From 4f194a879478c90503fe4899570d789c8729b161 Mon Sep 17 00:00:00 2001 From: Gernot Schulz Date: Fri, 14 Aug 2020 13:24:45 +0200 Subject: [PATCH] Docker: Add a Docker secret for the Django key We have decided against including an insecure default key with a mere warning. Therefore, unlike the admin and user secrets, the availability of this secret is a hard requirement. The instance will not be able to start before a secret has been generated manually or by a management tool. --- docker/docker-compose.yml.m4 | 9 +++++++-- docker/docker-stack.yml.m4 | 9 +++++++-- docker/secrets/django.env.example | 3 +++ server/build.sh | 8 -------- server/docker/entrypoint | 9 +++++++++ server/docker/entrypoint-db-setup | 9 +++++++++ 6 files changed, 35 insertions(+), 12 deletions(-) create mode 100644 docker/secrets/django.env.example diff --git a/docker/docker-compose.yml.m4 b/docker/docker-compose.yml.m4 index d0d9fa1dc..2c5902fd0 100644 --- a/docker/docker-compose.yml.m4 +++ b/docker/docker-compose.yml.m4 @@ -73,6 +73,8 @@ services: - server-db-setup environment: << : *default-osserver-env + secrets: + - django ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy: replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1)) @@ -81,7 +83,8 @@ services: entrypoint: /usr/local/sbin/entrypoint-db-setup environment: << : *default-osserver-env - ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) + secrets: + - django ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(USER_SECRET_AVAILABLE, 0,- os_user) depends_on: @@ -195,7 +198,9 @@ networks: back: dbnet: -ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) +secrets: + django: + file: ./secrets/django.env ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin: file: ./secrets/adminsecret.env) ifelse(USER_SECRET_AVAILABLE, 0,os_user: diff --git a/docker/docker-stack.yml.m4 b/docker/docker-stack.yml.m4 index 238d13caf..9ade06f77 100644 --- a/docker/docker-stack.yml.m4 
+++ b/docker/docker-stack.yml.m4 @@ -71,6 +71,8 @@ services: # command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application" environment: << : *default-osserver-env + secrets: + - django deploy: restart_policy: condition: on-failure @@ -82,7 +84,8 @@ services: entrypoint: /usr/local/sbin/entrypoint-db-setup environment: << : *default-osserver-env - ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) + secrets: + - django ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(USER_SECRET_AVAILABLE, 0,- os_user) @@ -229,7 +232,9 @@ networks: driver_opts: encrypted: "" -ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) +secrets: + django: + file: ./secrets/django.env ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin: file: ./secrets/adminsecret.env) ifelse(USER_SECRET_AVAILABLE, 0,os_user: diff --git a/docker/secrets/django.env.example b/docker/secrets/django.env.example new file mode 100644 index 000000000..100a0ed3f --- /dev/null +++ b/docker/secrets/django.env.example @@ -0,0 +1,3 @@ +# Define a secret key for Django +# https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/#secret-key +DJANGO_SECRET_KEY= diff --git a/server/build.sh b/server/build.sh index 234260600..8ce7ef779 100755 --- a/server/build.sh +++ b/server/build.sh @@ -7,12 +7,4 @@ printf "Server built on %s:\n\nBranch: %s\n\n%s\n" \ "$(git rev-parse --abbrev-ref HEAD)" \ "$(git show -s --format=raw)" > docker/server-version.txt -# @Gernot: TODO -# SECRET_KEY=$(head /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&()*+,-./:;<=>?@[]^_`{|}~' | head -c 64) -# sed: \/& must be escaped... -# ESCAPED_SECRET_KEY=$(printf "%s\n" "$SECRET_KEY" | sed -e 's/[\/&]/\\&/g') -# sed -i \ -# -e "/SECRET_KEY/s/%%secret-key%%/$ESCAPED_SECRET_KEY/" \ -# docker/settings.py - docker build -f docker/Dockerfile . $@ diff --git a/server/docker/entrypoint b/server/docker/entrypoint index 1ab56163e..b9388da92 100755 --- a/server/docker/entrypoint +++ b/server/docker/entrypoint 
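Review bot: The example leaves the value unquoted (`DJANGO_SECRET_KEY=`), but both entrypoints in this patch read the file with `source`, so a key containing shell metacharacters such as `$`, `(`, `&` or `*` — which Django's own generator produces — would be mis-parsed or partly evaluated instead of being stored verbatim. The example should show a single-quoted value and say why, e.g. `DJANGO_SECRET_KEY=''` preceded by `# Single-quote the value: this file is sourced by the server entrypoint`. The linked checklist is pinned to Django 1.10; a version-independent link or a one-line generation hint such as `python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'` would help operators produce a suitable key.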
@@ -2,6 +2,15 @@ set -e
+# Set DJANGO_SECRET_KEY variable
+source /run/secrets/django
+[[ -n "$DJANGO_SECRET_KEY" ]] || {
+ echo "ERROR: Django secret key undefined! Cannot continue."
+ sleep 5
+ exit 2
+}
+export SECRET_KEY="$DJANGO_SECRET_KEY"
+
 # TODO: env variable for this host
 wait-for-it -t 0 "server-db-setup:8000"
diff --git a/server/docker/entrypoint-db-setup b/server/docker/entrypoint-db-setup
index 2153196ac..acd327e06 100755
--- a/server/docker/entrypoint-db-setup
+++ b/server/docker/entrypoint-db-setup
@@ -15,6 +15,15 @@ EOF
 sleep 10
 }
+# Set DJANGO_SECRET_KEY variable
+source /run/secrets/django
+[[ -n "$DJANGO_SECRET_KEY" ]] || {
+ echo "ERROR: Django secret key undefined! Cannot continue."
+ sleep 5
+ exit 2
+}
+export SECRET_KEY="$DJANGO_SECRET_KEY"
+
 # Configure database
 # TODO: env variables??
 echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass"
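Review bot: The `[[ -n "$DJANGO_SECRET_KEY" ]]` guard only covers an empty value: the script runs under `set -e`, so when `/run/secrets/django` is not mounted at all the preceding `source` already aborts with bash's own "No such file or directory", and the intended `ERROR: Django secret key undefined!` message, the `sleep 5` and exit status 2 never happen. A readability check before sourcing keeps the failure mode uniform, e.g. `[[ -r /run/secrets/django ]] || { echo "ERROR: Django secret file /run/secrets/django missing! Cannot continue."; sleep 5; exit 2; }`. The purpose of `sleep 5` is not stated; if it is meant to slow down a container restart loop, a comment such as `# pause so a restart policy does not spin` would document it. The same block is duplicated in the entrypoint-db-setup hunk, which has the same gap; both scripts continue beyond their hunks.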