JBevillC commented on a change in pull request #3257: CIAB: Add OpenVPN URL: https://github.com/apache/trafficcontrol/pull/3257#discussion_r253615853
########## File path: infrastructure/cdn-in-a-box/optional/vpn/run.sh ########## 
@@ -0,0 +1,85 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +set-dns.sh +insert-self-into-dns.sh + +set -x +set -e + +INTERFACE=$(ls -I lo /sys/class/net) +NETWORK=$(route |grep -v default |grep $INTERFACE |awk '{print $1}') +NETMASK=$(route |grep -v default |grep $INTERFACE |awk '{print $3}') +DNSADDR=$(dig +short dns) + +if [[ -z "$PRIVATE_NETWORK" ]] || [[ -z "$PRIVATE_NETMASK" ]]; then + if [[ $NETWORK == 192.* ]] || [[ $HOST == 10.* ]]; then + PRIVATE_NETWORK="172.16.127.0" + else + PRIVATE_NETWORK="10.16.127.0" + fi + PRIVATE_NETMASK="255.255.255.240" +fi + +# Check if vpn ca existed +if [ ! -f "/vpnca/completed" ]; then + cp /vars /root/EasyRSA-*

Review comment: The files written into the /vpnca shared volume are owned by `root:root` and become unreadable to those of us that run `docker-compose` as a non-root user. `docker-compose` likes to recursively scan directories under $context, which means the `vpnca` shared directory can't be owned by root with restricted permissions.
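Review bot: `$HOST` in `if [[ $NETWORK == 192.* ]] || [[ $HOST == 10.* ]]; then` looks like a typo for `$NETWORK`; nothing in this script sets `HOST` (bash sets `HOSTNAME`, not `HOST`), so the `10.*` test can never match and a 10.x Docker network falls through to the `else` branch and gets the `10.16.127.0` range that branch was meant to avoid. Two smaller points in the same hunk: `set -e` is only enabled after `set-dns.sh` and `insert-self-into-dns.sh` have run, so a failure in either is ignored (move `set -x` and `set -e` above them), and `INTERFACE=$(ls -I lo /sys/class/net)` expands to several names on a container with more than one interface, which then breaks the unquoted `grep $INTERFACE` in the `NETWORK`/`NETMASK` lines; `ip -o route show default | awk '{print $5}'` would yield a single interface name and avoids the deprecated `route`.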
```
$ mydc build vpn
Building vpn
Traceback (most recent call last):
  File "/usr/bin/docker-compose", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/compose/cli/main.py", line 71, in main
    command()
  File "/usr/lib/python2.7/site-packages/compose/cli/main.py", line 127, in perform_command
    handler(command, command_options)
  File "/usr/lib/python2.7/site-packages/compose/cli/main.py", line 287, in build
    parallel_build=options.get('--parallel', False),
  File "/usr/lib/python2.7/site-packages/compose/project.py", line 384, in build
    build_service(service)
  File "/usr/lib/python2.7/site-packages/compose/project.py", line 366, in build_service
    service.build(no_cache, pull, force_rm, memory, build_args, gzip)
  File "/usr/lib/python2.7/site-packages/compose/service.py", line 1080, in build
    platform=self.platform,
  File "/usr/lib/python2.7/site-packages/docker/api/build.py", line 154, in build
    path, exclude=exclude, dockerfile=dockerfile, gzip=gzip
  File "/usr/lib/python2.7/site-packages/docker/utils/build.py", line 31, in tar
    root=root, fileobj=fileobj, gzip=gzip, extra_files=extra_files
  File "/usr/lib/python2.7/site-packages/docker/utils/build.py", line 100, in create_archive
    'Can not read file in context: {}'.format(full_path)
IOError: Can not read file in context: /home/xxxxxxxxx/src/tc-pr3257/infrastructure/cdn-in-a-box/optional/vpn/vpnca/ca.crt
$ ls -l $PWD/optional/vpn/vpnca/
total 36
-rw------- 1 root root  822 Feb 4 11:40 ca.crt
-rw-rw-rw- 1 root root 5661 Feb 4 11:40 client.ovpn
-rw-rw-rw- 1 root root    0 Feb 4 11:40 completed
-rw------- 1 root root  245 Feb 4 11:40 dh.pem
-rw------- 1 root root  636 Feb 4 11:40 tls.key
-rw------- 1 root root 3071 Feb 4 11:40 vpnclient01.crt
-rw------- 1 root root  912 Feb 4 11:40 vpnclient01.key
-rw------- 1 root root 3201 Feb 4 11:40 vpnserver.crt
-rw------- 1 root root  916 Feb 4 11:40 vpnserver.key
```

My suggestion is to update the ownership/permissions of the /vpnca directory at the end of the if statement:

```
$ find /vpnca -type d -exec chmod a+rwx '{}' \;
$ find /vpnca -type f -exec chmod a+rw '{}' \;
$ chown -R nobody:nogroup /vpnca
$ ls -l /vpnca
root@vpn:/# ls -l /vpnca
total 36
-rw-rw-rw- 1 nobody nogroup  822 Feb 4 18:55 ca.crt
-rw-rw-rw- 1 nobody nogroup 5665 Feb 4 18:55 client.ovpn
-rw-rw-rw- 1 nobody nogroup    0 Feb 4 18:55 completed
-rw-rw-rw- 1 nobody nogroup  245 Feb 4 18:55 dh.pem
-rw-rw-rw- 1 nobody nogroup  636 Feb 4 18:55 tls.key
-rw-rw-rw- 1 nobody nogroup 3071 Feb 4 18:55 vpnclient01.crt
-rw-rw-rw- 1 nobody nogroup  916 Feb 4 18:55 vpnclient01.key
-rw-rw-rw- 1 nobody nogroup 3201 Feb 4 18:55 vpnserver.crt
-rw-rw-rw- 1 nobody nogroup  916 Feb 4 18:55 vpnserver.key
```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
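An added example, not the reviewer's suggestion and not the project's `run.sh`, showing a variant of the ownership fix discussed above that still lets a non-root `docker-compose` user read the build context but does not leave the CA and server private keys world-readable and world-writable as `chmod a+rw` does. It assumes a convention that is not in the PR: the container is started with `HOST_UID` and `HOST_GID` set to the compose user's ids (for instance `docker-compose run -e HOST_UID="$(id -u)" -e HOST_GID="$(id -g)" vpn`), and the files are handed to that user with `*.key` files at 0600 and everything else at 0644. The sample directory it builds is constructed here with empty placeholder files mirroring the listing above; it contains no real key material.

```bash
#!/bin/bash
# fix_vpnca_perms DIR [UID] [GID]
# Hand the generated CA material in a shared volume to the host user who
# runs docker-compose, without making private keys readable by everyone.
# HOST_UID / HOST_GID are an assumed convention for this example; they are
# not variables the project's run.sh defines.
fix_vpnca_perms() {
    local dir="$1" uid="${2:-${HOST_UID:-0}}" gid="${3:-${HOST_GID:-0}}"
    [ -d "$dir" ] || { echo "fix_vpnca_perms: $dir is not a directory" >&2; return 1; }
    # Owner first, so the modes below apply to the final owner.
    chown -R "$uid:$gid" "$dir" || return 1
    # Directories must be traversable by the compose user; certs, the ovpn
    # profile and the "completed" marker only need to be readable.
    find "$dir" -type d -exec chmod 0755 '{}' \;
    find "$dir" -type f ! -name '*.key' -exec chmod 0644 '{}' \;
    # Private keys (CA, server, client, tls-auth): owner read/write only.
    find "$dir" -type f -name '*.key' -exec chmod 0600 '{}' \;
}

# perm_of PATH: print the octal mode (GNU stat on Linux, BSD stat otherwise).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_vpnca_perms DIR: return 0 when no *.key is group/world accessible and
# every regular file is readable by the current user; 1 otherwise.
check_vpnca_perms() {
    local dir="$1" f mode
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        mode=$(perm_of "$f")
        case "$mode" in
            600|400) ;;
            *) echo "private key $f is mode $mode" >&2; return 1 ;;
        esac
    done
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -r "$f" ] || { echo "$f is not readable" >&2; return 1; }
    done
    return 0
}

# make_sample_vpnca DIR: constructed stand-in for the volume contents shown in
# the review comment (empty files, no real keys), in the restrictive state
# that easy-rsa leaves them in.
make_sample_vpnca() {
    local dir="$1" f
    mkdir -p "$dir"
    for f in ca.crt client.ovpn completed dh.pem tls.key \
             vpnclient01.crt vpnclient01.key vpnserver.crt vpnserver.key; do
        : > "$dir/$f"
        chmod 0600 "$dir/$f"
    done
}

# Stand-alone demo: build the sample volume, fix it for the current user,
# and show the resulting listing.
demo_dir=$(mktemp -d)
make_sample_vpnca "$demo_dir/vpnca"
fix_vpnca_perms "$demo_dir/vpnca" "$(id -u)" "$(id -g)"
ls -l "$demo_dir/vpnca"
check_vpnca_perms "$demo_dir/vpnca" && echo "vpnca permissions ok"
rm -rf "$demo_dir"
```

In the real container `run.sh` runs as root, so the `chown` to an arbitrary host uid succeeds; on the host the compose user then owns every file, `docker-compose build` can tar the context, and `ls -l` shows `-rw-------` for the `.key` files rather than `-rw-rw-rw-`.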
