Merge branch '97009'

Dockerfile

@@ -2,6 +2,7 @@ FROM centos:7
 ENTRYPOINT ["/tmp/docker-entrypoint.sh"]
 COPY docker-entrypoint.sh \
      keygen.sh \
+     revoke.sh \
      /tmp/
 COPY openvpn/ /etc/openvpn/
 COPY stonevpn.conf /etc/stonevpn.conf
@@ -11,6 +12,7 @@ RUN set -x \
            && yum install openvpn stonevpn -y \
            && chmod +x /tmp/docker-entrypoint.sh \
            && chmod +x /tmp/keygen.sh \
+           && chmod +x /tmp/revoke.sh \
            && chmod 400 /etc/openvpn/keys/*.key \
            && chmod 440 /etc/openvpn/keys/*.crt \
            && yum install -y https://centos7.iuscommunity.org/ius-release.rpm \

Jenkinsfile

@@ -1,33 +1,52 @@
+def SERIAL
+def CONTAINER_ID_CLIENT
+def ENAMES = [ 'prod', 'dev' ]
+def CLUSTERS = ['prod': 'iru-swarm1-open.infoclinica.lan', 'dev': 'dev-iru-swarm.infoclinica.lan']
+def REGISTRIES = ['prod': 'registry.infoclinica.ru:5000', 'dev': 'dev-registry.infoclinica.ru:5000']
+
 pipeline {
   agent {
     label "swarm"
   }
   environment {
     DOCKER_REGISTRY='dev-registry.infoclinica.ru:5000'
-    DOCKER_IMAGE='ovpn'
-    SERVICE_IMAGE='container_run'
-    SERVICE_NAME='ovpn'
+    DOCKER_IMAGE='ovpn-rsa'
+    SERVICE_NAME='ovpn-rsa_server'
     SWARM_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/stack-deploy.git'
     SWARM_GIT_NAME='stack-deploy'
     PKI_GIT_URL='ssh://git@git.sdsys.ru:8022/iru/openvpn-pki.git'
     PKI_GIT_NAME='openvpn-pki'
-    GOST_GIT_DIR='openvpn'
+    OVPN_GIT_DIR='openvpn'
     JENKINS_MAIL='jenkins@sdsys.ru'
-    CLUSTER_NAME='iru-swarm1-open.infoclinica.ru'
+    DOCKER_CERT_PATH='/run/secrets/swarm'
   }
   parameters {
+    string(
+      name: "branch",
+      defaultValue: "97009",
+      description: "Which branch to use"
+    )
     string(
       name: "mailto",
-      defaultValue: "admin@sdsys.ru",
+      defaultValue: "tomishinets.v@sdsys.ru",
       description: "Email which has to be notified."
     )
   }
   stages {
+    stage ("Discover SERIAL") {
+      steps {
+        script {
+          SERIAL = sh script: "echo -n `date +%y%m%d``printf %03d $BUILD_NUMBER`", returnStdout: true
+        }
+      }
+    }
     stage("Pull PKI repo") {
       steps {
         withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
           sh '''GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
-                git clone ${PKI_GIT_URL}
+                git clone ${PKI_GIT_URL} && cd ${WORKSPACE}/${PKI_GIT_NAME} && git checkout ${branch} && cd ${WORKSPACE}
+                GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+                git clone ${SWARM_GIT_URL}
              '''
         }
           sh '''cp ${WORKSPACE}/openvpn-pki/open/easy-rsa/keys/ca.crt \
@@ -45,101 +64,72 @@ pipeline {
     }
     stage("Build") {
       steps {
-        echo "Building ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}."
-        sh "docker build --no-cache -t ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER} ."
+        echo "Building ${DOCKER_IMAGE}:${SERIAL}."
+        sh """docker build --no-cache -t ${DOCKER_IMAGE}:${SERIAL} .
+              if [ \$? != 0 ]; then echo 'The container was not built'; exit 1; fi
+           """
       }
     }
-    stage("Staging") {
+    stage ("Push to registry") {
       steps {
-        echo "Run ${DOCKER_IMAGE} in server mode."
-        sh '''container_id_server=`docker run -d --rm -e "mode=server" \
-              --privileged ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}`
-              container_ip_server=`docker inspect ${container_id_server} --format='{{.NetworkSettings.IPAddress}}'`
-              container_id_client=`docker run -d --rm -e "mode=client" -e "server=${container_ip_server}" --privileged ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}`
-              sleep 15
-              docker exec ${container_id_client} ping -c 3 -q 10.10.20.1
-              if [ $? != 0 ]
-              then
-                echo "Can not connect to VPN server !!!"
-                docker stop ${container_id_server} ${container_id_client}
-                exit 1
-              else
-                echo "VPN server is started"
-                docker stop ${container_id_server} ${container_id_client}
-              fi
-           '''
+        script {
+          ENAMES.each { item ->
+             echo "Pushing to: ${item}, CLUSTER ${CLUSTERS.get((item))}"
+             sh """docker tag ${DOCKER_IMAGE}:${SERIAL} ${REGISTRIES.get((item))}/iru/${DOCKER_IMAGE}:${SERIAL}
+                   docker push ${REGISTRIES.get((item))}/iru/${DOCKER_IMAGE}:${SERIAL}
+                """
+          }
+        }
       }
     }
-    stage("Publish") {
+    stage("Run in Prod-like") {
       steps {
-        echo "Publishing ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}."
-        sh "docker push ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}"
+        script {
+          echo "Check Prod-like cluster status"
+          sh "echo -n \${SERIAL} > \${SWARM_GIT_NAME}/tags/\${DOCKER_IMAGE}.version" 
+          sh """cd \${SWARM_GIT_NAME}/\${DOCKER_IMAGE}
+                DOCKER_HOST=tcp://${CLUSTERS.get((ENAMES[1]))}:2376 DOCKER_TLS_VERIFY=1 ./ovpn-rsa-open-staging.sh
+             """
