Merge pull request #5 from AXONE-IO/docker-integration

Commissioning configuration file

Author: AXONE-IO

docker/.env

@@ -0,0 +1,6 @@
+# Environment Variables automatically loaded by Docker Compose.
+# ref: https://docs.docker.com/compose/reference/envvars/
+COMPOSE_PROJECT_NAME=ignition-devops
+COMPOSE_PATH_SEPARATOR=:
+#COMPOSE_FILE=docker-compose-automated.yml
+COMPOSE_FILE=docker-compose.yml

docker/docker-compose-automated.yml

@@ -0,0 +1,45 @@
+# ICC 2022 - Docker Basics Workshop - Part II, Docker Compose
+# ref: https://github.com/compose-spec/compose-spec/blob/master/spec.md
+---
+services:
+  gateway:
+    build:
+      context: gw-build
+      dockerfile: Dockerfile
+      args:
+        IGNITION_VERSION: ${IGNITION_VERSION:-8.1.26}
+        SUPPLEMENTAL_MODULES: "git"
+        GATEWAY_ADMIN_USERNAME: admin
+      secrets:
+        - gateway-admin-password
+    hostname: gateway
+    ports:
+      - 9088:8088
+    environment:
+      - ACCEPT_IGNITION_EULA=Y
+      #- GATEWAY_ADMIN_USERNAME=admin
+      #- GATEWAY_ADMIN_PASSWORD_FILE=/run/secrets/gateway-admin-password
+      - GATEWAY_GIT_USER_SECRET_FILE=/run/secrets/gateway-git-user-secret
+      - IGNITION_EDITION=standard
+    networks:
+      - default
+    volumes:
+      - gateway_data:/usr/local/bin/ignition/data
+      - ./gw-init/git.conf:/usr/local/bin/ignition/data/git.conf
+    secrets:
+      - gateway-git-user-secret
+      - gateway-admin-password
+    command: >
+      -n Ignition-DevOps
+
+networks:
+  default:
+
+secrets:
+  gateway-git-user-secret:
+    file: gw-secrets/GATEWAY_GIT_USER_SECRET
+  gateway-admin-password:
+    file: gw-secrets/GATEWAY_ADMIN_PASSWORD
+
+volumes:
+  gateway_data:

docker/docker-compose.yml

@@ -0,0 +1,38 @@
+# ICC 2022 - Docker Basics Workshop - Part II, Docker Compose
+# ref: https://github.com/compose-spec/compose-spec/blob/master/spec.md
+---
+services:
+  gateway:
+    image: inductiveautomation/ignition:8.1.26
+    hostname: gateway
+    ports:
+      - 9088:8088
+    environment:
+      - ACCEPT_IGNITION_EULA=Y
+      - GATEWAY_ADMIN_USERNAME=admin
+      - GATEWAY_ADMIN_PASSWORD_FILE=/run/secrets/gateway-admin-password
+      - GATEWAY_GIT_USER_SECRET_FILE=/run/secrets/gateway-git-user-secret
+      - IGNITION_EDITION=standard
+    networks:
+      - default
+    volumes:
+      - gateway_data:/usr/local/bin/ignition/data
+      - ./modules/Git-1.0.1.modl:/usr/local/bin/ignition/user-lib/modules/Git-1.0.1.modl
+      - ./gw-init/git.conf:/usr/local/bin/ignition/data/git.conf
+    secrets:
+      - gateway-git-user-secret
+      - gateway-admin-password
+    command: >
+      -n Ignition-DevOps
+
+networks:
+  default:
+
+secrets:
+  gateway-git-user-secret:
+    file: gw-secrets/GATEWAY_GIT_USER_SECRET
+  gateway-admin-password:
+    file: gw-secrets/GATEWAY_ADMIN_PASSWORD
+
+volumes:
+  gateway_data:

