From 845b296aedaef6d22bab0184e0e2f8bc5a326fcb Mon Sep 17 00:00:00 2001
From: Dave Page
Date: Thu, 12 Oct 2017 10:12:55 +0100
Subject: [PATCH] Add optional TLS support to the docker container.

---
 pkg/docker/Dockerfile | 14 ++++++-
 pkg/docker/README | 76 +++++++++++++++++++++++++++++++++++++
 pkg/docker/build.sh | 2 +-
 pkg/docker/entry.sh | 2 +
 pkg/docker/pgadmin4.conf | 22 ----------
 pkg/docker/pgadmin4.conf.j2 | 43 +++++++++++++++++++++
 6 files changed, 134 insertions(+), 25 deletions(-)
 create mode 100644 pkg/docker/README
 delete mode 100644 pkg/docker/pgadmin4.conf
 create mode 100644 pkg/docker/pgadmin4.conf.j2

diff --git a/pkg/docker/Dockerfile b/pkg/docker/Dockerfile
index 86a79ad48..aa9a64a85 100644
--- a/pkg/docker/Dockerfile
+++ b/pkg/docker/Dockerfile
@@ -19,20 +19,28 @@ COPY web /var/www/pgadmin
 COPY requirements.txt /var/www/pgadmin
 
 # Install everything we need. Use easy_install to get pip, to avoid setting up EPEL
-RUN yum install -y python-setuptools python-devel httpd mod_wsgi gcc
+RUN yum install -y python-setuptools python-devel httpd mod_wsgi mod_ssl gcc
 RUN easy_install pip
+RUN pip install j2cli
 
 # Now install the Python runtime dependencies
 RUN pip install -r /var/www/pgadmin/requirements.txt
 
+# Create required directories for config
+
+
 # Create required directories for running
 RUN mkdir -p /var/log/pgadmin
 RUN chown -R apache /var/log/pgadmin
 RUN mkdir -p /var/lib/pgadmin
 RUN chown -R apache /var/lib/pgadmin
+RUN mkdir -p /certs
+RUN chown -R apache /certs
+RUN chmod 700 /certs
 
 # Apache config time
-COPY pgadmin4.conf /etc/httpd/conf.d/
+RUN mkdir -p /templates
+COPY pgadmin4.conf.j2 /templates/
 COPY entry.sh /
 
 # Finally, remove packages we only needed for building
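Review bot: `RUN pip install j2cli` fetches an unpinned package from PyPI at build time, so the tool that renders the Apache config (and whatever Jinja2 it drags in) changes silently from build to build; pin it to the version you tested, `RUN pip install j2cli==X.Y.Z`, as `requirements.txt` presumably already does for the runtime deps. Separately, `RUN chown -R apache /certs` gives the directory intended for the TLS private key to the same unprivileged user the WSGI application will presumably run as (no `user=` is set on `WSGIDaemonProcess`); httpd normally reads the certificate and key as root before dropping privileges, so root ownership with the existing `chmod 700` is enough, and bind-mounted files keep the host's owner and mode regardless of this chown. The `# Create required directories for config` comment followed by two blank lines has nothing under it and looks like a leftover; drop it or put the `/templates` mkdir beneath it.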
@@ -41,6 +49,8 @@ RUN yum -y remove gcc cpp glibc-devel glibc-headers kernel-headers libgomp libmp # Default config options ENV PGADMIN_DEFAULT_EMAIL container@pgadmin.org ENV PGADMIN_DEFAULT_PASSWORD Conta1ner +ENV PGADMIN_ENABLE_TLS False +ENV PGADMIN_SERVER_NAME pgadmin4 EXPOSE 80 443 diff --git a/pkg/docker/README b/pkg/docker/README new file mode 100644 index 000000000..88893f5ef --- /dev/null +++ b/pkg/docker/README 
@@ -0,0 +1,76 @@
+This directory contains the files required to create a docker container running pgAdmin.
+
+Building
+========
+
+Whilst you can just use the Dockerfile directly, it requires that various pre-configuration steps are performed, for
+example, the pgAdmin web code must be copied to ./web and yarn install/yarn run bundle must be executed.
+requirements.txt is also expected to be in this directory, and the pre-built docs must be in web/docs.
+
+The recommended (and easy) way to build the container is to do:
+
+cd $PGADMIN_SRC/
+workon pgadmin-venv
+make docker
+
+This will call the build script $PGADMIN_SRC/pkg/docker/build.sh which will prepare a staging directory containing all
+the required files, then build the container and push it to your repo.
+
+Running
+=======
+
+The container will accept the following variables at startup:
+
+PGADMIN_DEFAULT_EMAIL
+---------------------
+
+Default: container@pgadmin.org)
+
+This is the email address used when setting up the initial administrator account to login to pgAdmin.
+
+PGADMIN_DEFAULT_PASSWORD
+------------------------
+
+Default: Conta1ner
+
+This is the password used when setting up the initial administrator account to login to pgAdmin.
+
+PGADMIN_ENABLE_TLS
+------------------
+
+Default: Conta1ner
+
+If set to the default, False, the container will listen on port 80 for connections in plain text. If set to True, the
+container will listen on port 443 for TLS connections.
+
+When TLS is enabled, a certificate and key must be provided. Typically these should be stored on the host file system
+and mounted from the container. The expected paths are /certs/server.crt and /certs/server.key
+
+PGADMIN_SERVER_NAME
+-------------------
+
+Default: pgadmin4
+
+This variable allows you to specify the value used for the Apache HTTPD ServerName directive. This is commonly used to
+ensure the CN of the TLS certificate matches what the server expects.
+ +Examples +======== + +Run a simple container over port 80: + +docker run -p 80:80 \ + -e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \ + -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \ + -d pgadmin4 + +Run a TLS secured container: + +docker run -p 443:443 \ + -v "/path/to/certificate.cert:/certs/server.cert" \ + -v "/path/to/certificate.key:/certs/server.key" \ + -e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \ + -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \ + -e "PGADMIN_ENABLE_TLS=True" \ + -e "PGADMIN_SERVER_NAME=pgadmin.domain.com" \ + -d pgadmin4 \ No newline at end of file diff --git a/pkg/docker/build.sh b/pkg/docker/build.sh index ca8d631f5..2edce5399 100755 --- a/pkg/docker/build.sh +++ b/pkg/docker/build.sh @@ -88,7 +88,7 @@ echo "}" >> docker-build/web/config_distro.py # Copy the Docker specific assets into place cp pkg/docker/Dockerfile docker-build/ cp pkg/docker/entry.sh docker-build/ -cp pkg/docker/pgadmin4.conf docker-build/ +cp pkg/docker/pgadmin4.conf.j2 docker-build/ cp requirements.txt docker-build/ # Build the container diff --git a/pkg/docker/entry.sh b/pkg/docker/entry.sh index b5e6b5c37..9ca87458e 100644 --- a/pkg/docker/entry.sh +++ b/pkg/docker/entry.sh @@ -12,4 +12,6 @@ export PGADMIN_SETUP_EMAIL=${PGADMIN_DEFAULT_EMAIL} export PGADMIN_SETUP_PASSWORD=${PGADMIN_DEFAULT_PASSWORD} +j2 /templates/pgadmin4.conf.j2 > /etc/httpd/conf.d/pgadmin4.conf + /usr/sbin/httpd -D FOREGROUND \ No newline at end of file diff --git a/pkg/docker/pgadmin4.conf b/pkg/docker/pgadmin4.conf deleted file mode 100644 index ddd518875..000000000 --- a/pkg/docker/pgadmin4.conf +++ /dev/null 
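Review bot: The added `j2 /templates/pgadmin4.conf.j2 > /etc/httpd/conf.d/pgadmin4.conf` line renders the config and falls straight through to `httpd -D FOREGROUND` without checking that the certificate and key the TLS branch references actually exist, or that the render itself succeeded (the head of entry.sh is outside the hunk, so I cannot tell whether `set -e` is in effect); a missing bind mount then surfaces only as an httpd startup error, or — if the render fails and an older pgadmin4.conf is still on disk — as httpd quietly starting with stale config. Note also that the template compares the variable with the string `'True'` verbatim, so `true`, `TRUE` or `1` silently select the plaintext port-80 branch; the entry script is the place to validate that. The value of `PGADMIN_SERVER_NAME` is interpolated into the config unescaped, which is acceptable for a deployer-controlled env var but worth a comment. A guard along these lines, placed before the render, covers both cases:

```sh
# … unchanged: PGADMIN_SETUP_* exports …
if [ "${PGADMIN_ENABLE_TLS}" = "True" ]; then
    for f in /certs/server.cert /certs/server.key; do
        if [ ! -r "${f}" ]; then
            echo "PGADMIN_ENABLE_TLS=True but ${f} is missing or unreadable" >&2
            exit 1
        fi
    done
fi

# Render the Apache config from the environment (PGADMIN_* is inserted unescaped).
j2 /templates/pgadmin4.conf.j2 > /etc/httpd/conf.d/pgadmin4.conf || exit 1
# … unchanged: httpd start …
```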
@@ -1,22 +0,0 @@ -######################################################################## -# -# pgAdmin 4 - PostgreSQL Tools -# -# Copyright (C) 2013 - 2017, The pgAdmin Development Team -# This software is released under the PostgreSQL Licence -# -######################################################################### - -ServerName pgadmin4 - - - WSGIDaemonProcess pgadmin processes=1 threads=25 - WSGIScriptAlias / /var/www/pgadmin/pgAdmin4.wsgi - - - WSGIProcessGroup pgadmin - WSGIApplicationGroup %{GLOBAL} - Order deny,allow - Allow from all - - \ No newline at end of file diff --git a/pkg/docker/pgadmin4.conf.j2 b/pkg/docker/pgadmin4.conf.j2 new file mode 100644 index 000000000..fcd84527a --- /dev/null +++ b/pkg/docker/pgadmin4.conf.j2 @@ -0,0 +1,43 @@ +######################################################################## +# +# pgAdmin 4 - PostgreSQL Tools +# +# Copyright (C) 2013 - 2017, The pgAdmin Development Team +# This software is released under the PostgreSQL Licence +# +######################################################################### + +ServerName {{ PGADMIN_SERVER_NAME }} +{% if PGADMIN_ENABLE_TLS|default('False') == 'True' %} +LoadModule ssl_module modules/mod_ssl.so + + + SSLEngine on + SSLCipherSuite HIGH:!aNULL:!MD5 + SSLCertificateFile "/certs/server.cert" + SSLCertificateKeyFile "/certs/server.key" + + ServerName pgadmin4 + WSGIDaemonProcess pgadmin processes=1 threads=25 + WSGIScriptAlias / /var/www/pgadmin/pgAdmin4.wsgi + + + WSGIProcessGroup pgadmin + WSGIApplicationGroup %{GLOBAL} + Order deny,allow + Allow from all + + +{% else %} + + WSGIDaemonProcess pgadmin processes=1 threads=25 + WSGIScriptAlias / /var/www/pgadmin/pgAdmin4.wsgi + + + WSGIProcessGroup pgadmin + WSGIApplicationGroup %{GLOBAL} + Order deny,allow + Allow from all + + +{% endif %} \ No newline at end of file
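Review bot: Inside the TLS branch the virtual host hard-codes `ServerName pgadmin4`, which overrides the templated global `ServerName {{ PGADMIN_SERVER_NAME }}` for exactly the vhost whose certificate CN the README says the variable exists to match; it should read `ServerName {{ PGADMIN_SERVER_NAME }}` there too. The TLS settings consist of `SSLCipherSuite HIGH:!aNULL:!MD5` alone, leaving protocol selection and cipher ordering to whatever the distribution's mod_ssl defaults happen to be; add `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` explicitly, and consider an HSTS header once the listener is known to be TLS-only. The paths `/certs/server.cert` used here (and in the README example) disagree with the `/certs/server.crt` the README's description documents, so one of them will not work as written. The `LoadModule ssl_module modules/mod_ssl.so` line is likely redundant with the module loading the `mod_ssl` package installs, and may produce an "already loaded" warning — worth confirming against the base image. The `<VirtualHost>`/`<Directory>` container lines are not visible in this rendering, so I cannot check which port the TLS vhost binds to.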