Configuration and Documentation of the Buildmaster and Workers

buildbot-buildmaster/buildbot/README.md

@@ -91,7 +91,12 @@ If you are unhappy with this location, you can specify another one in docker-com
 To do so, modify the volume of the service "db" accordingly.
 
 #### WEB URL
-If you aren't running this service under mendel.fh-salzburg.ac.at, you have to specify a different URL in docker-compose.yml.
-You'll find this option in the labels of the service buildbot-buildmaster
+If you aren't running this service under `mendel.fh-salzburg.ac.at`, you have to replace all occurences in [docker-compose.yml](docker-compose.yml) with a different URL.
+You'll find them in the labels of the service buildbot-buildmaster.
+### Subnet for non-TLS communication
+Windows workers currently cannot connect to the buildmaster via TLS.
+For this reason, the VM hosting the buildmaster and the Windows 10 VM running the worker share a subnet to ensure secure communication.
+You have to provide the IP of the Subnet in [docker-compose.yml](docker-compose.yml).
+To do so, replace `<Windows-Subnet-IP>` with your the server's IP in that subnet.
 ### db.env
 Specify a database password.

buildbot-buildmaster/buildbot/docker-compose.yml

@@ -21,11 +21,13 @@ services:
     volumes:
         - ./secrets/:/var/lib/buildbot/secrets
         - ./master.cfg:/var/lib/buildbot/master.cfg
+        - ../traefik/dump/mendel.fh-salzburg.ac.at/:/var/lib/buildbot/certificate.pem:ro
+        - ../traefik/dump/mendel.fh-salzburg.ac.at/:/var/lib/buildbot/privateky.pem:ro
     networks:
       - proxy
       - buildbot
     ports:
-      - 10.10.41.44:9988:9989
+      - <Windows-Subnet-IP>:9989:9989
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"
@@ -49,6 +51,7 @@ services:
       - "traefik.tcp.routers.buildbot.tls=true"
 
       - "traefik.tcp.services.buildbot.loadbalancer.server.port=9989"
+      - "traefik.tcp.services.buildbot.loadbalancer.terminationDelay=42"
   db:
     env_file:
       - db.env

buildbot-buildmaster/traefik/README.md

@@ -8,8 +8,9 @@ Furthermore, it listens on port 9989 and provides a TLS connection for buildbot-
 The services behind traefik reside in private networks, only the ports needed are exposed to the internet.
 
 Traefik needs access to the docker-socket: `var/run/docker.sock`.
-Since this could result in vulnerabilities, the socket is made available over a socket-proxy (`tecnativa/docker-socket-proxy`), which runs as a service next to traefik.
+Since this could result in vulnerabilities, the socket is made available over a socket-proxy (image: `tecnativa/docker-socket-proxy`), which runs as a service next to traefik.
 
+The automatically obtained certs are extracted from [acme.json](acme.json) by the dockerized service `cert-dumper` (image: `ldez/traefik-certs-dumper:v2.7.0`) and stored in the folder [dynamic](dynamic).
 ## Usage
 This project is dockerized and uses docker-compose.
 The file docker-compose.yml tells docker-compose what to do, so you have to change into the directory containing the file, before executing any of these commands!
@@ -21,7 +22,7 @@ or to restart
 
