From: W. Trevor King Date: Sat, 28 Dec 2013 00:42:27 +0000 (-0800) Subject: stunnel: Add a stunnel-wrapper image X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=16e316892a02ada16e04d4d582342e60c06e36ad;p=dockerfile.git stunnel: Add a stunnel-wrapper image Make it easy to wrap arbitrary ports with stunnel. The explicit pid configuration avoids errors like: ... stunnel: ... Cannot create pid file /var/lib/run/stunnel/stunnel.pid ... stunnel: ... create: No such file or directory (2) which is probably just a wart in Gentoo's stunnel packaging. --- diff --git a/README.md b/README.md index 20ed700..a2879e1 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,7 @@ The dependency graph is: |-- buildbot (adds a Buildbot master and slave) |-- postgresql (adds PostgreSQL) |-- redis (adds Redis) + |-- stunnel (adds stunnel) `-- gentoo-java (adds IcedTea) `-- elasticsearch (adds Elasticsearch) diff --git a/build.sh b/build.sh index a21392b..ae6d3a3 100755 --- a/build.sh +++ b/build.sh @@ -46,6 +46,7 @@ REPOS="${REPOS:- elasticsearch postgresql redis + stunnel }" die() diff --git a/stunnel/Dockerfile.template b/stunnel/Dockerfile.template new file mode 100644 index 0000000..d5ed4ad --- /dev/null +++ b/stunnel/Dockerfile.template @@ -0,0 +1,43 @@ +# Copyright (C) 2013 W. Trevor King +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +FROM NAMESPACE/gentoo-syslog:TAG +MAINTAINER A. U. Thor +#VOLUME ["PORTAGE:/usr/portage:ro", "PORTAGE/distfiles:/usr/portage/distfiles:rw"] +RUN emerge -v net-misc/stunnel +RUN eselect news read new +RUN rc-update add stunnel default + +# Configure stunnel +RUN echo 'cert = /etc/stunnel/stunnel.pem' > /etc/stunnel/stunnel.conf +RUN echo 'pid = /run/stunnel/stunnel.pid' >> /etc/stunnel/stunnel.conf +RUN echo '[stunnel]' >> /etc/stunnel/stunnel.conf +RUN echo 'accept = 9999' >> /etc/stunnel/stunnel.conf +RUN echo 'connect = NETLOC' >> /etc/stunnel/stunnel.conf + +# Container networking happens automatically +RUN sed -i 's/need net$/use net/' /etc/init.d/* + +CMD sed -i "s|NETLOC|${SERVER_PORT#tcp://}|" /etc/stunnel/stunnel.conf && rc default && tail -F /var/log/messages +EXPOSE 9999 diff --git a/stunnel/README.md b/stunnel/README.md new file mode 100644 index 0000000..7f06030 --- /dev/null +++ b/stunnel/README.md @@ -0,0 +1,22 @@ +Use this [stunnel][] image to wrap other containers in SSL/TLS +encryption using Docker's [linking][]. You'll want to +[volume-mount][volume-mount] your SSL keys, since you may want +different keys in every stunnel container. + + $ docker run -d -name postgresql-0 wking/postgresql + $ docker run -d -name postgresql-0-ssl -v /etc/postgresql-0-ssl/stunnel.pem:/etc/stunnel/stunnel.pem -link postgresql-0:server -p 5432:9999 wking/stunnel + +[PostgreSQL][] [uses plaintext commands to initiate SSL/TLS +encryption][SSLRequest] so you can't use `psql` to connect directly to +this client. You can use it for protocols that use SSL/TLS from the +start (e.g. HTTPS). If you need support for an initially unencrypted +protocol, your best bet is to avoid stunnel and use the SSL/TLS +support in the server itself. Failing that, you can always setup a +client-side stunnel, and have both the server and client think they're +talking in the clear. + +[stunnel]: https://www.stunnel.org/ +[linking]: http://docs.docker.io/en/latest/use/port_redirection/#linking-a-container +[volume-mount]: http://docs.docker.io/en/latest/use/working_with_volumes/#mount-a-host-directory-as-a-container-volume +[PostgreSQL]: http://postgresql.io/ +[SSLRequest]: http://www.postgresql.org/docs/devel/static/protocol-flow.html#AEN100370