docker/gw-build/Dockerfile

@@ -0,0 +1,89 @@
+# syntax=docker/dockerfile:1.5
+ARG IGNITION_VERSION=${IGNITION_VERSION}
+FROM inductiveautomation/ignition:${IGNITION_VERSION} as prep
+
+# Temporarily become root for system-level updates (required for 8.1.26+)
+USER root
+
+# Install some prerequisite packages
+RUN apt-get update && apt-get install -y wget ca-certificates jq zip unzip sqlite3
+
+ARG SUPPLEMENTAL_AZUREIOTINJECTOR_DOWNLOAD_URL="https://files.inductiveautomation.com/third-party/cirrus-link/4.0.15/Azure-Injector-signed.modl"
+ARG SUPPLEMENTAL_AZUREIOTINJECTOR_DOWNLOAD_SHA256="e952629cebaad75825cf6e57c09c01f5f1772065a6e87cc0cda45fdca4b29f13"
+ARG SUPPLEMENTAL_MQTTTRANSMISSION_DOWNLOAD_URL="https://files.inductiveautomation.com/third-party/cirrus-link/4.0.15/MQTT-Transmission-signed.modl"
+ARG SUPPLEMENTAL_MQTTTRANSMISSION_DOWNLOAD_SHA256="1e1e7428cba02dce6e579e6c82e4b8ad30d892438a7504aa0481eff7a5f87952"
+ARG SUPPLEMENTAL_MQTTTRANSMISSIONNIGHTLY_DOWNLOAD_URL="https://ignition-modules-nightly.s3.amazonaws.com/Ignition8/MQTT-Transmission-signed.modl"
+ARG SUPPLEMENTAL_MQTTTRANSMISSIONNIGHTLY_DOWNLOAD_SHA256="notused"
+ARG SUPPLEMENTAL_MQTTENGINE_DOWNLOAD_URL="https://files.inductiveautomation.com/third-party/cirrus-link/4.0.15/MQTT-Engine-signed.modl"
+ARG SUPPLEMENTAL_MQTTENGINE_DOWNLOAD_SHA256="5693c22b391e6da31351f2bb9245ad65e96dff9d02c0a322cb70eb11a2fb86b6"
+ARG SUPPLEMENTAL_MQTTENGINENIGHTLY_DOWNLOAD_URL="https://ignition-modules-nightly.s3.amazonaws.com/Ignition8/MQTT-Engine-signed.modl"
+ARG SUPPLEMENTAL_MQTTENGINENIGHTLY_DOWNLOAD_SHA256="notused"
+ARG SUPPLEMENTAL_MQTTDISTRIBUTOR_DOWNLOAD_URL="https://files.inductiveautomation.com/third-party/cirrus-link/4.0.15/MQTT-Distributor-signed.modl"
+ARG SUPPLEMENTAL_MQTTDISTRIBUTOR_DOWNLOAD_SHA256="5c81be13a9f749899825a99a109502c1eb28be940d060301a1ddf9967d488f9e"
+ARG SUPPLEMENTAL_MQTTDISTRIBUTORNIGHTLY_DOWNLOAD_URL="https://ignition-modules-nightly.s3.amazonaws.com/Ignition8/MQTT-Distributor-signed.modl"
+ARG SUPPLEMENTAL_MQTTDISTRIBUTORNIGHTLY_DOWNLOAD_SHA256="notused"
+ARG SUPPLEMENTAL_GIT_DOWNLOAD_URL="https://www.axone-io.com/Files/Modules/GIT/1.0.1/doc/module/Git-1.0.1.modl"
+ARG SUPPLEMENTAL_GIT_DOWNLOAD_SHA256="notused"
+ARG SUPPLEMENTAL_MODULES
+
+# Set working directory for this prep image and ensure that exits from sub-shells bubble up and report an error
+WORKDIR /root
+SHELL [ "/usr/bin/env", "-S", "bash", "-euo", "pipefail", "-O", "inherit_errexit", "-c" ]
+
+# Retrieve all targeted modules and verify their integrity
+COPY --chmod=0755 retrieve-modules.sh .
+RUN ./retrieve-modules.sh \
+    -m "${SUPPLEMENTAL_MODULES:-}"
+
+# Set CERTIFICATES/EULAS acceptance in gateway backup config db
+COPY base.gwbk .
+COPY --chmod=0755 register-module.sh register-password.sh ./
+ARG GATEWAY_ADMIN_USERNAME="admin"
+RUN --mount=type=secret,id=gateway-admin-password \
+    unzip -q base.gwbk db_backup_sqlite.idb && \
+    shopt -s nullglob; \
+    for module in *.modl; do \
+    ./register-module.sh \
+      -f "${module}" \
+      -d db_backup_sqlite.idb; \
+    done; \
+    shopt -u nullglob && \
+    ./register-password.sh \
+      -u "${GATEWAY_ADMIN_USERNAME}" \
+      -f /run/secrets/gateway-admin-password \
+      -d db_backup_sqlite.idb && \
+    zip -q -f base.gwbk db_backup_sqlite.idb || \
+    if [[ ${ZIP_EXIT_CODE:=$?} == 12 ]]; then \
+    echo "No changes to internal database needed during module registration."; \
+    else \
+    echo "Unknown error (${ZIP_EXIT_CODE}) encountered during re-packaging of config db, exiting." && \
+    exit ${ZIP_EXIT_CODE}; \
+    fi
+
+# Final Image
+FROM inductiveautomation/ignition:${IGNITION_VERSION} as final
+
+# Temporarily become root for system-level updates (required for 8.1.26+)
+USER root
+
+# Add supplemental packages, such as git if needed/desired
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    git && \
+    rm -rf /var/lib/apt/lists/*
+
+# Embed modules and base gwbk from prep image as well as entrypoint shim
+COPY --from=prep --chown=ignition:ignition /root/*.modl ${IGNITION_INSTALL_LOCATION}/user-lib/modules/
+COPY --from=prep --chown=ignition:ignition /root/base.gwbk ${IGNITION_INSTALL_LOCATION}/base.gwbk
+COPY --chmod=0755 --chown=root:root docker-entrypoint-shim.sh /usr/local/bin/
+
+# Return to ignition user
+USER ignition
+
+# Supplement other default environment variables
+ENV ACCEPT_IGNITION_EULA=Y \
+    IGNITION_EDITION=standard \
+    GATEWAY_MODULES_ENABLED=all
+
+# Target the entrypoint shim for any custom logic prior to gateway launch
+ENTRYPOINT [ "docker-entrypoint-shim.sh" ]

