From f84e0f0f5b7ebbc6769e69a6181e539827d6a113 Mon Sep 17 00:00:00 2001
From: kev
Date: Mon, 22 May 2017 14:48:55 +0800
Subject: [PATCH] update mosquitto tls

---
 mosquitto/Dockerfile              |  2 +-
 mosquitto/README.md               | 24 ++++++++-----
 mosquitto/arm/Dockerfile          |  2 +-
 mosquitto/arm/data/mosquitto.conf |  4 +--
 mosquitto/data/mosquitto.conf     |  4 +--
 netdata/arm/Dockerfile            | 56 ++++++++++++-------------------
 6 files changed, 43 insertions(+), 49 deletions(-)

diff --git a/mosquitto/Dockerfile b/mosquitto/Dockerfile
index 4043526..6467e0f 100644
--- a/mosquitto/Dockerfile
+++ b/mosquitto/Dockerfile
@@ -5,7 +5,7 @@ FROM alpine
 
 MAINTAINER kev
 
-RUN apk add --no-cache mosquitto
+RUN apk add --no-cache ca-certificates mosquitto
 
 VOLUME /etc/mosquitto
 EXPOSE 1883 8883
diff --git a/mosquitto/README.md b/mosquitto/README.md
index 9a4da5d..e1551fa 100644
--- a/mosquitto/README.md
+++ b/mosquitto/README.md
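Review bot: The added `ca-certificates` package carries no explanation, and its only consumer in this commit is the example mosquitto.conf's `capath /etc/ssl/certs`, so a later "unused package" cleanup could drop it and silently break the TLS listener setup; a comment on the RUN line keeps the dependency visible: `# ca-certificates populates /etc/ssl/certs, which the capath setting in mosquitto.conf relies on`. The line also stays unpinned (`apk add --no-cache ca-certificates mosquitto`, on top of the untagged `FROM alpine` visible in the hunk context), so every rebuild picks up whatever mosquitto Alpine currently ships — acceptable for a sample, but pin `mosquitto=<version>` and a tagged base if the image is meant to be reproducible. `MAINTAINER` in the unchanged context is deprecated in favour of `LABEL`, though that predates this change.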
@@ -24,27 +24,33 @@ mosquitto: ## mosquitto.conf -``` -port 8883 +```ini +port 1883 log_dest stdout +allow_anonymous false password_file /etc/mosquitto/pwfile persistence true persistence_location /var/lib/mosquitto -cafile /var/lib/mosquitto/ca.crt -certfile /var/lib/mosquitto/server.crt -keyfile /var/lib/mosquitto/server.key + +###### ENABLE TLS ###### +listener 8883 +protocol mqtt +capath /etc/ssl/certs +certfile /var/lib/mosquitto/fullchain.pem +keyfile /var/lib/mosquitto/privkey.pem require_certificate false ``` - `pwfile` is managed by [mosquitto_passwd][3]. -- TLS keys are generated by [openssl][2]. +- Two methods to support TLS: + - You can get free TLS certificates from letsencrypt, `capath` is needed. + - Self-signed TLS keys can be generated by [openssl][2], `cafile` is needed. -> It is important to use different certificate subject parameters for your CA, -> server and clients. +> It is important to use different certificate subject parameters for your self-signed CA, server and clients. ## server -``` +```bash $ mkdir -p data $ touch data/mosquitto.conf data/pwfile $ docker-compose up -d diff --git a/mosquitto/arm/Dockerfile b/mosquitto/arm/Dockerfile index 153a334..e722055 100644 --- a/mosquitto/arm/Dockerfile +++ b/mosquitto/arm/Dockerfile @@ -5,7 +5,7 @@ FROM easypi/alpine-arm MAINTAINER EasyPi Software Foundation -RUN apk add --no-cache mosquitto +RUN apk add --no-cache ca-certificates mosquitto VOLUME /etc/mosquitto EXPOSE 1883 8883 diff --git a/mosquitto/arm/data/mosquitto.conf b/mosquitto/arm/data/mosquitto.conf index 1504640..5f2de9f 100644 --- a/mosquitto/arm/data/mosquitto.conf +++ b/mosquitto/arm/data/mosquitto.conf @@ -12,7 +12,7 @@ persistence_location /var/lib/mosquitto ###### ENABLE WS ###### #listener 8080 #protocol websockets -#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem +#capath /etc/ssl/certs #certfile /var/lib/mosquitto/fullchain.pem #keyfile /var/lib/mosquitto/privkey.pem #require_certificate false 
@@ -20,7 +20,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE TLS ######
 #listener 8883
 #protocol mqtt
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false
diff --git a/mosquitto/data/mosquitto.conf b/mosquitto/data/mosquitto.conf
index 1504640..5f2de9f 100644
--- a/mosquitto/data/mosquitto.conf
+++ b/mosquitto/data/mosquitto.conf
@@ -12,7 +12,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE WS ######
 #listener 8080
 #protocol websockets
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false
@@ -20,7 +20,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE TLS ######
 #listener 8883
 #protocol mqtt
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false
diff --git a/netdata/arm/Dockerfile b/netdata/arm/Dockerfile
index ed7e85e..c295195 100644
--- a/netdata/arm/Dockerfile
+++ b/netdata/arm/Dockerfile
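Review bot: `capath /etc/ssl/certs` points the listener at the whole public CA bundle, and that is the trust store that would authenticate clients the moment the `#require_certificate false` line two lines below is uncommented as `true`: a certificate issued by any CA in the bundle (Let's Encrypt included) would pass, so the setting must not be mistaken for a client-authentication boundary. With `require_certificate false` the entry appears only to satisfy mosquitto's rule that a TLS listener names a `cafile` or `capath`, which is harmless as long as it stays false; client-cert auth needs a private CA in `cafile`, as the README in this same commit already says for the self-signed path. Suggest a warning comment directly above each capath line: `# capath = system CA bundle, only to satisfy TLS listener setup; switch to a private cafile before enabling require_certificate`. `capath` also requires OpenSSL hash-named symlinks in the directory, which I'd expect the `ca-certificates` package added in this commit to create under /etc/ssl/certs — worth confirming on the arm base image rather than assuming.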
@@ -2,48 +2,36 @@ # Dockerfile for netdata-arm # -FROM resin/rpi-raspbian:jessie +FROM easypi/alpine-arm MAINTAINER EasyPi Software Foundation -ENV NETDATA_VER 1.6.0 -ENV NETDATA_URL https://github.com/firehol/netdata/releases/download/v${NETDATA_VER}/netdata-${NETDATA_VER}.tar.gz -ENV NETDATA_DEB netdata_${NETDATA_VER}_armhf.deb - -WORKDIR /usr/src +ENV NETDATA_VERSION 1.6.0 RUN set -xe \ - && apt-get update \ - && apt-get -y install autoconf \ - autoconf-archive \ - autogen \ + && apk add --no-cache autoconf \ automake \ - build-essential \ + bash \ + build-base \ curl \ - debhelper \ - dh-autoreconf \ - dh-systemd \ - fakeroot \ + libmnl \ libmnl-dev \ - pkg-config \ - uuid-dev \ - zlib1g-dev \ - && curl -sSL ${NETDATA_URL} | tar xz \ - && cd netdata-${NETDATA_VER} \ - && ln -s contrib/debian \ - && dpkg-buildpackage -us -uc -rfakeroot \ + libuuid \ + util-linux-dev \ + zlib-dev \ + && addgroup -g 1000 netdata \ + && adduser -D -H -u 1000 -G netdata netdata \ + && curl -sSL https://github.com/firehol/netdata/releases/download/v$NETDATA_VERSION/netdata-$NETDATA_VERSION.tar.gz | tar xz \ + && cd netdata-$NETDATA_VERSION \ + && ./netdata-installer.sh --dont-wait \ && cd .. \ - && dpkg -i ${NETDATA_DEB} \ - && apt-get remove -y autoconf \ - autoconf-archive \ - autogen \ - automake \ - build-essential \ - curl \ - debhelper \ - dh-autoreconf \ - dh-systemd \ - pkg-config \ - && rm -rf netdata-${NETDATA_VER} /var/lib/apt/lists/* + && rm -rf netdata-$NETDATA_VERSION \ + && apk del autoconf \ + automake \ + build-base \ + curl \ + libmnl-dev \ + util-linux-dev \ + zlib-dev VOLUME /etc/netdata
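Review bot: The new `curl -sSL … | tar xz` line pipes the 1.6.0 release tarball straight into `tar`, and the following lines run `./netdata-installer.sh` out of it as root, with no integrity check on what was downloaded; `set -xe` carries no `pipefail`, so a curl failure is only caught indirectly if tar chokes on the partial input. Fetch the archive to a file, compare it against a sha256 pinned beside `NETDATA_VERSION`, and extract only after that check passes (sketch below; with the build arg left empty `sha256sum -c` rejects the line, so the build fails closed rather than open). The unpinned `apk add` list has the same reproducibility gap but is far less exposed than an unverified installer script. The hunk also creates the `netdata` user (uid 1000) and never switches to it, so whether the daemon ends up unprivileged depends on the CMD and config outside this hunk — either add `USER netdata` or leave a comment stating that netdata's own privilege drop is being relied on.
```dockerfile
ENV NETDATA_VERSION 1.6.0
# sha256 of netdata-$NETDATA_VERSION.tar.gz, copied from the upstream release;
# bump it together with NETDATA_VERSION. An empty value fails the check below.
ARG NETDATA_SHA256

RUN set -xe \
    # … unchanged: apk add …, addgroup/adduser netdata …
    && curl -fsSL -o netdata-$NETDATA_VERSION.tar.gz \
         https://github.com/firehol/netdata/releases/download/v$NETDATA_VERSION/netdata-$NETDATA_VERSION.tar.gz \
    && echo "$NETDATA_SHA256  netdata-$NETDATA_VERSION.tar.gz" | sha256sum -c - \
    && tar xzf netdata-$NETDATA_VERSION.tar.gz \
    && rm netdata-$NETDATA_VERSION.tar.gz \
    && cd netdata-$NETDATA_VERSION \
    # … unchanged: ./netdata-installer.sh --dont-wait, cleanup, apk del …
```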