+          def NODE = sh (script: "DOCKER_HOST=tcp://${CLUSTERS.get((ENAMES[1]))}:2376 DOCKER_TLS_VERIFY=1 docker service ps \${SERVICE_NAME} --format '{{.Node}}' --filter desired-state=Running" , returnStdout: true).trim()
+          echo "${NODE}"
+          CONTAINER_ID_CLIENT = sh (script: "docker run -e mode=client -e server=${NODE} --privileged -d --rm  ${DOCKER_IMAGE}:${SERIAL}" , returnStdout: true).trim()
+          sh """docker exec -t ${CONTAINER_ID_CLIENT} ping -c 3 -q 10.10.20.1
+                if [ \$? != 0 ]; then exit 1; else echo 'OVPN_RSA is working!!!'; fi
+             """
+          
+             
+        }
       }
     }
-    stage("Prod-like") {
+    stage ("Tagging") {
       steps {
-        echo "Check Prod-like cluster status"
-        sh '''ping -c 2 ${CLUSTER_NAME}
-              if [ $? -eq 0 ]; then
-                export DOCKER_CERT_PATH=/run/secrets/swarm
-                export DOCKER_HOST=tcp://${CLUSTER_NAME}:2376 DOCKER_TLS_VERIFY=1
-                docker node ls --format "{{.Hostname}} {{.TLSStatus}}" | while read host status
-                do
-                  if [ $status != Ready ]; then echo "Cluster ${CLUSTER_NAME} state is inconsistent"; exit 1
-                  else echo "HOST: $host STATUS: $status"
-                  fi
-                done
-              else echo "Host not Found"; exit 1
-              fi
-           '''
-        echo "Run containers in Prod-like"
-        sh '''export DOCKER_CERT_PATH=/run/secrets/swarm
-              export DOCKER_HOST=tcp://${CLUSTER_NAME}:2376 DOCKER_TLS_VERIFY=1
-              export DOCKER_HOST=tcp://$(docker info -f '{{.Name}}'):2376 DOCKER_TLS_VERIFY=1
-              if [ -z $(docker service ps -q ${DOCKER_IMAGE}) ];then
-                docker service create --replicas 1 \
-                --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock \
-                --name ${SERVICE_NAME} ${DOCKER_REGISTRY}/${SERVICE_IMAGE}:2 -p 1194:1194 \
-                --privileged --security-opt seccomp=unconfined \
-                --tmpfs /run --tmpfs /run/lock -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-                -e "mode=server" ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}
-              else
-                docker service update \
-                --args "-p 1194:1194 --privileged --security-opt seccomp=unconfined \
-                --tmpfs /run --tmpfs /run/lock -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-                -e "mode=server" ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}" \
-                ${SERVICE_NAME}
-                if [ $? != 0 ]; then docker service rollback ${SERVICE_NAME}; fi
-              fi
-           '''
+        script {
+          ENAMES.each { item ->
+             echo "Setting latest tag for $item"
+             sh """docker tag ${DOCKER_IMAGE}:${SERIAL} ${REGISTRIES.get((item))}/iru/${DOCKER_IMAGE}:latest
+                   docker push ${REGISTRIES.get((item))}/iru/${DOCKER_IMAGE}:latest
+                """
+          }
+        }
+      echo "Updating tag info in ${SWARM_GIT_NAME} repository"
+        withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
+          sh """cd ${SWARM_GIT_NAME}
+                echo -n ${SERIAL} > tags/${DOCKER_IMAGE}.version
+                git add -A
+                git config --global user.email "${JENKINS_MAIL}"
+                git config --global user.name "Jenkins"
+                git commit -m 'Version update'
+                GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
+                git push origin master
+             """
+        }
       }
     }
-    stage("Tagging") {
-        steps {
-          echo "Tagging ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER} to ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest"
-          sh '''docker tag ${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER} \
-                ${DOCKER_REGISTRY}/iru/${DOCKER_IMAGE}:latest
-                docker push ${DOCKER_REGISTRY}/iru/${DOCKER_IMAGE}:latest
-             '''
-          echo "Updating tag info in ${SWARM_GIT_NAME} repository"
-          withCredentials([sshUserPrivateKey(credentialsId: 'provision', keyFileVariable: 'GIT_SSH_KEY', passphraseVariable: '', usernameVariable: 'GIT_SSH_USERNAME')]) {
-            sh '''GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
-                  git clone ${SWARM_GIT_URL}
-                  cd ${SWARM_GIT_NAME}
-                  echo -n ${BUILD_NUMBER} > tags/${DOCKER_IMAGE}.version
-                  git add -A
-                  git config --global user.email "${JENKINS_MAIL}"
-                  git config --global user.name "Jenkins"
-                  git commit -m 'Version update'
-                  GIT_SSH_COMMAND='ssh -i ${GIT_SSH_KEY} -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
-                  git push origin master
-               '''
-         }
-       }
-     }
   }
   post {
     always {
+      sh "docker stop ${CONTAINER_ID_CLIENT}"
+      sh "DOCKER_HOST=tcp://${CLUSTERS.get((ENAMES[1]))}:2376 DOCKER_TLS_VERIFY=1 docker stack rm ${DOCKER_IMAGE}"
       echo "CleaningUp work directory"
       deleteDir()
     }

