
+server:
   build: .
   dockerfile: server.Dockerfile
   links:
-   - notarymysql
-   - notarysigner
-  ports:
-   - "8080"
-   - "4443:4443"
+    - mysql
+    - signer
+    - signer:notarysigner
   environment:
-   - SERVICE_NAME=notary
-  command: -config=fixtures/server-config.json
-notarysigner:
-  volumes:
-   - /dev/bus/usb/003/010:/dev/bus/usb/002/010
-   - /var/run/pcscd/pcscd.comm:/var/run/pcscd/pcscd.comm
+    - SERVICE_NAME=notary_server
+  ports:
+    - "8080"
+    - "4443:4443"
+  entrypoint: /bin/bash
+  command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.json"
+signer:
   build: .
   dockerfile: signer.Dockerfile
   links:
-   - notarymysql
-  command: -config=fixtures/signer-config.json
-notarymysql:
+    - mysql
+  environment:
+    - SERVICE_NAME=notary_signer
+  entrypoint: /bin/bash
+  command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.json"
+mysql:
   volumes:
-    - notarymysql:/var/lib/mysql
-  build: ./notarymysql/
+    - ./notarymysql/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+    - notary_data:/var/lib/mysql
+  image: mariadb:10.1.10
   ports:
     - "3306:3306"
+  environment:
+    - TERM=dumb
+    - MYSQL_ALLOW_EMPTY_PASSWORD="true"
+  command: mysqld --innodb_file_per_table

fixtures/server-config.json

@@ -18,6 +18,6 @@
 	},
 	"storage": {
 		"backend": "mysql",
-		"db_url": "server@tcp(notarymysql:3306)/notaryserver?parseTime=True"
+		"db_url": "server@tcp(mysql:3306)/notaryserver?parseTime=True"
 	}
 }

fixtures/signer-config.json

@@ -11,6 +11,6 @@
 	},
 	"storage": {
 		"backend": "mysql",
-		"db_url": "signer@tcp(notarymysql:3306)/notarysigner?parseTime=True"
+		"db_url": "signer@tcp(mysql:3306)/notarysigner?parseTime=True"
 	}
 }

migrations/migrate.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# When run in the docker containers, the working directory
+# is the root of the repo.
+
+iter=0
+
+case $SERVICE_NAME in
+	notary_server)
+		# have to poll for DB to come up
+		until migrate -path=migrations/server/mysql -url="mysql://server@tcp(mysql:3306)/notaryserver" version > /dev/null
+		do
+			((iter++))
+			if (( iter > 30 )); then
+				echo "notaryserver database failed to come up within 30 seconds"
+				exit 1;
+			fi
+			echo "waiting for notarymysql to come up."
+			sleep 1
+		done
+		pre=$(migrate -path=migrations/server/mysql -url="mysql://server@tcp(mysql:3306)/notaryserver" version)
+		if migrate -path=migrations/server/mysql -url="mysql://server@tcp(mysql:3306)/notaryserver" up ; then
+			post=$(migrate -path=migrations/server/mysql -url="mysql://server@tcp(mysql:3306)/notaryserver" version)
+			if [ "$pre" != "$post" ]; then
+				echo "notaryserver database migrated to latest version"
+			else
+				echo "notaryserver database already at latest version"
+			fi
+		else
+			echo "notaryserver database migration failed"
+			exit 1
+		fi
+		;;
+	notary_signer)
+		# have to poll for DB to come up
+		until migrate -path=migrations/signer/mysql -url="mysql://signer@tcp(mysql:3306)/notarysigner" version > /dev/null
+		do
+			((iter++))
+			if (( iter > 30 )); then
+				echo "notarysigner database failed to come up within 30 seconds"
+				exit 1;
+			fi
+			echo "waiting for notarymysql to come up."
+			sleep 1
+		done
+		pre=$(migrate -path=migrations/signer/mysql -url="mysql://signer@tcp(mysql:3306)/notarysigner" version)
+		if migrate -path=migrations/signer/mysql -url="mysql://signer@tcp(mysql:3306)/notarysigner" up ; then 
+			post=$(migrate -path=migrations/signer/mysql -url="mysql://signer@tcp(mysql:3306)/notarysigner" version)
+			if [ "$pre" != "$post" ]; then
+				echo "notarysigner database migrated to latest version"
+			else
+				echo "notarysigner database already at latest version"
+			fi
+		else
+			echo "notarysigner database migration failed"
+			exit 1
+		fi
+		;;
+esac