 Note: If the Raspberry Pis can't connect to the buildmaster, simply run `docker-compose` restart.
 ### Stopping
-- `docker-compose dow`n
+- `docker-compose down`
 ### Updating
 Run the following steps in this order:
 ```
@@ -38,10 +39,26 @@ To view logs in realtime, run
 Exit with `CTRL+C`
 
 ## Setup / Configuration
-Traefik has a static configuration ([`docker-compose.yml`](docker-compose.yml) and [`traefik.yml`](traefik.yml)) and a dynamic configuration (folders [`certs`](certs) and [`dynamic`](dynamic))
-Everything is preconfigured, so no action is required.
-The only thing to keep in mind is to renew the certificates, located in [`certs`](certs) (please refer to the [README](certs/README.md) in this folder).
-Traefik could handle renewals by itself when using letsencrypt, but in this setup we specified a certificate manually.
+Traefik has a static configuration ([docker-compose.yml](docker-compose.yml) and [traefik.yml](traefik.yml)) and a dynamic configuration ([acme.json](acme.json) and [dynamic](dynamic)).
+Trafik handles certificate renewals automatically.
+The certificates are stored in [acme.json](acme.json).
+The service `cert-dumper` extracts and stores the certificates in the folder [dump](dump).
 
-The services handled by traefik are configured via labels in the corresponding docker-compose.yml files, in our case [`../buildbot/docker-compose.yml`](../buildbot/docker-compose.yml), so please have a look there
+### Steps:
+
+You have to change the file permissions for [acme.json](acme.json) and [dynamic](dynamic).
+Todo so, run:
+- `chmod 600 acme.json`
+- `chmod 600 acme.json`
+
+For the `cert-dumper` to be able to create files under a username running the services, you have to add the following to your `~/.bashrc`:
+
+```
+export COMPOSE_UID=$(id -u)
+export COMPOSE_GID=$(id -g)
+```
+
+### Configuration of services behind traefik:
+The services handled by traefik are configured via labels in the corresponding docker-compose.yml files, in our case [../buildbot/docker-compose.yml](../buildbot/docker-compose.yml).
+Please refer to [../buildbot/README.md](../buildbot/README.md) for setup instructions.
 

buildbot-buildmaster/traefik/docker-compose.yml

@@ -11,6 +11,21 @@ services:
       CONTAINERS: 1
     networks:
       - socketproxy
+  cert-dumper:
+    image: ldez/traefik-certs-dumper:v2.7.0
+    restart: unless-stopped
+    container_name: cert-dumper
+    # add the following to your ~/.bashrc:
+    # export COMPOSE_UID=$(id -u)
+    # export COMPOSE_GID=$(id -g)
+    # OR add IDs directly to .env
+    user: ${COMPOSE_UID:?Please export COMPOSE_UID; see comments in docker-compose.yml}:${COMPOSE_GID:?Please export COMPOSE_UID; see comments in docker-compose.yml}
+    working_dir: $HOME
+    entrypoint: "/usr/bin/traefik-certs-dumper file --source $HOME/acme.json --dest $HOME/dump --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2 --watch"
+    network_mode: "none"
+    volumes:
+      - ./acme.json:$HOME/acme.json:ro
+      - ./dump:$HOME/dump
 
   traefik:
     image: traefik:v2.0
@@ -29,7 +44,7 @@ services:
       - /etc/localtime:/etc/localtime:ro
       - ./traefik.yml:/traefik.yml:ro
       - ./dynamic/:/etc/traefik/conf/:ro
-      - ./certs/:/etc/traefik/certs:ro
+      - ./acme.json:/acme.json
 networks:
   socketproxy:
     external: true

buildbot-buildmaster/traefik/dynamic/tls.yml

@@ -9,9 +9,6 @@ http:
           Strict-Transport-Security: "max-age=63072000"
         stsPreload: true
 tls:
-  certificates:
-    - certFile: /etc/traefik/certs/mendel_fh-salzburg_ac_at.crt
-      keyFile: /etc/traefik/certs/mendel_fh-salzburg_ac_at.key
   options:
     default:
       minVersion:  "VersionTLS12"

buildbot-buildmaster/traefik/traefik.yml

@@ -1,6 +1,3 @@
-#api:
-#  dashboard: true
-
 entryPoints:
   http:
     address: ":80"
@@ -18,3 +15,10 @@ providers:
   file:
     directory: "/etc/traefik/conf/"
 
+certificatesResolvers:
+  http:
+    acme:
+      email: sebastian.burkhart@fh-salzburg.ac.at
+      storage: acme.json
+      httpChallenge:
+        entryPoint: http