HUB management
If you need to set up a shrine hub, the corresponding container must be added to the stack. The compose file that adds it is called docker-compose-hub.yml.
For this reason you must pass the -f option to docker-compose for every interaction with the stack:
```
# examples of docker-compose commands for a hub deployment
sudo docker-compose -f docker-compose-hub.yml up
sudo docker-compose -f docker-compose-hub.yml exec shrine /bin/bash
```
Secondly, update secrets.txt and set IS_HUB=true.
Then follow the README installation instructions, except that you must add the -f option to every docker-compose command (up to the point where the Manage certificates section starts).
At the end you will have a shrine node and a hub (a shrine container and a hub container). To connect them you need to initialize the hub certificate authority and perform the certificate exchange locally for your own shrine node:
```
# copy the local node's CSR and HTTPS certificate into the hub's cert directory
sudo cp shrine/cert/shrine/shrinelocal.csr shrine/cert/hub/
sudo cp shrine/cert/shrine/shrinelocal_HTTPS.cer shrine/cert/hub/
sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash
# execute from /opt/shrine inside the hub container
./initHubCa.sh      # answer all the questions asked
./sign-cert.sh
exit                # leave the hub container
# copy the signed certificate and the two hub CA certificates back to the node
sudo cp shrine/cert/hub/shrinelocal-signed.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-ca.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-https-ca.crt shrine/cert/shrine/
sudo docker-compose -f docker-compose-hub.yml exec shrine /bin/bash
./import-cert.sh    # inside the shrine container; leave it before restarting
sudo docker-compose -f docker-compose-hub.yml restart shrine hub
```
You should now be able to query your own shrine instance.
To sign the certificate request of another node, place its CSR in the hub's cert directory and run sign-cert.sh from the hub container:
```
sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash
# execute from /opt/shrine inside the hub container
./sign-cert.sh <host-name-to-sign> <node-name>
# <host-name-to-sign> corresponds to the file /opt/cert/<host-to-sign>.csr
# <node-name> must be a simple name made of characters [A-Z] only, without spaces
#   (it identifies the node in the result output if a query fails)
```
The resulting signed certificate is available at /opt/cert/<host-to-sign>-signed.crt, together with shrine-hub-ca.crt and shrine-hub-https-ca.crt; outside the container these files are found in SHRINEDocker/shrine/cert/hub/.
Send these three crt files back to the node administrator.
The node has been added as a downstream node in the /opt/shrine/tomcat/lib/shrine.conf file, where you can change its human-readable name.
If you need to re-sign a known host (e.g. after certificate expiration), you must first delete the corresponding keytool aliases before signing the certificate again.
- Enter the hub container:
```
sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash
```
- Execute from /opt/shrine:
```
keytool -delete -v -alias <hostname> -keystore shrine.keystore
keytool -delete -v -alias <hostname>_HTTPS -keystore shrine.keystore
```