migrations/server/mysql/0001_initial.down.sql

@@ -1,3 +0,0 @@
-DROP TABLE `timestamp_keys`;
-
-DROP TABLE `tuf_files`;

migrations/server/mysql/0002_role_on_keys.down.sql

@@ -1 +0,0 @@
-ALTER TABLE `timestamp_keys` DROP KEY `gun_role`, DROP COLUMN `role`, ADD UNIQUE KEY `gun` (`gun`);

migrations/server/mysql/0003_add_sha256_tuf_files.down.sql

@@ -1 +0,0 @@
-ALTER TABLE `tuf_files` DROP INDEX `sha256`, DROP COLUMN `sha256`;

migrations/signer/mysql/0001_initial.down.sql

@@ -1 +0,0 @@
-DROP TABLE `private_keys`;

notarymysql/Dockerfile

@@ -1,17 +0,0 @@
-FROM ubuntu:14.04
-MAINTAINER diogo@docker.com
-
-RUN apt-get update \
- && apt-get install -y mysql-server \
- && rm -rf /var/lib/mysql/mysql \
- && rm -rf /var/lib/apt/lists/*
-
-ADD start /start
-ADD initial-notaryserver.sql /initial-notaryserver.sql
-ADD initial-notarysigner.sql /initial-notarysigner.sql
-ADD migrate-notaryserver.sql /migrate-notaryserver.sql
-RUN chmod 755 /start
-
-EXPOSE 3306
-
-CMD ["/start"]

notarymysql/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Sameer Naik
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

notarymysql/docker-entrypoint-initdb.d/initial-notaryserver.sql

@@ -0,0 +1,7 @@
+CREATE DATABASE IF NOT EXISTS `notaryserver`;
+
+CREATE USER "server"@"%" IDENTIFIED BY "";
+
+GRANT
+	ALL PRIVILEGES ON `notaryserver`.* 
+	TO "server"@"%";

notarymysql/docker-entrypoint-initdb.d/initial-notarysigner.sql

@@ -0,0 +1,7 @@
+CREATE DATABASE IF NOT EXISTS `notarysigner`;
+
+CREATE USER "signer"@"%" IDENTIFIED BY "";
+
+GRANT
+	ALL PRIVILEGES ON `notarysigner`.* 
+	TO "signer"@"%";

notarymysql/initial-notaryserver.sql

@@ -1,20 +0,0 @@
-DROP TABLE IF EXISTS `tuf_files`;
-CREATE TABLE `tuf_files` (
-	`id` int(11) NOT NULL AUTO_INCREMENT,
-	`gun` varchar(255) NOT NULL,
-	`role` varchar(255) NOT NULL,
-	`version` int(11) NOT NULL,
-	`sha256` char(64) DEFAULT NULL,
-	`data` longblob NOT NULL,
-	PRIMARY KEY (`id`),
-	UNIQUE KEY `gun` (`gun`,`role`,`version`),
-	INDEX `sha256` (`sha256`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-DROP TABLE IF EXISTS `timestamp_keys`;
-CREATE TABLE `timestamp_keys` (
-	`gun` varchar(255) NOT NULL,
-	`cipher` varchar(50) NOT NULL,
-	`public` blob NOT NULL,
-	PRIMARY KEY (`gun`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;

