Add upgrade documentation

Quentin 2020-06-02 12:26:41 +02:00
parent a2e1f61cf8
commit d13352910d
9 changed files with 28 additions and 159 deletions

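--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,8 @@
+## How to upgrade our packaged apps to a new version?
+1. Edit `docker-compose.yml`
+2. Change the `VERSION` variable to the desired version
+3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
+4. Run `docker-compose build`
+5. Run `docker-compose push`
+6. Done
+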

@ -1,27 +0,0 @@
Install dependencies:
```
GOBIN=$GOPATH/bin go get .
```
Run:
```
go run ./kv_to_s3.go
```
## Scratchpad
- https://golang.org/pkg/crypto/cipher/ --> c'est pas clé en main, c'est soit streaming soit authentication
- https://www.imperialviolet.org/2014/06/27/streamingencryption.html --> gpg ne fait pas l'authentication correctement
- https://github.com/FiloSottile/age --> age fait de l'authentication et du streaming
- https://rclone.org/crypt/ --> rclone fait de l'auth+streaming de la même manière que age mais avec un format de fichier différent (stockage du nonce, infos sur les algos utilisés)
- https://neilmadden.blog/2019/12/30/a-few-comments-on-age/ --> une critique plutôt négative de age qui ne me donne pas envie de l'utiliser, pas plus que rclone du coup
- https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
--> cité par l'article précédent, je ne comprends pas trop mais je crois que pas simple
- https://godoc.org/golang.org/x/crypto/nacl/box --> du coup je pense me limiter à un lib très reconnue comme nacl/sodium, si possible une implem officielle. Mais là pas de streaming, à nous de chunker et de gérer la rotation des nonces
- Est ce qu'on a besoin d'authentication ?
- Oui en fait il y a plein d'attaques apparemment
- https://blog.minio.io/data-at-rest-encryption-done-right-7446c644ddb6 --> Minio a sa solution mais elle a des requirements bizarres (une clé par fichier, il faut donc un HKDF)
- https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html --> AES GCM SIV does not break crypto if you reuse nonces (but you should still try to supply unique ones to have different cipher if you encode the same plaintext twice)


@ -1,83 +0,0 @@
package main
import (
"github.com/hashicorp/consul/api"
"errors"
"log"
"fmt"
"os"
"encoding/base64"
/*"github.com/aws/aws-sdk-go/service/s3"*/
)
const consul_addr string = "KV2S3_CONSUL_ADDR"
const enc_key string = "KV2S3_ENC_KEY"
const key_exp_bits int = 256
const key_exp_bytes int = key_exp_bits / 8
func errIsPanic(err error, format string, a ...interface{}) {
if err != nil {
log.Panicf(format, a...)
}
}
func absentIsErr(present bool) error {
if !present {
return errors.New("Environement variable is not set.")
}
return nil
}
func main() {
log.Println("starting consul kv backup...")
//--- Ask Consul to Snapshot our KV
var present bool
conf := api.DefaultConfig()
conf.Address, present = os.LookupEnv(consul_addr)
err := absentIsErr(present)
errIsPanic(err, "%v env required. %v", consul_addr, err)
//@FIXME add later support for HTTPS
options := api.QueryOptions {
// Prevent from backuping forever silently a desynchronized node
AllowStale: false,
}
consul, err := api.NewClient(conf)
errIsPanic(err, "Unable to build a new client. %v", err)
reader, _, err := consul.Snapshot().Save(&options)
defer reader.Close()
errIsPanic(err, "Snapshot failed. %v", err)
//--- Get encryption key and check it
b64_key, present := os.LookupEnv(enc_key)
err = absentIsErr(present)
errIsPanic(err, "%v env required. %v", enc_key, err)
raw_key, err := base64.StdEncoding.DecodeString(b64_key)
errIsPanic(err, "Unable to decode base64 key. %v", err)
err = nil
key_size_bytes := len(raw_key)
key_size_bits := key_size_bytes
if key_size_bytes != key_exp_bytes {
msg := fmt.Sprintf(
"Key size is %d bits (%d bytes) instead of %d bits (%d bytes).",
key_size_bits,
key_size_bytes,
key_exp_bits,
key_exp_bytes)
err = errors.New(msg)
}
errIsPanic(err, "We deliberately support only 256 bits (32 bytes) keys. %v", err)
//--- Encryption
// Not a simple thing to do it in a streaming manner - is it only a good idea?
// https://neilmadden.blog/2019/12/30/a-few-comments-on-age/
// https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
}


@ -1,35 +0,0 @@
package main
/*
#cgo CFLAGS: -g -Wall
#cgo LDFLAGS: -lsodium
#include <sodium.h>
*/
import "C"
import "log"
const block_size int = 16 * 1024 // 16 KiB
func main() {
log.Println("Test cgo")
ret := C.sodium_init()
if ret < 0 {
log.Panic("Failed to init sodium.")
}
//unsigned char array as requested
var key [C.crypto_secretstream_xchacha20poly1305_KEYBYTES]C.uchar
C.crypto_secretstream_xchacha20poly1305_keygen(&key[0])
var state C.crypto_secretstream_xchacha20poly1305_state
var header [C.crypto_secretstream_xchacha20poly1305_HEADERBYTES]C.uchar
C.crypto_secretstream_xchacha20poly1305_init_push(&state, &header[0], &key[0])
log.Print("key", key)
log.Print("header", header)
var plain [block_size]C.uchar
var c1 [block_size + C.crypto_secretstream_xchacha20poly1305_ABYTES]C.uchar
C.crypto_secretstream_xchacha20poly1305_push(&state, &c1[0], nil, &plain[0], C.ulonglong(len(plain)), nil, 0, 0)
log.Print("c1", c1)
}

14
docker/docker-compose.yml Normal file

@ -0,0 +1,14 @@
version: '3.4'
services:
riot:
build:
context: ./riotweb
args:
VERSION: 1.6.2
image: superboum/amd64_riotweb:v11
synapse:
build:
context: ./matrix-synapse
args:
VERSION: 1.14.0
image: superboum/amd64_synapse:v29
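Review bot: The two `VERSION` build args carry no hint of the expected format, and the riotweb Dockerfile in this same commit prepends `v` when it builds the download URL, so `1.6.2` has to be given bare here while nothing on this page says so. A one-line comment above each `VERSION:` entry would save the next upgrader a failed or wrong build, e.g. `# upstream release number without the leading v; the Dockerfile adds it where needed`. Since the new README requires the image tag to be bumped on every `VERSION` change and nothing in this file enforces it, a comment next to each `image:` line saying `# bump the tag whenever VERSION changes (see README.md)` would keep the two in step. The indentation of this section is lost on the rendered page, so the nesting above is inferred from the key order.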


@ -1,7 +1,6 @@
FROM amd64/debian:buster as builder FROM amd64/debian:buster as builder
ENV VERSION 1.12.4 ARG VERSION
RUN apt-get update && \ RUN apt-get update && \
apt-get -qq -y full-upgrade && \ apt-get -qq -y full-upgrade && \
apt-get install -y \ apt-get install -y \
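Review bot: `ARG VERSION` replaces the pinned `ENV VERSION 1.12.4` with no default, so a plain `docker build` outside docker-compose gets an empty `VERSION`, and whatever the rest of this Dockerfile does with it (outside the hunk) runs against an empty string instead of failing at the declaration. Either give it a default matching docker-compose.yml, `ARG VERSION=1.14.0`, or fail fast right after it with `RUN test -n "${VERSION}"`. The same missing default applies to the `ARG VERSION` added in the riotweb Dockerfile hunk further down. This section's path is not shown on the page; from the old value 1.12.4 and the compose file it is presumably the matrix-synapse Dockerfile, and the RUN chain continues past the end of the hunk.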


@ -1,3 +0,0 @@
```
docker build -t superboum/amd64_synapse:v28 .
```


@ -1,13 +1,13 @@
FROM amd64/debian:stretch as builder FROM amd64/debian:buster as builder
ARG VERSION
WORKDIR /root WORKDIR /root
ENV VERSION v1.6.0
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y wget && \ apt-get install -y wget && \
wget https://github.com/vector-im/riot-web/releases/download/${VERSION}/riot-${VERSION}.tar.gz && \ wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \
tar xf riot-${VERSION}.tar.gz && \ tar xf riot-v${VERSION}.tar.gz && \
mv riot-${VERSION}/ riot/ mv riot-v${VERSION}/ riot/
FROM superboum/amd64_webserver:v3 FROM superboum/amd64_webserver:v3
COPY --from=builder /root/riot /srv/http COPY --from=builder /root/riot /srv/http
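Review bot: The `wget` line now fetches `riot-v${VERSION}.tar.gz` from GitHub releases and unpacks it straight into the image with no integrity check, so what ends up served from `/srv/http` depends entirely on TLS and on the release asset never having been swapped. Now that the version is an explicit build input, pin the digest alongside it: add `ARG RIOT_SHA256` after `ARG VERSION` and insert `echo "${RIOT_SHA256}  riot-v${VERSION}.tar.gz" | sha256sum -c - && \` before the `tar xf` step, supplying the digest from the `args:` block in docker-compose.yml. With an empty `VERSION` the URL degenerates to `.../download/v/riot-v.tar.gz`, so at least the download fails rather than installing something unintended, but a default or a `test -n "${VERSION}"` guard would make the failure explicit.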


@ -1,4 +0,0 @@
```
sudo docker build -t superboum/amd64_riotweb:v10 .
sudo docker push superboum/amd64_riotweb:v10
```