Jenkinsfile_keygen

@@ -85,7 +85,7 @@ pipeline {
             sh """set +x
                   docker pull $DOCKER_REGISTRY/iru/$DOCKER_IMAGE:latest 
                   docker run -i --rm -e TZ=Europe/Moscow -e mode=keygen -e "SSHKEY=`cat ${GIT_SSH_KEY}`" \
-                  -e git_url=$PKI_GIT_URL -e git_dir=$PKI_GIT_NAME \
+                  -e git_url=${PKI_GIT_URL} -e git_dir=${PKI_GIT_NAME} \
                   $DOCKER_REGISTRY/iru/$DOCKER_IMAGE:latest /tmp/$COMMAND $key_name $branch
                """
           }
@@ -184,11 +184,10 @@ pipeline {
       steps {
         script {
           def NODE = sh (script: "DOCKER_HOST=tcp://${CLUSTER_NAME}:2376 DOCKER_TLS_VERIFY=1 docker service ps \${SERVICE_NAME} --format '{{.Node}}' --filter desired-state=Running" , returnStdout: true).trim()
-          sh "if [ -z ${NODE} ]; then echo '${SERVICE_NAME} doesn't running'; exit 1"
+          sh "if [ -z ${NODE} ]; then echo '${SERVICE_NAME} does not running'; exit 1; fi"
           def container_id = sh (script: "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker ps -q -f label=ru.sdsys.subcontainer=\${SERVICE_NAME}" , returnStdout: true).trim()
           sh "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker cp ${WORKSPACE}/${OVPN_GIT_DIR}/${OVPN_GIT_DIR}/ccd/ ${container_id}:/etc/${OVPN_GIT_DIR}/persist"
-          sh "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker cp ${WORKSPACE}/${PKI_GIT_NAME}/open/easy-rsa/keys/stonevpn.crl"
-
+          sh "DOCKER_HOST=tcp://${NODE}:2376 DOCKER_TLS_VERIFY=1 docker cp ${WORKSPACE}/${PKI_GIT_NAME}/open/easy-rsa/keys/stonevpn.crl ${container_id}:/etc/${OVPN_GIT_DIR}/persist/stonevpn.crl"
         }
       }
     }
@@ -213,4 +212,4 @@ pipeline {
            body: "<b>ATTENTION!!!</b> <b><br> Jenkins job aborted.\n\n <b><br> The CNAME ${key_name} is already exists!\n\n <b><br>Project Name:</b> ${env.JOB_NAME} <b><br>\nBuild Number:</b> ${env.BUILD_NUMBER} <b><br>\nURL Build:</b> ${RUN_DISPLAY_URL}"
     }
   }
-}
+}