notarymysql/initial-notarysigner.sql

@@ -1,17 +0,0 @@
-DROP TABLE IF EXISTS `private_keys`;
-CREATE TABLE `private_keys` (
-	`id` int(11) NOT NULL AUTO_INCREMENT,
-	`created_at` timestamp NULL DEFAULT NULL,
-	`updated_at` timestamp NULL DEFAULT NULL,
-	`deleted_at` timestamp NULL DEFAULT NULL,
-	`key_id`  varchar(255) NOT NULL,
-	`encryption_alg`  varchar(255) NOT NULL,
-	`keywrap_alg`  varchar(255) NOT NULL,
-	`algorithm`  varchar(50) NOT NULL,
-	`passphrase_alias`  varchar(50) NOT NULL,
-	`public`  blob NOT NULL,
-	`private`  blob NOT NULL,
-	PRIMARY KEY (`id`),
-	UNIQUE (`key_id`),
-	UNIQUE (`key_id`,`algorithm`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;

notarymysql/migrate-notaryserver.sql

@@ -1,20 +0,0 @@
--- This migrates initial-notaryserver.sql to tables that are needed for GORM
-
-ALTER TABLE `tuf_files`
-ADD COLUMN `created_at` timestamp NULL DEFAULT NULL AFTER `id`,
-ADD COLUMN `updated_at` timestamp NULL DEFAULT NULL AFTER `created_at`,
-ADD COLUMN `deleted_at` timestamp NULL DEFAULT NULL AFTER `updated_at`,
-MODIFY `id` int(10) unsigned AUTO_INCREMENT;
-
-ALTER TABLE `timestamp_keys`
-ADD COLUMN `id` int(10) unsigned AUTO_INCREMENT FIRST,
-ADD COLUMN `created_at` timestamp NULL DEFAULT NULL AFTER `id`,
-ADD COLUMN `updated_at` timestamp NULL DEFAULT NULL AFTER `created_at`,
-ADD COLUMN `deleted_at` timestamp NULL DEFAULT NULL AFTER `updated_at`,
-DROP PRIMARY KEY,
-ADD PRIMARY KEY (`id`),
-ADD UNIQUE (`gun`);
-
-ALTER TABLE `timestamp_keys` ADD COLUMN `role` VARCHAR(255) NOT NULL, DROP KEY `gun`, ADD UNIQUE KEY `gun_role` (`gun`, `role`);
-
-UPDATE `timestamp_keys` SET `role`="timestamp";

