This repository has been archived by the owner on Jan 24, 2018. It is now read-only.

[ADD] clouder_template_red_october: File encryption/decryption #187

Open
wants to merge 9 commits into base: master
80 changes: 80 additions & 0 deletions clouder_template_red_october/README.rst
@@ -0,0 +1,80 @@
.. image:: https://img.shields.io/badge/licence-LGPL--3-blue.svg
:target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
:alt: License: LGPL-3

==============================
Clouder Template - Red October
==============================

This module provides a Clouder Template for Red October.

Red October is a cryptographically-secure implementation of the two-person rule
to protect sensitive data. From a technical perspective, Red October is a
software-based encryption and decryption server. The server can be used to
encrypt a payload in such a way that no one individual can decrypt it. The
encryption of the payload is cryptographically tied to the credentials of the
authorized users.

Authorized persons can delegate their credentials to the server for a period of
time. The server can decrypt any previously-encrypted payloads as long as the
appropriate number of people have delegated their credentials to the server.

This architecture allows Red October to act as a convenient decryption service.
Other systems, including CloudFlare’s build system, can use it for decryption
and users can delegate their credentials to the server via a simple web interface.
All communication with Red October is encrypted with TLS,
ensuring that passwords are not sent in the clear.

`Read More on CloudFlare's Blog
<https://blog.cloudflare.com/red-october-cloudflares-open-source-implementation-of-the-two-man-rule/>`_.

`Browse Red October on Github
<https://github.com/cloudflare/redoctober>`_.

Configuration
=============

Clouder configuration instructions are available at https://clouder.readthedocs.io/

Usage
=====

To use this module, you need to:

#. Create a new service in the Clouder Control Panel
#. Select ``Red October`` as the application & configure everything else to preference

Known issues / Roadmap
======================

* The service is currently using a self-signed certificate. This should be changed once a CA exists.
* Runit is being installed via community repos, which are HTTP only. This is insecure.
* Path isn't persisting so there is a symlink to redoctober being created. This should be fixed at some point,
likely in a base Go container instead of here.
* Image volume is being mounted as root, then chown is happening in the docker entrypoint. This sseems weird,
so should investigate further, but is how the CloudFlare people rigged it up so it's possible they're simply
smarter than me.
* Add dependency cleanup to Dockerfile.

Bug Tracker
===========

Bugs are tracked on `GitHub Issues
<https://github.com/clouder-community/clouder/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smashing it by providing a detailed and welcomed feedback.

Credits
=======

Contributors
------------

* Dave Lasley <[email protected]>

Maintainer
----------

This module is maintained by Clouder Community.

To contribute to this module, please visit https://github.com/clouder-community/clouder
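Review bot: the Known issues entry about runit being fetched from HTTP-only community repos should not ship as a roadmap item: an unauthenticated download into the image that runs the decryption server is a supply-chain problem, so before merge either verify the package signature or a pinned checksum, or state explicitly in that bullet that package signatures are still checked despite the plain-HTTP transport. The self-signed certificate bullet should also tell the operator where to drop a CA-issued pair; the data volume at /var/lib/redoctober/data (where the container log in this PR shows server.crt and server.pem being generated) is the place they would mount it. Minor: "sseems" in the fourth bullet.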
5 changes: 5 additions & 0 deletions clouder_template_red_october/__init__.py
@@ -0,0 +1,5 @@
# -*- coding: utf-8 -*-
# Copyright 2016 LasLabs Inc.
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

from . import models
27 changes: 27 additions & 0 deletions clouder_template_red_october/__manifest__.py
@@ -0,0 +1,27 @@
# -*- coding: utf-8 -*-
# Copyright 2016 LasLabs Inc.
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

{
'name': 'Clouder Template - Red October',
'version': '10.0.10.0.0',
'category': 'Clouder',
'depends': [
'clouder',
'clouder_template_proxy',
],
'author': 'LasLabs Inc.',
'license': 'LGPL-3',
'website': 'https://github.com/clouder-community/clouder',
'data': [
'data/image_template.xml',
'data/image.xml',
'data/image_port.xml',
'data/image_volume.xml',
'data/application_type.xml',
'data/application_template.xml',
'data/application.xml',
],
'installable': True,
'application': False,
}
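Review bot: 'version': '10.0.10.0.0' looks like a typo for 10.0.1.0.0, the usual first-release number for a new Odoo 10 module (major.minor.x.y.z); 10.0.10.0.0 implies nine prior releases of a module this PR introduces.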
45 changes: 45 additions & 0 deletions clouder_template_red_october/data/application.xml
@@ -0,0 +1,45 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="application_redoctober_data" model="clouder.application">
<field name="name">Red October Data</field>
<field name="code">data</field>
<field name="type_id" ref="application_type_redoctober" />
<field name="tag_ids" eval="[(4, ref('clouder.tag_data'))]" />
<field name="default_image_id" ref="image_redoctober_data" />
<field name="sequence">1</field>
<field name="required" eval="True"/>
</record>

<record id="application_redoctober_exec" model="clouder.application">
<field name="name">Red October Exec</field>
<field name="code">exec</field>
<field name="type_id" ref="application_type_redoctober" />
<field name="tag_ids" eval="[(4, ref('clouder.tag_exec'))]" />
<field name="default_image_id" ref="image_redoctober_exec" />
<field name="sequence">2</field>
<field name="required" eval="True"/>
<field name="update_strategy">auto</field>
</record>

<record id="application_redoctober" model="clouder.application">
<field name="name">Red October</field>
<field name="code">redoctober</field>
<field name="base" eval="True" />
<field name="type_id" ref="application_type_redoctober" />
<field name="template_ids"
eval="[(4, ref('clouder.application_template_base_www'))]"
/>
<field name="child_ids"
eval="[(4, ref('application_redoctober_data')),
(4, ref('application_redoctober_exec')),
]"
/>
<field name="sequence">1</field>
<field name="required" eval="True"/>
</record>

</odoo>
13 changes: 13 additions & 0 deletions clouder_template_red_october/data/application_template.xml
@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="application_template_redoctober"
model="clouder.application.template"
>
<field name="name">Red October</field>
</record>

</odoo>
14 changes: 14 additions & 0 deletions clouder_template_red_october/data/application_type.xml
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="application_type_redoctober"
model="clouder.application.type"
>
<field name="name">redoctober</field>
<field name="system_user">redoctober</field>
</record>

</odoo>
24 changes: 24 additions & 0 deletions clouder_template_red_october/data/image.xml
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="image_redoctober_data" model="clouder.image">
<field name="name">image_redoctober_data</field>
<field name="template_ids"
eval="[(4, [ref('image_template_redoctober_data')])]"
/>
<field name="parent_from">clouder/base:3.4</field>
Contributor Author
@lasley lasley Dec 29, 2016

After inheriting from base, I am getting a build failed due to no command. Looking at the base, this makes sense (because there isn't).

Do we have another Docker layer with just a cat or tail in it that we can use instead?

2016-12-29 23:22:31,950 9723 INFO clouder odoo.addons.clouder.models.model: command : docker build --pull -t dev-red_october-data-20161229.232231 /tmp/dev-red_october-data-20161229.232231
2016-12-29 23:22:32,002 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Sending build context to Docker daemon 2.048 kB
2016-12-29 23:22:32,106 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Step 1 : FROM clouder/base:3.4
2016-12-29 23:22:33,218 9723 INFO ? werkzeug: 10.0.2.2 - - [29/Dec/2016 23:22:33] "GET /web/static/src/img/spin.png HTTP/1.1" 200 -
2016-12-29 23:22:33,273 9723 INFO clouder odoo.addons.clouder.models.model: stdout : 3.4: Pulling from clouder/base
2016-12-29 23:22:33,282 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Digest: sha256:393853d46770a169871d54e6462d3cce1ad2d553ab1522939206b5b389be99e2
2016-12-29 23:22:33,286 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Status: Image is up to date for clouder/base:3.4
2016-12-29 23:22:33,290 9723 INFO clouder odoo.addons.clouder.models.model: stdout :  ---> 2921143ce024
2016-12-29 23:22:33,295 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Step 2 : MAINTAINER [email protected]
2016-12-29 23:22:33,298 9723 INFO clouder odoo.addons.clouder.models.model: stdout :  ---> Using cache
2016-12-29 23:22:33,303 9723 INFO clouder odoo.addons.clouder.models.model: stdout :  ---> 411c56dc580b
2016-12-29 23:22:33,307 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Step 3 : VOLUME data
2016-12-29 23:22:33,736 9723 INFO clouder odoo.addons.clouder.models.model: stdout :  ---> Running in 14a3ba11c900
2016-12-29 23:22:33,997 9723 INFO clouder odoo.addons.clouder.models.model: stdout :  ---> 12fcb9fb3e12
2016-12-29 23:22:34,066 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Removing intermediate container 14a3ba11c900
2016-12-29 23:22:34,091 9723 INFO clouder odoo.addons.clouder.models.model: stdout : Successfully built 12fcb9fb3e12
2016-12-29 23:22:34,096 9723 INFO clouder odoo.addons.clouder.models.model: connect: ssh dev.localhost
2016-12-29 23:22:34,100 9723 INFO clouder odoo.addons.clouder.models.model: 
2016-12-29 23:22:34,104 9723 INFO clouder odoo.addons.clouder.models.model: host : 192.168.69.108
2016-12-29 23:22:34,109 9723 INFO clouder odoo.addons.clouder.models.model: command : rm -rf /tmp/dev-red_october-data-20161229.232231
2016-12-29 23:22:34,150 9723 INFO clouder odoo.addons.clouder.models.model: connect: ssh dev.localhost
2016-12-29 23:22:34,155 9723 INFO clouder odoo.addons.clouder.models.model: 
2016-12-29 23:22:34,159 9723 INFO clouder odoo.addons.clouder.models.model: host : 192.168.69.108
2016-12-29 23:22:34,163 9723 INFO clouder odoo.addons.clouder.models.model: command : docker run -d -t --restart=always --name dev-red_october-data dev-red_october-data-20161229.232231 
2016-12-29 23:22:34,215 9723 INFO clouder odoo.addons.clouder.models.model: stderr : docker: Error response from daemon: No command specified.
2016-12-29 23:22:34,221 9723 INFO clouder odoo.addons.clouder.models.model: stderr : See 'docker run --help'.

Owner

Ouch, ok I was sure we had a CMD in the inherited base image.

I made a direct commit to resolve it, can you try again with the latest image from Docker hub ? clouder-community/clouder@8695902 https://hub.docker.com/r/clouder/base/builds/bzb6vgezh9o8qk55ycqhedc/

Contributor Author

Woot looks like we're in business thanks! Few more tweaks here and we should be good, I'll let you know

Owner

As a sidenote, I shall remove all tail -f I made in the data images, they are all replaced by the CMD cat I added in the base image

</record>

<record id="image_redoctober_exec" model="clouder.image">
<field name="name">image_redoctober_exec</field>
<field name="template_ids"
eval="[(4, [ref('image_template_redoctober_exec')])]"
/>
<field name="parent_from">laslabs/clouder-red-october-exec</field>
<field name="volumes_from">data</field>
</record>

</odoo>
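Review bot: `eval="[(4, [ref('image_template_redoctober_data')])]"` (and the same form on image_redoctober_exec) passes a list where the Odoo (4, id) link command takes a single id; application.xml in this same PR uses the correct form `(4, ref('clouder.tag_data'))`, so use `[(4, ref('image_template_redoctober_data'))]` here as well. Separately, `parent_from` for the exec image is `laslabs/clouder-red-october-exec` with no tag, while the data image pins `clouder/base:3.4`; an untagged parent resolves to whatever Docker Hub currently serves as latest, so pin a tag (the build log in the thread above shows Docker reporting the pulled digest, which is what a `@sha256:` pin would lock for a server that holds the vault).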
25 changes: 25 additions & 0 deletions clouder_template_red_october/data/image_port.xml
@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="image_port_redoctober_http"
model="clouder.image.port"
>
<field name="template_id" ref="image_template_redoctober_exec" />
<field name="name">https</field>
<field name="local_port">8080</field>
<field name="expose">internet</field>
</record>

<record id="image_port_redoctober_metrics"
Contributor Author
@lasley lasley Jan 2, 2017

When deploying this from clouder, I'm getting an error when binding to 8081. This isn't happening when I build and run the image on its own, so it has to be something I'm doing wrong in the config here or there's something I don't know about on that port. Any clues where to start?

Relevant Docker logs:

2017/01/02 19:52:25 core.init success: path=/var/lib/redoctober/data/diskrecord.json
2017/01/02 19:52:25 metrics.init start: addr=localhost:8081
2017/01/02 19:52:25 http.serve start: addr=:8080
2017/01/02 19:52:25 listen tcp 198.23.230.10:8081: bind: cannot assign requested address

Without Clouder:

root@odoo-dev-10:/media/sf_Repos/clouder/clouder_template_red_october/images/exec# docker run -t lasley/redoctober-exec
Generating RSA private key, 2048 bit long modulus
....+++
....................................................................................................................+++
e is 65537 (0x10001)
writing RSA key
Signature ok
subject=/C=US/ST=California/L=Everywhere/CN=localhost
Getting Private key

Generated default certificates for RedOctobeer at /var/lib/redoctober/data/server.crt and /var/lib/redoctober/data/server.pem

2017/01/02 19:56:24 core.init success: path=/var/lib/redoctober/data/diskrecord.json
2017/01/02 19:56:24 metrics.init start: addr=localhost:8081
2017/01/02 19:56:24 http.serve start: addr=:8080

I tried removing this port definition just for the hell of it, but that had no effect.

Owner

It seems the problem is located inside your container.

listen tcp 198.23.230.10:8081 I suspect this is not the port which can't be allocated, it's the IP address. Probably 198.23.230.10 can be used by the node but not by the container, which has probably another IP like 172.17.. more often used by Docker. You probably have a setting somewhere which should be set to 0.0.0.0.

Contributor Author

Woot good call! No idea what that IP is either, it doesn't match with any of my infrastructure (both internal and external facing).

2d241b1a6c52        dev-red_october-exec-20170102.203532              "/usr/lib/go/src/gith"   24 seconds ago      Up 18 seconds                   0.0.0.0:30012->8080/tcp, 0.0.0.0:30011->8081/tcp                                         dev-red_october-exec

model="clouder.image.port"
>
<field name="template_id" ref="image_template_redoctober_exec" />
<field name="name">metrics</field>
<field name="local_port">8081</field>
<field name="expose">internet</field>
</record>

</odoo>
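Review bot: image_port_redoctober_metrics publishes 8081 with expose internet, but the container log in the thread above shows Red October binding its metrics listener to localhost:8081, so as built this port is unreachable from outside the container; if the bind address is later switched to 0.0.0.0 as suggested in the thread, the metrics endpoint becomes publicly reachable alongside the API. Keep 8081 off the internet expose (or drop the record) and publish only 8080. Also, the first record's id is image_port_redoctober_http while its name is https; pick one.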
19 changes: 19 additions & 0 deletions clouder_template_red_october/data/image_template.xml
@@ -0,0 +1,19 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="image_template_redoctober_data"
model="clouder.image.template"
>
<field name="name">image_template_redoctober_data</field>
</record>

<record id="image_template_redoctober_exec"
model="clouder.image.template"
>
<field name="name">image_template_redoctober_exec</field>
</record>

</odoo>
16 changes: 16 additions & 0 deletions clouder_template_red_october/data/image_volume.xml
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2016 LasLabs Inc.
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->

<odoo>

<record id="image_volume_redoctober_cert_store"
model="clouder.image.volume"
>
<field name="template_id" ref="image_template_redoctober_data" />
<field name="name">data</field>
<field name="localpath">/var/lib/redoctober/data</field>
<field name="user">root</field>
</record>

</odoo>
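Review bot: the volume at /var/lib/redoctober/data is mounted with `user` root while application_type.xml sets system_user to redoctober, which is why the entrypoint has to chown it at startup (the README's fourth Known issue). The container log in this PR shows this directory holding the TLS private key (server.pem) and the diskrecord.json vault, so set `user` to `redoctober` here to match the system user and drop the chown; the record id image_volume_redoctober_cert_store is also misleading given the volume name is data and it holds the vault as well as the certificate.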
5 changes: 5 additions & 0 deletions clouder_template_red_october/models/__init__.py
@@ -0,0 +1,5 @@
# -*- coding: utf-8 -*-
# Copyright 2016 LasLabs Inc.
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

from . import service
18 changes: 18 additions & 0 deletions clouder_template_red_october/models/service.py
@@ -0,0 +1,18 @@
# -*- coding: utf-8 -*-
# Copyright 2016 LasLabs Inc.
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).

from odoo import api, models


class ClouderService(models.Model):
_inherit = 'clouder.service'

@api.multi
def deploy_post(self):
super(ClouderService, self).deploy_post()
for record in self:
if record.application_id.type_id.name == 'redoctober':
if record.application_id.code == 'data':
# @TODO: Create a CSR, sign it with the CA, execute echo
pass
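Review bot: deploy_post is a no-op: the nested `if` ends in `pass` under a TODO, so the module registers an override of clouder.service that does nothing. Either implement the CSR/CA step the comment describes (which is also what would close the self-signed certificate item in the README) or leave the override out of this PR and keep the item in the roadmap; if it stays, collapse the two `if`s into one condition.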