documentation
This commit is contained in:
parent
3bf3b037f2
commit
35541e6fdc
@ -10,7 +10,7 @@ ARG MOSQ_GID="1883"
|
|||||||
|
|
||||||
RUN \
|
RUN \
|
||||||
apt update && \
|
apt update && \
|
||||||
apt install -y mariadb-client openssl libwebsockets-dev certbot bash cron supervisor vim-tiny && \
|
apt install -y mariadb-client openssl libwebsockets-dev certbot bash cron supervisor vim-tiny procps net-tools && \
|
||||||
update-alternatives --set editor /usr/bin/vim.tiny && \
|
update-alternatives --set editor /usr/bin/vim.tiny && \
|
||||||
update-alternatives --set vi /usr/bin/vim.tiny && \
|
update-alternatives --set vi /usr/bin/vim.tiny && \
|
||||||
groupadd -r -g $MOSQ_GID $MOSQ_USER && \
|
groupadd -r -g $MOSQ_GID $MOSQ_USER && \
|
||||||
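Review bot: `net-tools`, added to the `apt install` line, is the legacy package (`ifconfig`, `netstat`); on Debian the maintained equivalent is `iproute2` (`ip`, `ss`). The larger point is that every troubleshooting tool baked in here (`vim-tiny`, `procps`, `net-tools`) stays in the production container and widens what someone who gets a shell on the broker can use; if they are only needed for debugging, keep them out of the image and `docker exec` them in when needed. While this line is being touched, `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*` in the same `RUN` would keep the layer smaller.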
@ -23,7 +23,7 @@ COPY etc/ /opt/etc
|
|||||||
COPY supervisor-mosquitto.conf /etc/supervisor/conf.d/
|
COPY supervisor-mosquitto.conf /etc/supervisor/conf.d/
|
||||||
COPY crontab /etc/
|
COPY crontab /etc/
|
||||||
COPY mosquitto.conf-sample /opt/etc/mosquitto/
|
COPY mosquitto.conf-sample /opt/etc/mosquitto/
|
||||||
COPY cert-deploy.sh /opt/sbin/
|
COPY cert-deploy.sh /opt/bin/
|
||||||
|
|
||||||
VOLUME /opt/etc
|
VOLUME /opt/etc
|
||||||
VOLUME /opt/data
|
VOLUME /opt/data
|
||||||
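Review bot: moving `cert-deploy.sh` from `/opt/sbin/` to `/opt/bin/` only works if the readme's `cp /opt/bin/cert-deploy.sh ...` step is updated in the same commit (it is, further down). Note that `COPY` keeps the source file's mode, so the script has to be executable in the repository: certbot runs only executable files from `renewal-hooks/deploy/`, and a hook that is silently skipped means the broker keeps serving an expired certificate. Neither `/opt/bin` nor `/opt/sbin` is on the image's default `PATH`, so every reference to the script must use the full path.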
@ -38,5 +38,6 @@ EXPOSE 9001/tcp
|
|||||||
|
|
||||||
WORKDIR /opt
|
WORKDIR /opt
|
||||||
|
|
||||||
CMD /usr/bin/openssl dhparam -out /opt/etc/mosquitto/dh.pem 2048 && /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
|
CMD [ "/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf" ]
|
||||||
|
|
||||||
|
|
||||||
|
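Review bot: switching `CMD` to exec form is the right call: the old `CMD a && b` ran through `/bin/sh -c`, so `supervisord` was not PID 1 and `docker stop` delivered SIGTERM to the shell instead of to supervisord and its children. Two consequences belong in the documentation next to this change: `dh.pem` is no longer regenerated on every start (a 2048-bit `openssl dhparam` can take minutes, so not doing it per restart is an improvement), but a `mosquitto.conf` that references `dhparamfile /opt/etc/mosquitto/dh.pem` now fails until the file has been generated once by hand; generating it at build time, or on first start only if it is missing, would remove that manual step.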
2
crontab
2
crontab
@ -1,3 +1,3 @@
|
|||||||
SHELL=/bin/sh
|
SHELL=/bin/sh
|
||||||
PATH=/usr/bin
|
PATH=/usr/bin
|
||||||
*/2 * * * * root supervisorctl start certbot
|
1 1 * * 1 root supervisorctl start certbot
|
||||||
|
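Review bot: the new schedule `1 1 * * 1` runs the renewal attempt once a week at 01:01 on Monday; `certbot renew` only renews certificates within 30 days of expiry, so weekly is enough in the normal case, but it leaves only about four attempts in that window if the challenge keeps failing (port 80 unreachable, DNS changed). Certbot's own guidance is to run `renew` twice a day at a random minute, e.g. `17 */12 * * * root supervisorctl start certbot`, which costs nothing because a run with nothing to renew exits immediately. The old `*/2 * * * *` line was clearly a leftover from testing, so the change itself is welcome.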
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
|
IMAGE=wollud1969/mosquitto-with-auth:latest
|
||||||
VOLUME_CONFIG=mosquitto-config
|
VOLUME_CONFIG=mosquitto-config
|
||||||
VOLUME_DATA=mosquitto-data
|
VOLUME_DATA=mosquitto-data
|
||||||
VOLUME_LOG=mosquitto-log
|
VOLUME_LOG=mosquitto-log
|
||||||
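Review bot: `IMAGE=wollud1969/mosquitto-with-auth:latest` together with the unconditional `docker pull $IMAGE` later in this script means every start of the container silently picks up whatever was last pushed under `latest` on Docker Hub; for a container that holds the TLS private key and the auth backend credentials, pin a version tag or, better, an image digest (`wollud1969/mosquitto-with-auth@sha256:...`) and bump it deliberately. The readme still says the image is built by GitLab CI (which is what the old `registry.gitlab.com/wolutator/...` line pointed at), so the text describing where the image comes from needs the same update.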
@ -25,7 +25,6 @@ docker run \
|
|||||||
-v $VOLUME_DATA:/opt/data \
|
-v $VOLUME_DATA:/opt/data \
|
||||||
-v $VOLUME_LOG:/var/log/supervisor \
|
-v $VOLUME_LOG:/var/log/supervisor \
|
||||||
-v $VOLUME_LETSENCRYPT:/etc/letsencrypt \
|
-v $VOLUME_LETSENCRYPT:/etc/letsencrypt \
|
||||||
--link mariadb \
|
|
||||||
--name mosquitto \
|
--name mosquitto \
|
||||||
$IMAGE
|
$IMAGE
|
||||||
|
|
||||||
|
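Review bot: dropping `--link mariadb` removes the only thing in this script that made the database reachable from the broker; the mosquitto-go-auth backend still has to connect to MariaDB, so unless the container is attached to a user-defined network on which the database is resolvable by name (`docker network create mqtt`, then `--network mqtt` on both containers), or the backend is pointed at an external host, authentication will fail at runtime. `--link` is legacy and removing it is right, but the replacement (or a statement that the database is external) should appear here and in the readme's copy of the start script.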
69
readme.md
69
readme.md
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.
|
This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.
|
||||||
|
|
||||||
|
It additionally includes the Let's Encrypt `certbot` and some mimic for automatic renewal of certificates using `supervisord` and `cron`.
|
||||||
|
|
||||||
Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.
|
Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.
|
||||||
|
|
||||||
|
|
||||||
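Review bot: "some mimic for automatic renewal" reads like a typo for "mechanism". The unchanged line below, "Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.", now disagrees with the start script in this same commit, which pulls `wollud1969/mosquitto-with-auth:latest` from Docker Hub; say where the published image is built and pushed from, since that is what a user deciding whether to trust the image needs to know.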
@ -17,41 +19,53 @@ The mosquitto-go-auth supports a couple of backends and it seems that all backen
|
|||||||
|
|
||||||
## Running the container
|
## Running the container
|
||||||
|
|
||||||
|
You can not run a container based on this image "out-of-the-box". You need to edit the configuration, and if desired, run all the Let's Encrypt stuff. For details see below.
|
||||||
|
|
||||||
The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume.
|
The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume.
|
||||||
|
|
||||||
All logging is send to `stdout`, so it can be inspected using `docker logs -f <mosquitto-container>`
|
Besides the mosquitto configuration volume, there are volume required for the Let's Encrypt configuration and state, the data directory of the broker and for the logfiles for `supervisord`.
|
||||||
|
|
||||||
|
Due to the requirements of `certbot` it also exposed the port 80 and 443. So, be careful when trying to start this image as a container on the same host as a webserver.
|
||||||
|
|
||||||
|
All logging is send into a dedicated logfile under control of `supervisord`.
|
||||||
|
|
||||||
To start the container a script is provided, which might need to adjusted to the actual environment:
|
To start the container a script is provided, which might need to adjusted to the actual environment:
|
||||||
|
|
||||||
|
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
|
IMAGE=wollud1969/mosquitto-with-auth:latest
|
||||||
VOLUME_CONFIG=mosquitto-config
|
VOLUME_CONFIG=mosquitto-config
|
||||||
VOLUME_DATA=mosquitto-data
|
VOLUME_DATA=mosquitto-data
|
||||||
|
VOLUME_LOG=mosquitto-log
|
||||||
|
VOLUME_LETSENCRYPT=mosquitto-letsencrypt
|
||||||
|
|
||||||
docker volume inspect $VOLUME_CONFIG > /dev/null || docker volume create $VOLUME_CONFIG
|
docker volume inspect $VOLUME_CONFIG > /dev/null || docker volume create $VOLUME_CONFIG
|
||||||
docker volume inspect $VOLUME_DATA > /dev/null || docker volume create $VOLUME_DATA
|
docker volume inspect $VOLUME_DATA > /dev/null || docker volume create $VOLUME_DATA
|
||||||
|
docker volume inspect $VOLUME_LOG > /dev/null || docker volume create $VOLUME_LOG
|
||||||
|
docker volume inspect $VOLUME_LETSENCRYPT > /dev/null || docker volume create $VOLUME_LETSENCRYPT
|
||||||
|
|
||||||
docker pull $IMAGE
|
docker pull $IMAGE
|
||||||
|
|
||||||
docker run \
|
docker run \
|
||||||
-d \
|
-d \
|
||||||
--rm \
|
--rm \
|
||||||
-p1883:1883 \
|
-p80:80 \
|
||||||
-p8883:8883 \
|
-p443:443 \
|
||||||
-p9001:9001 \
|
-p1883:1883 \
|
||||||
-v $VOLUME_CONFIG:/opt/etc/mosquitto \
|
-p8883:8883 \
|
||||||
-v $VOLUME_DATA:/opt/data \
|
-p9001:9001 \
|
||||||
--link mariadb \
|
-v $VOLUME_CONFIG:/opt/etc/mosquitto \
|
||||||
--name mosquitto \
|
-v $VOLUME_DATA:/opt/data \
|
||||||
$IMAGE
|
-v $VOLUME_LOG:/var/log/supervisor \
|
||||||
|
-v $VOLUME_LETSENCRYPT:/etc/letsencrypt \
|
||||||
|
--name mosquitto \
|
||||||
|
$IMAGE
|
||||||
|
|
||||||
|
|
||||||
|
The container expects the main configuration file in the root of the configuration volume named `mosquitto.conf`.
|
||||||
|
|
||||||
The container expects the main configuration file in the root of the volume named `mosquitto.conf`.
|
A very simple configuration, supporting MQTT on port 1883 and over TLS on port 8883 is:
|
||||||
|
|
||||||
A very simple configuration, only supporting MQTT on port 1883 is:
|
|
||||||
|
|
||||||
|
|
||||||
log_dest stdout
|
log_dest stdout
|
||||||
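Review bot: "Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume." is left unchanged directly above the new sentence that lists four volumes (configuration, Let's Encrypt, data, supervisor logs), so the two now contradict each other; drop the old sentence. On `-p80:80 \` and `-p443:443 \`: publishing both on all host interfaces permanently, when certbot's standalone plugin only needs port 80 for the HTTP-01 challenge during the few seconds of a renewal, is a larger exposure than "be careful" conveys; 443 is used neither by the broker (MQTT over TLS is on 8883) nor by the challenge and can be dropped, and on a host that also runs a web server the webroot plugin behind that server is the usual alternative to standalone. Also "The container exposed the ports" should be "exposes", and "All logging is send" should be "sent".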
@ -64,6 +78,15 @@ A very simple configuration, only supporting MQTT on port 1883 is:
|
|||||||
#allow_anonymous true
|
#allow_anonymous true
|
||||||
allow_anonymous false
|
allow_anonymous false
|
||||||
|
|
||||||
|
listener 8883
|
||||||
|
protocol mqtt
|
||||||
|
#allow_anonymous true
|
||||||
|
allow_anonymous false
|
||||||
|
certfile /opt/etc/mosquitto/server.crt
|
||||||
|
keyfile /opt/etc/mosquitto/server.key
|
||||||
|
dhparamfile /opt/etc/mosquitto/dh.pem
|
||||||
|
tls_version tlsv1.2
|
||||||
|
|
||||||
auth_plugin /opt/lib/go-auth.so
|
auth_plugin /opt/lib/go-auth.so
|
||||||
auth_opt_log_dest stdout
|
auth_opt_log_dest stdout
|
||||||
auth_opt_log_level debug
|
auth_opt_log_level debug
|
||||||
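Review bot: the new `listener 8883` block references `dhparamfile /opt/etc/mosquitto/dh.pem`, `certfile` and `keyfile` that do not exist until the manual steps at the end of the readme are done, and the `CMD` in this commit no longer creates `dh.pem`; a comment in the sample saying so (or shipping `dhparamfile` commented out until the file exists) would avoid a broker that refuses to start with an opaque TLS error. Two smaller points: with `allow_anonymous false` on both listeners, the `#allow_anonymous true` lines are leftover toggles that invite switching anonymous access back on and could go; and what `tls_version tlsv1.2` means depends on the mosquitto version built from the submodule (the exact version in 1.x, the minimum version in 2.x), so the text should say which one the reader is getting.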
@ -123,5 +146,21 @@ The password is generated using the `pw` tool provided by mosquitto-go-auth, whi
|
|||||||
For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).
|
For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).
|
||||||
|
|
||||||
|
|
||||||
|
## Preparing configuration and certificates
|
||||||
|
|
||||||
|
* Start the container using the provided start script, follow the container log using `docker logs -f <containername>`, you will see that `supervisord` start `cron` and `mosquitto` and you will see that the start of `mosquitto` fails
|
||||||
|
* Go into the container using `docker exec -it <containername> bash`
|
||||||
|
* Go into the directory `/opt/etc/mosquitto`, copy `mosquitto.conf-sample` into `mosquitto.conf` and edit it if required
|
||||||
|
|
||||||
|
If you want to register at Let's Encrypt and obtain a certificate follow the next steps:
|
||||||
|
|
||||||
|
* Generate Diffie-Hellman parameters in the broker's configuration directory using `openssl dhparam -out /opt/etc/mosquitto/dh.pem 2048`
|
||||||
|
* Register at Let's Encrypt using `certbot register`
|
||||||
|
* Obtain a certificate using `certbot certonly -d <domainname> --standalone`, make sure to add the domainname into DNS first
|
||||||
|
* Copy the deployment script into the deploy hooks directory of Let's Encrypt: `cp /opt/bin/cert-deploy.sh /etc/letsencrypt/renewal-hooks/deploy/`, edit it to fill in the right domainname
|
||||||
|
* Run the deployment script manually for the very first deployment of certificates: `env RENEWED_DOMAINS=<domainname> RENEWED_LINEAGE=/etc/letsencrypt/live/<domainname> ./cert-deploy.sh`
|
||||||
|
* The certificate and private key is now copied from the Let's Encrypt state directory into the configuration directory of `mosquitto` and the broker is restarted, you can observe that in the container logging output
|
||||||
|
* Finally, test the broker using something like `mosquitto_sub -h <domainname> -p 8883 --tls-version tlsv1.2 -v -t test` and `mosquitto_pub -h <domainname> -p 8883 --tls-version tlsv1.2 -t test -m test123`
|
||||||
|
* Renewal of the certificate will be triggered once a week
|
||||||
|
|
||||||
|
|
||||||
|
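Review bot: the deploy step copies the certificate and private key into `/opt/etc/mosquitto` and restarts the broker, but nothing here says what ownership and mode `server.key` ends up with; the Dockerfile creates a dedicated `$MOSQ_USER`, so the broker is presumably not running as root and the hook has to `chown` the key to that user and leave it `0600` or `0640`, since `/etc/letsencrypt/live` and `archive` themselves are root-only. The manual first run, `env RENEWED_DOMAINS=<domainname> RENEWED_LINEAGE=/etc/letsencrypt/live/<domainname> ./cert-deploy.sh`, assumes the current directory is `renewal-hooks/deploy/`; give the full path. The test commands `mosquitto_sub -h <domainname> -p 8883 --tls-version tlsv1.2 ...` will not speak TLS at all as written: the mosquitto clients only enable TLS when `--cafile` or `--capath` is given (or `--tls-use-os-certs` on 2.x), so add `--cafile /etc/ssl/certs/ca-certificates.crt` (Debian's bundle), which also verifies the Let's Encrypt chain instead of connecting blind. `certbot register` is interactive unless `--email` (or `--register-unsafely-without-email`) and `--agree-tos` are passed, which matters when the step is run inside `docker exec`.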