notarymysql/start

@@ -1,167 +0,0 @@
-#!/bin/bash
-set -e
-
-# This database is used by both of Notary-Server and Notary-Signer
-# the early days which we would not use it any longer.
-DB_NAME_OLD='notary'
-
-# Message which will be displayed when the database 'notary' exsits.
-DB_WARNING="
-=============== WARNING =================
-# The schema has changed.               #
-# Make sure you migrate the tables in   #
-# 'notary'                              #
-# to                                    #
-# 'notaryserver' and 'notarysigner'     #
-=========================================
-"
-
-# Although the Notary-Server and Notary-Signer could use the same
-# database, it's better to separate that for security.
-DB_NAME_SERVER='notaryserver'
-DB_NAME_SIGNER='notarysigner'
-DB_NAME=($DB_NAME_SERVER,$DB_NAME_SIGNER)
-
-DB_TABLE_FILES='tuf_files'
-DB_TABLE_KEYS='timestamp_keys'
-DB_USER='root'
-DB_PASS=''
-
-# Default username and password for Notary-Server
-DB_USER_SERVER='server'
-DB_PASS_SERVER=''
-
-# Default username and password for Notary-Signer
-DB_USER_SIGNER='signer'
-DB_PASS_SIGNER=''
-
-DB_REMOTE_ROOT_NAME=''
-DB_REMOTE_ROOT_PASS=''
-DB_REMOTE_ROOT_HOST=''
-
-# disable error log
-sed 's/^log_error/# log_error/' -i /etc/mysql/my.cnf
-
-# Fixing StartUp Porblems with some DNS Situations and Speeds up the stuff
-# http://www.percona.com/blog/2008/05/31/dns-achilles-heel-mysql-installation/
-cat > /etc/mysql/conf.d/mysql-skip-name-resolv.cnf <<EOF
-[mysqld]
-skip_name_resolve
-EOF
-
-# fix permissions and ownership of /var/lib/mysql
-mkdir -p -m 700 /var/lib/mysql
-chown -R mysql:mysql /var/lib/mysql
-
-# fix permissions and ownership of /run/mysqld
-mkdir -p -m 0755 /run/mysqld
-chown -R mysql:root /run/mysqld
-
-#
-# the default password for the debian-sys-maint user is randomly generated
-# during the installation of the mysql-server package.
-#
-# Due to the nature of docker we blank out the password such that the maintenance
-# user can login without a password.
-#
-sed 's/password = .*/password = /g' -i /etc/mysql/debian.cnf
-
-# initialize MySQL data directory
-if [ ! -d /var/lib/mysql/mysql ]; then
-  echo "Installing database..."
-  mysql_install_db --user=mysql >/dev/null 2>&1
-
-  # start mysql server
-  echo "Starting MySQL server..."
-  /usr/bin/mysqld_safe >/dev/null 2>&1 &
-
-  # wait for mysql server to start (max 30 seconds)
-  timeout=30
-  echo -n "Waiting for database server to accept connections"
-  while ! /usr/bin/mysqladmin -u root status >/dev/null 2>&1
-  do
-    timeout=$(($timeout - 1))
-    if [ $timeout -eq 0 ]; then
-      echo -e "\nCould not connect to database server. Aborting..."
-      exit 1
-    fi
-    echo -n "."
-    sleep 1
-  done
-  echo
-
-  ## create a localhost only, debian-sys-maint user
-  ## the debian-sys-maint is used while creating users and database
-  ## as well as to shut down or starting up the mysql server via mysqladmin
-  echo "Creating debian-sys-maint user..."
-  mysql -uroot -e "GRANT ALL PRIVILEGES on *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '' WITH GRANT OPTION;"
-
-  if [ -n "${DB_REMOTE_ROOT_NAME}" -a -n "${DB_REMOTE_ROOT_HOST}" ]; then
-    echo "Creating remote user \"${DB_REMOTE_ROOT_NAME}\" with root privileges..."
-    mysql -uroot \
-    -e "GRANT ALL PRIVILEGES ON *.* TO '${DB_REMOTE_ROOT_NAME}'@'${DB_REMOTE_ROOT_HOST}' IDENTIFIED BY '${DB_REMOTE_ROOT_PASS}' WITH GRANT OPTION; FLUSH PRIVILEGES;"
-  fi
-
-  /usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf shutdown
-fi
-
-# create new user / database
-if [ -n "${DB_USER}" -o -n "${DB_NAME}" ]; then
-  /usr/bin/mysqld_safe >/dev/null 2>&1 &
-
-  # wait for mysql server to start (max 30 seconds)
-  timeout=30
-  while ! /usr/bin/mysqladmin -u root status >/dev/null 2>&1
-  do
-    timeout=$(($timeout - 1))
-    if [ $timeout -eq 0 ]; then
-      echo "Could not connect to mysql server. Aborting..."
-      exit 1
-    fi
-    sleep 1
-  done
-
-  # Check whether the old database exists and warn users to
-  # manually migrate those tables if so.
-  if [ -n "${DB_NAME_OLD}" ]; then
-      if mysql --defaults-file=/etc/mysql/debian.cnf -e "USE $DB_NAME_OLD;" 2>/dev/null; then
-        echo "$DB_WARNING"
-      fi
-  fi
-
-  if [ -n "${DB_NAME}" ]; then
-    for db in $(awk -F',' '{for (i = 1 ; i <= NF ; i++) print $i}' <<< "${DB_NAME}"); do
-      if mysql --defaults-file=/etc/mysql/debian.cnf -e "USE $db;" 2>/dev/null; then
-        echo "Database \"$db\" exists"
-      else
-        echo "Creating database \"$db\"..."
-        mysql --defaults-file=/etc/mysql/debian.cnf \
-          -e "CREATE DATABASE IF NOT EXISTS \`$db\` DEFAULT CHARACTER SET \`utf8\` COLLATE \`utf8_unicode_ci\`;"
-          if [ -n "${DB_USER_SERVER}" -a $db = $DB_NAME_SERVER ]; then
-            echo "Granting access to database \"$db\" for user \"${DB_USER_SERVER}\"..."
-            mysql --defaults-file=/etc/mysql/debian.cnf \
-            -e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SERVER}' IDENTIFIED BY '${DB_PASS_SERVER}';"
-            # Create our Database:
-            mysql -uroot $db < ./initial-notaryserver.sql
-            mysql -uroot $db < ./migrate-notaryserver.sql
-          fi
-          if [ -n "${DB_USER_SIGNER}" -a $db = $DB_NAME_SIGNER ]; then
-            echo "Granting access to database \"$db\" for user \"${DB_USER_SIGNER}\"..."
-            mysql --defaults-file=/etc/mysql/debian.cnf \
-            -e "GRANT ALL PRIVILEGES ON \`$db\`.* TO '${DB_USER_SIGNER}' IDENTIFIED BY '${DB_PASS_SIGNER}';"
-            # Create our Database:
-            mysql -uroot $db < ./initial-notarysigner.sql
-          fi
-      fi
-    done
-  fi
-  /usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf shutdown
-fi
-
-# listen on all interfaces
-cat > /etc/mysql/conf.d/mysql-listen.cnf <<EOF
-[mysqld]
-bind = 0.0.0.0
-EOF
-
-exec /usr/bin/mysqld_safe

