From ce3137917d7707ad188f2c9ac2eed8d71d3308a8 Mon Sep 17 00:00:00 2001
From: kev
Date: Fri, 1 Sep 2017 19:38:21 +0800
Subject: [PATCH] update ocserv

---
 ocserv/Dockerfile | 142 ++++++++++++++++++--------
 ocserv/docker-compose.yml | 2 +-
 ocserv/init.sh | 10 +--
 3 files changed, 73 insertions(+), 81 deletions(-)

diff --git a/ocserv/Dockerfile b/ocserv/Dockerfile
index 8956141..358614b 100644
--- a/ocserv/Dockerfile
+++ b/ocserv/Dockerfile
@@ -2,96 +2,88 @@ # Dockerfile for ocserv # -FROM debian:jessie +FROM alpine MAINTAINER kev ENV OCSERV_VERSION 0.11.8 +ENV OCSERV_URL ftp://ftp.infradead.org/pub/ocserv/ocserv-$OCSERV_VERSION.tar.xz + +RUN buildDeps=" \ + curl \ + g++ \ + gnutls-dev \ + gpgme \ + libev-dev \ + libnl3-dev \ + libseccomp-dev \ + linux-headers \ + linux-pam-dev \ + lz4-dev \ + make \ + readline-dev \ + tar \ + xz \ + "; \ + set -x \ + && apk add --update --virtual .build-deps $buildDeps \ + && curl -SL $OCSERV_URL -o ocserv.tar.xz \ + && curl -SL $OCSERV_URL.sig -o ocserv.tar.xz.sig \ + && gpg --keyserver pgp.mit.edu --recv-key 7F343FA7 \ + && gpg --keyserver pgp.mit.edu --recv-key 96865171 \ + && gpg --verify ocserv.tar.xz.sig \ + && mkdir -p /usr/src/ocserv \ + && tar -xf ocserv.tar.xz -C /usr/src/ocserv --strip-components=1 \ + && rm ocserv.tar.xz* \ + && cd /usr/src/ocserv \ + && ./configure \ + && make \ + && make install \ + && mkdir -p /etc/ocserv \ + && cp /usr/src/ocserv/doc/sample.config /etc/ocserv/ocserv.conf \ + && cp /usr/src/ocserv/doc/profile.xml /etc/ocserv/profile.xml \ + && cd / \ + && rm -rf /usr/src/ocserv \ + && runDeps="$( \ + scanelf --needed --nobanner /usr/local/sbin/ocserv \ + | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ + | xargs -r apk info --installed \ + | sort -u \ + )" \ + && apk add --virtual .run-deps $runDeps gnutls-utils iptables \ + && apk del .build-deps \ + && rm -rf /var/cache/apk/* RUN set -xe \ - && apt-get update \ - && apt-get install -y autogen \ - build-essential \ - curl \ - gnutls-bin \ - iptables \ - less \ - libdbus-1-3 \ - libdbus-1-dev \ - libev4 \ - libev-dev \ - libgnutlsxx28 \ - libgnutls28-dev \ - libhttp-parser2.1 \ - libhttp-parser-dev \ - libnl-route-3-200 \ - libnl-route-3-dev \ - libopts25 \ - libopts25-dev \ - libpam0g \ - libpam0g-dev \ - libpcl1 \ - libpcl1-dev \ - libprotobuf-c1 \ - libprotobuf-c-dev \ - libprotobuf9 \ - libprotobuf-dev \ - libprotoc9 \ - libprotoc-dev \ - libreadline6 \ - libreadline-dev \ - 
libseccomp2 \ - libseccomp-dev \ - libtalloc2 \ - libtalloc-dev \ - libwrap0 \ - libwrap0-dev \ - protobuf-c-compiler \ - protobuf-compiler \ - && curl -sSL ftp://ftp.infradead.org/pub/ocserv/ocserv-$OCSERV_VERSION.tar.xz | tar xJ \ - && cd ocserv-$OCSERV_VERSION \ - && ./configure --prefix=/usr --sysconfdir=/etc --with-local-talloc \ - && make install \ && mkdir -p /etc/ocserv/certs \ - && cp ./doc/sample.config /etc/ocserv/ocserv.conf \ - && cp ./doc/profile.xml /etc/ocserv/profile.xml \ - && sed -i -e 's@^#user-profile = /path/to/file.xml@#user-profile = /etc/ocserv/profile.xml@' \ - -e 's@../tests/@/etc/ocserv/certs/@' \ - -e 's@certs/ca.pem@certs/ca-cert.pem@' \ - -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \ + && mkdir -p /etc/ocserv/config-per-user \ + && mkdir -p /etc/ocserv/config-per-group \ + && mkdir -p /etc/ocserv/defaults \ + && touch /etc/ocserv/defaults/user.conf \ + && touch /etc/ocserv/defaults/group.conf \ + && touch /etc/ocserv/ocpasswd \ + && sed -i -e 's@\./sample.passwd@/etc/ocserv/ocpasswd@' \ + -e 's@\.\./tests/@/etc/ocserv/@' \ + -e 's@^#cert-group-oid =@cert-group-oid =@' \ + -e 's@^#compression =.*@compression = true@' \ + -e 's@^#config-per-@config-per-@' \ + -e 's@^#default-@default-@' \ -e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \ - -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \ - -e 's@^dns =.*$@dns = 8.8.8.8@' \ + -e 's@^#user-profile =.*@user-profile = /etc/ocserv/profile.xml@' \ -e 's@^default-domain@#&@' \ + -e 's@^dns =.*@dns = 8.8.8.8@' \ + -e 's@^max-clients =.*@max-clients = 0@' \ + -e 's@^max-same-clients =.*@max-same-clients = 0@' \ -e 's@^route@#&@' \ - /etc/ocserv/ocserv.conf \ - && cd .. 
\ - && apt-get purge --auto-remove -y autogen \ - build-essential \ - libdbus-1-dev \ - libev-dev \ - libgnutls28-dev \ - libhttp-parser-dev \ - libnl-route-3-dev \ - libopts25-dev \ - libpam0g-dev \ - libpcl1-dev \ - libprotobuf-c-dev \ - libprotobuf-dev \ - libprotoc-dev \ - libreadline-dev \ - libseccomp-dev \ - libtalloc-dev \ - libwrap0-dev \ - protobuf-c-compiler \ - protobuf-compiler \ - && rm -rf ocserv-$OCSERV_VERSION /var/lib/apt/lists/* + -e 's@^try-mtu-discovery =.*@try-mtu-discovery = true@' \ + /etc/ocserv/ocserv.conf COPY init.sh /init.sh COPY docker-entrypoint.sh /entrypoint.sh VOLUME /etc/ocserv +WORKDIR /etc/ocserv -ENV VPN_DOMAIN=vpn.easypi.info \ +ENV VPN_DOMAIN=vpn.easypi.pro \ VPN_NETWORK=10.20.30.0 \ VPN_NETMASK=255.255.255.0 \ LAN_NETWORK=192.168.0.0 \ diff --git a/ocserv/docker-compose.yml b/ocserv/docker-compose.yml index d0ce9f5..b74fadc 100644 --- a/ocserv/docker-compose.yml +++ b/ocserv/docker-compose.yml @@ -4,7 +4,7 @@ ocserv: - "4443:443/tcp" - "4443:443/udp" environment: - - VPN_DOMAIN=vpn.easypi.info + - VPN_DOMAIN=vpn.easypi.pro - VPN_NETWORK=10.20.30.0 - VPN_NETMASK=255.255.255.0 - LAN_NETWORK=192.168.0.0 diff --git a/ocserv/init.sh b/ocserv/init.sh index 10c4918..096fb8a 100755 --- a/ocserv/init.sh +++ b/ocserv/init.sh @@ -37,7 +37,7 @@ _EOF_ cat > client.tmpl <<_EOF_ cn = "client@${VPN_DOMAIN}" -uid = "client@${VPN_DOMAIN}" +uid = "client" unit = "ocserv" expiration_days = 3650 signing_key @@ -51,7 +51,7 @@ certtool --generate-privkey \ certtool --generate-self-signed \ --load-privkey /etc/ocserv/certs/ca-key.pem \ --template ca.tmpl \ - --outfile ca-cert.pem + --outfile ca.pem # gen server keys certtool --generate-privkey \ @@ -59,7 +59,7 @@ certtool --generate-privkey \ certtool --generate-certificate \ --load-privkey server-key.pem \ - --load-ca-certificate ca-cert.pem \ + --load-ca-certificate ca.pem \ --load-ca-privkey ca-key.pem \ --template server.tmpl \ --outfile server-cert.pem 
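Review bot: The new base line `FROM alpine` drops the tag that the removed `debian:jessie` line carried, so every rebuild silently tracks Alpine's `latest` and the image is no longer reproducible; pin it, e.g. `FROM alpine:<PINNED_TAG>`. In the same RUN the tarball signature is verified against keys fetched by 32-bit short IDs (`--recv-key 7F343FA7`, `--recv-key 96865171`) over plain HKP; short IDs are collidable, so `gpg --verify` can pass against a key that is not the maintainer's, and the fix is to fetch by full fingerprint and name both files explicitly: `gpg --keyserver pgp.mit.edu --recv-keys <FULL_40_HEX_FINGERPRINT>` and `gpg --verify ocserv.tar.xz.sig ocserv.tar.xz`. The build also relies on the `gpg` binary while only `gpgme` is in `buildDeps`; confirm that actually pulls `gnupg` into the build stage on Alpine, otherwise add it explicitly. Finally, `./configure` is now run without the old `--sysconfdir=/etc`, so ocserv's built-in default config location presumably moves under /usr/local while the file is written to /etc/ocserv/ocserv.conf; that is only safe if the entrypoint (not in this diff) passes `-c /etc/ocserv/ocserv.conf`.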
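Review bot: The CA certificate file is renamed from ca-cert.pem to ca.pem in this hunk and again in the @@ -59 and @@ -70 hunks, consistent with the Dockerfile no longer rewriting `certs/ca.pem` to `certs/ca-cert.pem` in ocserv.conf, but existing /etc/ocserv volumes still hold a ca-cert.pem. If init.sh only generates keys when none are present (any such guard is outside these hunks), an upgraded container would start with a config that references a ca.pem that does not exist on the volume. A one-line migration before generation, `[ -f ca-cert.pem ] && [ ! -f ca.pem ] && mv ca-cert.pem ca.pem`, or a note in the project README, would cover that case.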
@@ -70,14 +70,14 @@ certtool --generate-privkey \ certtool --generate-certificate \ --load-privkey client-key.pem \ - --load-ca-certificate ca-cert.pem \ + --load-ca-certificate ca.pem \ --load-ca-privkey ca-key.pem \ --template client.tmpl \ --outfile client-cert.pem certtool --to-p12 \ --pkcs-cipher 3des-pkcs12 \ - --load-ca-certificate ca-cert.pem \ + --load-ca-certificate ca.pem \ --load-certificate client-cert.pem \ --load-privkey client-key.pem \ --outfile client.p12 \