documentation

This commit is contained in:
Wolfgang Hottgenroth 2022-09-14 14:19:01 +02:00
parent 3bf3b037f2
commit 35541e6fdc
4 changed files with 60 additions and 21 deletions

View File

@ -10,7 +10,7 @@ ARG MOSQ_GID="1883"
RUN \
apt update && \
apt install -y mariadb-client openssl libwebsockets-dev certbot bash cron supervisor vim-tiny && \
apt install -y mariadb-client openssl libwebsockets-dev certbot bash cron supervisor vim-tiny procps net-tools && \
update-alternatives --set editor /usr/bin/vim.tiny && \
update-alternatives --set vi /usr/bin/vim.tiny && \
groupadd -r -g $MOSQ_GID $MOSQ_USER && \
@ -23,7 +23,7 @@ COPY etc/ /opt/etc
COPY supervisor-mosquitto.conf /etc/supervisor/conf.d/
COPY crontab /etc/
COPY mosquitto.conf-sample /opt/etc/mosquitto/
COPY cert-deploy.sh /opt/sbin/
COPY cert-deploy.sh /opt/bin/
VOLUME /opt/etc
VOLUME /opt/data
@ -38,5 +38,6 @@ EXPOSE 9001/tcp
WORKDIR /opt
CMD /usr/bin/openssl dhparam -out /opt/etc/mosquitto/dh.pem 2048 && /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
CMD [ "/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf" ]

View File

@ -1,3 +1,3 @@
SHELL=/bin/sh
PATH=/usr/bin
*/2 * * * * root supervisorctl start certbot
1 1 * * 1 root supervisorctl start certbot

View File

@ -1,6 +1,6 @@
#!/bin/bash
IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
IMAGE=wollud1969/mosquitto-with-auth:latest
VOLUME_CONFIG=mosquitto-config
VOLUME_DATA=mosquitto-data
VOLUME_LOG=mosquitto-log
@ -25,7 +25,6 @@ docker run \
-v $VOLUME_DATA:/opt/data \
-v $VOLUME_LOG:/var/log/supervisor \
-v $VOLUME_LETSENCRYPT:/etc/letsencrypt \
--link mariadb \
--name mosquitto \
$IMAGE

View File

@ -2,6 +2,8 @@
This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.
It additionally includes the Let's Encrypt `certbot` and some mimic for automatic renewal of certificates using `supervisord` and `cron`.
Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.
@ -17,41 +19,53 @@ The mosquitto-go-auth supports a couple of backends and it seems that all backen
## Running the container
You can not run a container based on this image "out-of-the-box". You need to edit the configuration, and if desired, run all the Let's Encrypt stuff. For details see below.
The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume.
All logging is send to `stdout`, so it can be inspected using `docker logs -f <mosquitto-container>`
Besides the mosquitto configuration volume, there are volume required for the Let's Encrypt configuration and state, the data directory of the broker and for the logfiles for `supervisord`.
Due to the requirements of `certbot` it also exposed the port 80 and 443. So, be careful when trying to start this image as a container on the same host as a webserver.
All logging is send into a dedicated logfile under control of `supervisord`.
To start the container a script is provided, which might need to adjusted to the actual environment:
#!/bin/bash
IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
IMAGE=wollud1969/mosquitto-with-auth:latest
VOLUME_CONFIG=mosquitto-config
VOLUME_DATA=mosquitto-data
VOLUME_LOG=mosquitto-log
VOLUME_LETSENCRYPT=mosquitto-letsencrypt
docker volume inspect $VOLUME_CONFIG > /dev/null || docker volume create $VOLUME_CONFIG
docker volume inspect $VOLUME_DATA > /dev/null || docker volume create $VOLUME_DATA
docker volume inspect $VOLUME_LOG > /dev/null || docker volume create $VOLUME_LOG
docker volume inspect $VOLUME_LETSENCRYPT > /dev/null || docker volume create $VOLUME_LETSENCRYPT
docker pull $IMAGE
docker run \
-d \
--rm \
-p80:80 \
-p443:443 \
-p1883:1883 \
-p8883:8883 \
-p9001:9001 \
-v $VOLUME_CONFIG:/opt/etc/mosquitto \
-v $VOLUME_DATA:/opt/data \
--link mariadb \
-v $VOLUME_LOG:/var/log/supervisor \
-v $VOLUME_LETSENCRYPT:/etc/letsencrypt \
--name mosquitto \
$IMAGE
The container expects the main configuration file in the root of the configuration volume named `mosquitto.conf`.
The container expects the main configuration file in the root of the volume named `mosquitto.conf`.
A very simple configuration, only supporting MQTT on port 1883 is:
A very simple configuration, supporting MQTT on port 1883 and over TLS on port 8883 is:
log_dest stdout
@ -64,6 +78,15 @@ A very simple configuration, only supporting MQTT on port 1883 is:
#allow_anonymous true
allow_anonymous false
listener 8883
protocol mqtt
#allow_anonymous true
allow_anonymous false
certfile /opt/etc/mosquitto/server.crt
keyfile /opt/etc/mosquitto/server.key
dhparamfile /opt/etc/mosquitto/dh.pem
tls_version tlsv1.2
auth_plugin /opt/lib/go-auth.so
auth_opt_log_dest stdout
auth_opt_log_level debug
@ -123,5 +146,21 @@ The password is generated using the `pw` tool provided by mosquitto-go-auth, whi
For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).
## Preparing configuration and certificates
* Start the container using the provided start script, follow the container log using `docker logs -f <containername>`, you will see that `supervisord` start `cron` and `mosquitto` and you will see that the start of `mosquitto` fails
* Go into the container using `docker exec -it <containername> bash`
* Go into the directory `/opt/etc/mosquitto`, copy `mosquitto.conf-sample` into `mosquitto.conf` and edit it if required
If you want to register at Let's Encrypt and obtain a certificate follow the next steps:
* Generate Diffie-Hellman parameters in the broker's configuration directory using `openssl dhparam -out /opt/etc/mosquitto/dh.pem 2048`
* Register at Let's Encrypt using `certbot register`
* Obtain a certificate using `certbot certonly -d <domainname> --standalone`, make sure to add the domainname into DNS first
* Copy the deployment script into the deploy hooks directory of Let's Encrypt: `cp /opt/bin/cert-deploy.sh /etc/letsencrypt/renewal-hooks/deploy/`, edit it to fill in the right domainname
* Run the deployment script manually for the very first deployment of certificates: `env RENEWED_DOMAINS=<domainname> RENEWED_LINEAGE=/etc/letsencrypt/live/<domainname> ./cert-deploy.sh`
* The certificate and private key is now copied from the Let's Encrypt state directory into the configuration directory of `mosquitto` and the broker is restarted, you can observe that in the container logging output
* Finally, test the broker using something like `mosquitto_sub -h <domainname> -p 8883 --tls-version tlsv1.2 -v -t test` and `mosquitto_pub -h <domainname> -p 8883 --tls-version tlsv1.2 -t test -m test123`
* Renewal of the certificate will be triggered once a week