server.Dockerfile

@@ -1,4 +1,5 @@
-FROM golang:1.5.1
+FROM golang:1.5.3
+MAINTAINER David Lawrence "david.lawrence@docker.com"
 
 RUN apt-get update && apt-get install -y \
     libltdl-dev \
@@ -7,13 +8,20 @@ RUN apt-get update && apt-get install -y \
 
 EXPOSE 4443
 
+# Install DB migration tool
+RUN go get github.com/mattes/migrate
+
 ENV NOTARYPKG github.com/docker/notary
 ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH
 
+
+
+# Copy the local repo to the expected go path
 COPY . /go/src/github.com/docker/notary
 
 WORKDIR /go/src/${NOTARYPKG}
 
+# Install notary-server
 RUN go install \
     -tags pkcs11 \
     -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \

signer.Dockerfile

@@ -1,29 +1,20 @@
-FROM dockersecurity/golang-softhsm2
-MAINTAINER Diogo Monica "diogo@docker.com"
+FROM golang:1.5.3
+MAINTAINER David Lawrence "david.lawrence@docker.com"
 
-# CHANGE-ME: Default values for SoftHSM2 PIN and SOPIN, used to initialize the first token
-ENV NOTARY_SIGNER_PIN="1234"
-ENV SOPIN="1234"
-ENV LIBDIR="/usr/local/lib/softhsm/"
-ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
-ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
-
-# Install openSC and dependencies
 RUN apt-get update && apt-get install -y \
     libltdl-dev \
-    libpcsclite-dev \
-    opensc \
-    usbutils \
     --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
-# Initialize the SoftHSM2 token on slod 0, using PIN and SOPIN varaibles
-RUN softhsm2-util --init-token --slot 0 --label "test_token" --pin $NOTARY_SIGNER_PIN --so-pin $SOPIN
+EXPOSE 4444
+
+# Install DB migration tool
+RUN go get github.com/mattes/migrate
 
 ENV NOTARYPKG github.com/docker/notary
 ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH
-
-EXPOSE 4444
+ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
+ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
 
 # Copy the local repo to the expected go path
 COPY . /go/src/github.com/docker/notary
@@ -36,6 +27,5 @@ RUN go install \
     -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \
     ${NOTARYPKG}/cmd/notary-signer
 
-
 ENTRYPOINT [ "notary-signer" ]
 CMD [ "-config=fixtures/signer-config-local.json" ]