Add KRA and OCSP containers #4750
Conversation
| RUN chgrp -Rf root /var/lib/pki/pki-tomcat | ||
| RUN chmod -Rf g+rw /var/lib/pki/pki-tomcat | ||
|
|
||
| CMD [ "/usr/share/pki/kra/bin/pki-kra-run" ] |
There was a problem hiding this comment.
This CMD is executed when the container is executed with run command but it is also executed when the container is started with start command after it has been stopped.
Looking at the executable, if the container is restarted for some reason, it will deploy again the KRA subsystem with potential problems/errors.
| RUN chgrp -Rf root /var/lib/pki/pki-tomcat | ||
| RUN chmod -Rf g+rw /var/lib/pki/pki-tomcat | ||
|
|
||
| CMD [ "/usr/share/pki/ocsp/bin/pki-ocsp-run" ] |
There was a problem hiding this comment.
Same as above and I think also the already provided container have the same problem.
| echo "################################################################################" | ||
| echo "INFO: Starting PKI KRA" | ||
|
|
||
| if [ "$UID" = "0" ]; then |
There was a problem hiding this comment.
To avoid restart problems, all the above configuration could be optional so the subsystem will be configured only if it has not been done before.
| echo "################################################################################" | ||
| echo "INFO: Starting OCSP Responder" | ||
|
|
||
| if [ "$UID" = "0" ]; then |
There was a problem hiding this comment.
Same as above and the same should apply to other pki_<subsystem>_run command.
|
@fmarco76 Thanks for the feedback! I have updated the tests to confirm that the containers can be restarted properly (except for |
The PKI Server container has been updated to keep the certs and CSRs created during startup.
The CA container test has been updated to verify that the container can be restarted successfully.
The ACME container test has been updated to verify that the container can be restarted successfully.
The Dockerfile has been updated to define a new KRA container. A new test has been added to create CA and KRA containers, then verify key archival and recovery.
The Dockerfile has been updated to define a new OCSP container. A new test has been added to create CA and OCSP containers, then verify CRL publishing and revocation checking.
|
|
@fmarco76 Thanks! |
The
Dockerfilehas been updated to define new KRA and OCSP containers.A new test has been added to create CA and KRA containers, then verify key archival and recovery. A new test has also been added to create CA and OCSP containers, then verify CRL publishing and revocation checking.
https://github.com/dogtagpki/pki/wiki/Deploying-KRA-on-Podman
https://github.com/dogtagpki/pki/wiki/Deploying-OCSP-on-Podman