From 9ff0efeb519696d8fa1f317a41fed502905fca24 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Tue, 8 Sep 2015 13:47:22 +0100
Subject: [PATCH] Created a dockerfile that runs Anchor
It works but probably doesn't run Anchor in the best way. Once this is in the repo I can create a docker build job that will auto generate a new upstream anchor image each time a new merge occurs. When that is established, the process for running the container can be simplified.
Change-Id: Ida199d4286a4b476e52d69864c97ff24633ca073
---
Dockerfile.anchorbase | 33 ++++++++++++++++++++++++++++
Dockerfile.ubuntu | 37 ++++++++++++++++++++++++++++++++
README.md | 50 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 120 insertions(+)
create mode 100644 Dockerfile.anchorbase
create mode 100644 Dockerfile.ubuntu
diff --git a/Dockerfile.anchorbase b/Dockerfile.anchorbase
new file mode 100644
index 0000000..c18071c
--- /dev/null
+++ b/Dockerfile.anchorbase
@@ -0,0 +1,33 @@
+FROM openstacksecurity/anchor:base
+# According to http://crosbymichael.com/dockerfile-best-practices-take-2.html
+# Rolling your own python base is in line with probably best practice
+MAINTAINER Robert Clark
+
+# Clone our repo
+# Users may want to use --no-cache to ensure that when building the container
+# an up to date version of Anchor is cloned.
+WORKDIR /root
+RUN git clone git://git.openstack.org/openstack/anchor
+WORKDIR /root/anchor
+
+RUN pip install -e .
+
+RUN cp config.py /home/anchor/ ;\
+ cp config.json /home/anchor/ ;\
+ chown anchor:anchor /home/anchor/config.py ;\
+ chown anchor:anchor /home/anchor/config.json
+
+RUN su - anchor
+
+WORKDIR /home/anchor
+RUN mkdir CA
+RUN openssl req -out CA/root-ca.crt \
+ -keyout CA/root-ca-unwrapped.key \
+ -newkey rsa:4096 \
+ -subj "/CN=Anchor Test CA" \
+ -nodes \
+ -x509 \
+ -days 365 ;\
+ chmod 0400 CA/root-ca-unwrapped.key
+
+ENTRYPOINT ["/usr/local/bin/pecan", "serve", "/home/anchor/config.py"]
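Review bot: `RUN su - anchor` in Dockerfile.anchorbase does not change the user for anything that follows, because each `RUN` starts a fresh shell; the `mkdir CA`, the `openssl req` key generation and the `ENTRYPOINT` all still run as root. The same line appears in Dockerfile.ubuntu. Replace it with `USER anchor` placed before `WORKDIR /home/anchor`, so the CA key is owned by the unprivileged account and pecan runs as that account. Because `pip install -e .` leaves the package under `/root/anchor`, the checkout would probably also need to move to a path the anchor user can read before the service will start.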
diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu
new file mode 100644
index 0000000..4a099f0
--- /dev/null
+++ b/Dockerfile.ubuntu
@@ -0,0 +1,37 @@
+FROM ubuntu:latest
+MAINTAINER Robert Clark
+
+# root user operations
+# Upgrade the base and install required packages
+RUN apt-get update && apt-get install -y \
+ python-dev \
+ libssl-dev \
+ libffi-dev \
+ python-pip \
+ git
+
+# Clone Anchor, install required python packages
+# Setup a user to run anchor
+WORKDIR /root
+RUN git clone git://git.openstack.org/openstack/anchor
+WORKDIR /root/anchor
+RUN pip install -e .
+RUN adduser --disabled-password --gecos '' anchor
+
+# anchor user operations
+RUN cp config.py /home/anchor/
+RUN cp config.json /home/anchor/
+RUN chown anchor:anchor /home/anchor/config.py
+RUN chown anchor:anchor /home/anchor/config.json
+RUN su - anchor
+WORKDIR /home/anchor
+RUN mkdir CA
+RUN openssl req -out CA/root-ca.crt \
+ -keyout CA/root-ca-unwrapped.key \
+ -newkey rsa:4096 \
+ -subj "/CN=Anchor Test CA" \
+ -nodes \
+ -x509 \
+ -days 365
+RUN chmod 0400 CA/root-ca-unwrapped.key
+ENTRYPOINT ["/usr/local/bin/pecan", "serve", "/home/anchor/config.py"]
diff --git a/README.md b/README.md
index 74c4fb9..b394b34 100644
--- a/README.md
+++ b/README.md
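Review bot: In Dockerfile.ubuntu the `openssl req ... -nodes` step runs at build time, so the unencrypted root CA private key `CA/root-ca-unwrapped.key` is stored in an image layer and is identical in every container started from that image; Dockerfile.anchorbase has the same step. The commit message plans an automatically built upstream image, which would hand that key to anyone who can pull it. Generating the CA from a small entrypoint script at container start would give each container its own key. At minimum, add a comment above the step such as `# Test-only CA: this key is baked into the image and shared by every container built from it`. The later `chmod 0400` does not help, since file mode does not restrict reading the layer contents from the image.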
@@ -90,6 +90,56 @@ running): This will result in the signed request being created in the `certs` directory. +Docker test environment +======================= +We have prepared a base docker container for Anchor and a Dockerfile that will +install the latest upstream version of Anchor and start the service. These +instructions expect the reader to have a working Docker install already. + +Docker should *not* be used to serve Anchor in any production environments. + +We use two Dockerfiles for Anchor. "Dockerfile.anchorbase" is a custom image, +built on ubuntu that has lots of libraries and requirements installed in order +to quickly test anchor changes and build into CI processes. "Dockerfile.ubuntu" +is used to build a complete Anchor stack, based on the latest available ubuntu +docker image. + +Fetch the most recent version of the Dockerfile.ubuntu: + + git clone -n git://git.openstack.org/openstack/anchor --depth 1 + cd anchor + git checkout HEAD Dockerfile.ubuntu + +Build a new Anchor container image using the Dockerfile: + + docker build -t anchor-dev -f Dockerfile.ubuntu . + +[Optional] If you have previously built a container using the Dockerfile it will contain +a cached version of the Anchor source code. If you require the latest version +of anchor, build using the --no-cache option: + + docker build --no-cache -t anchor-dev -f Dockerfile.ubuntu . + +Start the service in the container and serve Anchor on port 8080: + + docker run -p 8080:5000 anchor-dev + +The anchor application should be accessible on port 8080. If you are running +docker natively on Linux, that will be 8080 on localhost (127.0.0.1). If you +are running docker under Microsoft Windows or Apple OSX it will be running in +a docker machine. 
To find the docker machine IP address run: + + docker-machine ip default + +Docker development environment +============================== +Users who want to quickly test out changes to Anchor or who want to experiment +in other ways may find it more convenient to use Dockerfile.anchorbase file. +The instructions are very similar to using the ubuntu base as described above. + +Simply replace "Dockerfile.ubuntu" with "Dockerfile.anchorbase" in the above +instructions. + Running Anchor in production ============================