From 16e316892a02ada16e04d4d582342e60c06e36ad Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Fri, 27 Dec 2013 16:42:27 -0800 Subject: [PATCH] stunnel: Add a stunnel-wrapper image Make it easy to wrap arbitrary ports with stunnel. The explicit pid configuration avoids errors like: ... stunnel: ... Cannot create pid file /var/lib/run/stunnel/stunnel.pid ... stunnel: ... create: No such file or directory (2) which is probably just a wart in Gentoo's stunnel packaging. --- README.md | 1 + build.sh | 1 + stunnel/Dockerfile.template | 43 +++++++++++++++++++++++++++++++++++++ stunnel/README.md | 22 +++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 stunnel/Dockerfile.template create mode 100644 stunnel/README.md diff --git a/README.md b/README.md index 20ed700..a2879e1 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,7 @@ The dependency graph is: |-- buildbot (adds a Buildbot master and slave) |-- postgresql (adds PostgreSQL) |-- redis (adds Redis) + |-- stunnel (adds stunnel) `-- gentoo-java (adds IcedTea) `-- elasticsearch (adds Elasticsearch) diff --git a/build.sh b/build.sh index a21392b..ae6d3a3 100755 --- a/build.sh +++ b/build.sh @@ -46,6 +46,7 @@ REPOS="${REPOS:- elasticsearch postgresql redis + stunnel }" die() diff --git a/stunnel/Dockerfile.template b/stunnel/Dockerfile.template new file mode 100644 index 0000000..d5ed4ad --- /dev/null +++ b/stunnel/Dockerfile.template 
@@ -0,0 +1,43 @@
+# Copyright (C) 2013 W. Trevor King
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+FROM NAMESPACE/gentoo-syslog:TAG
+MAINTAINER A. U. Thor
+#VOLUME ["PORTAGE:/usr/portage:ro", "PORTAGE/distfiles:/usr/portage/distfiles:rw"]
+RUN emerge -v net-misc/stunnel
+RUN eselect news read new
+RUN rc-update add stunnel default
+
+# Configure stunnel
+RUN echo 'cert = /etc/stunnel/stunnel.pem' > /etc/stunnel/stunnel.conf
+RUN echo 'pid = /run/stunnel/stunnel.pid' >> /etc/stunnel/stunnel.conf
+RUN echo '[stunnel]' >> /etc/stunnel/stunnel.conf
+RUN echo 'accept = 9999' >> /etc/stunnel/stunnel.conf
+RUN echo 'connect = NETLOC' >> /etc/stunnel/stunnel.conf
+
+# Container networking happens automatically
+RUN sed -i 's/need net$/use net/' /etc/init.d/*
+
+CMD sed -i "s|NETLOC|${SERVER_PORT#tcp://}|" /etc/stunnel/stunnel.conf && rc default && tail -F /var/log/messages
+EXPOSE 9999
diff --git a/stunnel/README.md b/stunnel/README.md
new file mode 100644
index 0000000..7f06030
--- /dev/null
+++ b/stunnel/README.md
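Review bot: The `CMD` resolves the backend address by replacing the literal `NETLOC` with `sed -i`, so it only works on the container's first start: on a later `docker start`/restart the placeholder is already gone, the substitution is a no-op and stunnel keeps forwarding to whatever address the link had originally, while an unset `SERVER_PORT` silently yields an empty `connect =` and `rc default && tail -F` keeps the container up with stunnel not listening. Match the key instead of the placeholder and fail loudly when the link is missing: `CMD test -n "$SERVER_PORT" && test -r /etc/stunnel/stunnel.pem && sed -i "s|^connect = .*|connect = ${SERVER_PORT#tcp://}|" /etc/stunnel/stunnel.conf && rc default && tail -F /var/log/messages`. The generated stunnel.conf also sets no `setuid`/`setgid`, so stunnel stays root after binding 9999, and no `sslVersion`/`options`/`ciphers`, leaving protocol and cipher choice to the packaged defaults; appending `setuid = stunnel`, `setgid = stunnel` (assuming Gentoo's package creates that account and the `/run/stunnel` pid directory is writable by it — verify) and `options = NO_SSLv2` plus `options = NO_SSLv3` would be cheap hardening for a TLS terminator. A comment above the `RUN echo` block saying that `stunnel.pem` is expected to be volume-mounted at run time (as the README's example does) would make the missing-key failure mode obvious to readers of the Dockerfile alone.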
@@ -0,0 +1,22 @@
+Use this [stunnel][] image to wrap other containers in SSL/TLS
+encryption using Docker's [linking][]. You'll want to
+[volume-mount][volume-mount] your SSL keys, since you may want
+different keys in every stunnel container.
+
+ $ docker run -d -name postgresql-0 wking/postgresql
+ $ docker run -d -name postgresql-0-ssl -v /etc/postgresql-0-ssl/stunnel.pem:/etc/stunnel/stunnel.pem -link postgresql-0:server -p 5432:9999 wking/stunnel
+
+[PostgreSQL][] [uses plaintext commands to initiate SSL/TLS
+encryption][SSLRequest] so you can't use `psql` to connect directly to
+this client. You can use it for protocols that use SSL/TLS from the
+start (e.g. HTTPS). If you need support for an initially unencrypted
+protocol, your best bet is to avoid stunnel and use the SSL/TLS
+support in the server itself. Failing that, you can always setup a
+client-side stunnel, and have both the server and client think they're
+talking in the clear.
+
+[stunnel]: https://www.stunnel.org/
+[linking]: http://docs.docker.io/en/latest/use/port_redirection/#linking-a-container
+[volume-mount]: http://docs.docker.io/en/latest/use/working_with_volumes/#mount-a-host-directory-as-a-container-volume
+[PostgreSQL]: http://postgresql.io/
+[SSLRequest]: http://www.postgresql.org/docs/devel/static/protocol-flow.html#AEN100370
-- 2.26.2