keygen.sh

@@ -1,29 +1,21 @@
 #!/bin/bash
-git_url_pki="ssh://git@git.sdsys.ru:8022/iru/openvpn-pki.git"
-git_url_ovpn="ssh://git@git.sdsys.ru:8022/iru/openvpn.git"
-git_dir_pki="openvpn-pki"
-git_dir_ovpn="openvpn"
+#git_url="ssh://git@git.sdsys.ru:8022/iru/openvpn-pki.git"
+#git_dir_pki="openvpn-pki"
+
 JENKINS_MAIL="jenkins.dev@sdsys.ru"
 cd /
-GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git clone ${git_url_pki}
-GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git clone ${git_url_ovpn}
+GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git clone ${git_url}
+cd /${git_dir} && git checkout $2
 
 stonevpn -f $1 -n "$1" -z
 
 echo "Generate new key and cert for $1" > /tmp/commit.txt
 
-cd ${git_dir_pki}
+cd /${git_dir}
 
 git add -A
 git config --global user.email "${JENKINS_MAIL}"
 git config --global user.name "Jenkins"
 git commit -F /tmp/commit.txt
-GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git push origin master
-
-#cd ${git_dir_ovpn}
+GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git push origin $2
 
-#git add -A
-#git config --global user.email "${JENKINS_MAIL}"
-#git config --global user.name "Jenkins"
-#git commit -F /tmp/commit.txt
-#GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git push origin master

openvpn/ccd/client_down

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-#set -o xtrace
-#logfile=/tmp/client_down
-#exec >> $logfile 2>&1
-#date
-
-echo ===========================================
-echo $common_name
-echo ===========================================
-ext_ovpn=`/sbin/ifconfig external | grep inet | /bin/sed 's/^ *inet addr://g' | /bin/sed 's/ .*//g'`
-echo 'Ext_Ovpn '$ext_ovpn
-paddr=`grep ifconfig-push "/etc/openvpn/ccd/$common_name" | sed 's/ifconfig-push //g' | sed 's/ .*//g'`
-echo 'Paddr '$paddr
-if [ $? -eq 0 ]
-then
-#    ping -c3 $paddr
-#    [ $? -gt 0 ] && 
-    /usr/bin/sudo /sbin/ip route del $paddr via $ext_ovpn
-fi
-caddr=`grep iroute "/etc/openvpn/ccd/$common_name" | sed 's/iroute //g' | sed 's/ .*//g'`
-echo 'Caddr '$caddr
-if [ $? -eq 0 ]
-then
-#    ping -c3 $caddr
-#    [ $? -gt 0 ] && 
-    /usr/bin/sudo /sbin/ip route del $caddr via $ext_ovpn
-fi
-
-

openvpn/ccd/client_up

@@ -1,25 +0,0 @@
-#!/bin/bash
-
-#set -o xtrace
-#logfile=/tmp/client_up
-#exec >> $logfile 2>&1
-#date
-
-echo ===========================================
-echo $common_name
-echo ===========================================
-ext_ovpn=`/sbin/ifconfig external | grep inet | /bin/sed 's/^ *inet addr://g' | /bin/sed 's/ .*//g'`
-echo 'Ext_Ovpn '$ext_ovpn
-paddr=`grep ifconfig-push "/etc/openvpn/ccd/$common_name" | sed 's/ifconfig-push //g' | sed 's/ .*//g'`
-echo 'Paddr '$paddr
-#if [ $? -eq 0 ]
-#then
-    [[ ! -z $paddr ]] && /usr/bin/sudo /sbin/ip route add $paddr via $ext_ovpn
-#fi
-caddr=`grep iroute "/etc/openvpn/ccd/$common_name" | sed 's/iroute //g' | sed 's/ .*//g'`
-echo 'Caddr '$caddr
-#if [ $? -eq 0 ]
-#then
-    [[ ! -z $caddr ]] && /usr/bin/sudo /sbin/ip route add $caddr via $ext_ovpn
-#fi
-exit 0

openvpn/ccd/test

@@ -1 +0,0 @@
-ifconfig-push 10.10.20.94 255.255.255.0

openvpn/client.conf.ori

@@ -1,26 +0,0 @@
-# tap or tun
-dev             tun
-# tcp or udp. If GOST - TCP only
-proto           udp
-# Log-file
-log      /var/log/openvpn.log
-# Verbosity 0-11
-verb            3 
-
-persist-key
-persist-tun
-comp-lzo       yes
-#push comp-lzo  yes
-
-# Client mode
-client
-nobind
-#resolv-retry infinite
-#ns-cert-type server
-# Address and port of OpenVPN-GOST server
-remote server 1195
-
-ca              /etc/openvpn/keys/ca.crt
-cert            /etc/openvpn/keys/test-client.crt
-key             /etc/openvpn/keys/test-client.key
-

openvpn/keys/README.md

@@ -1,19 +0,0 @@
-# Docker образ OpenVPN GOST
-Состав дистрибутива:
-
-  - Docker образ на основе **Centos 6.9**
-  - OpenVPN
-  - StoneVPN
-  - Easy-RSA
-
-Для запуска контейнера используется исполняемый файл docker-entrypoint.sh, в которомм:
-
-
-
-### Пример запуска контейнера
-
-`docker run -ti --rm -e "mode=server" --name openvpn --privileged -p 1194:1194/tcp --net=host openvpn:1`
-
-#### Примечание:
-
-

openvpn/server.conf

@@ -2,19 +2,22 @@ port 1194
 proto udp
 dev external
 dev-type tun
-verb           4 
 ca  /etc/openvpn/keys/ca.crt
 cert  /etc/openvpn/keys/server.crt
 key  /etc/openvpn/keys/server.key 
 dh  /etc/openvpn/keys/dh2048.pem
-crl-verify /etc/openvpn/keys/stonevpn.crl
+crl-verify /etc/openvpn/persist/stonevpn.crl
 tls-auth /etc/openvpn/keys/ta.key 0
 server 10.10.20.0 255.255.255.0
-client-config-dir /etc/openvpn/ccd
+push "route 192.168.200.0 255.255.248.0"
+client-config-dir /etc/openvpn/persist/ccd
 ccd-exclusive
-keepalive 10 60
+keepalive 5 10
 comp-lzo
+user openvpn
+group openvpn
 persist-key
 persist-tun
+status /var/log/openvpn-status.log
 topology subnet
-push "route 192.168.200.0 255.255.248.0"
+verb 3

revoke.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+#git_url_pki="https://git.sdsys.ru/iru/openvpn-pki.git"
+#git_dir_pki="openvpn-pki"
+
+JENKINS_MAIL="jenkins.dev@sdsys.ru"
+cd /
+GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git clone ${git_url_pki}
+cd /${git_dir_pki} && git checkout $2
+
+serial=$(stonevpn -a | grep "$1" | awk '{print $1}')
+stonevpn -r ${serial}
+
+cd /${git_dir_pki}
+echo "Revoke $1" > /tmp/commit.txt
+
+git add -A
+git config --global user.email "${JENKINS_MAIL}"
+git config --global user.name "Jenkins"
+git commit -F /tmp/commit.txt
+GIT_SSH_COMMAND='ssh -i /tmp/keyfile -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' git push origin $2