docker/gw-build/base.gwbk

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+### add other custom logic here that will run at container launch
+
+# Kick off the built-in entrypoint, with an in-built restore (-r <gwbk path>) directive
+exec docker-entrypoint.sh -r base.gwbk "$@"

docker/gw-build/docker-entrypoint-shim.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s inherit_errexit
+
+###############################################################################
+# Performs auto-acceptance of EULA and import of certificates for third-party modules
+###############################################################################
+function main() {
+    if [ ! -f "${MODULE_LOCATION}" ]; then
+        echo ""
+        return 0  # Silently exit if there is no /modules path
+    elif [ ! -f "${DB_LOCATION}" ]; then
+        echo "WARNING: ${DB_FILE} not found, skipping module registration"
+        return 0
+    fi
+
+    register_module
+}
+
+###############################################################################
+# Register the module with the target Config DB
+###############################################################################
+function register_module() {
+    local SQLITE3=( sqlite3 "${DB_LOCATION}" )
+
+    # Tie into db
+    local keytool module_sourcepath
+    module_basename=$(basename "${MODULE_LOCATION}")
+    module_sourcepath=${MODULE_LOCATION}
+    keytool=$(which keytool)
+
+    echo "Processing Module: ${module_basename}"
+
+    # Populate CERTIFICATES table
+    local cert_info subject_name thumbprint next_certificates_id thumbprint_already_exists
+    cert_info=$( unzip -qq -c "${module_sourcepath}" certificates.p7b | $keytool -printcert -v | head -n 9 ) 
+    thumbprint=$( echo "${cert_info}" | grep -A 2 "Certificate fingerprints" | grep SHA1 | cut -d : -f 2- | sed -e 's/\://g' | awk '{$1=$1;print tolower($0)}' ) 
+    subject_name=$( echo "${cert_info}" | grep -m 1 -Po '^Owner: CN=\K(.+)(?=, OU)' | sed -e 's/"//g' )
+    echo " Thumbprint: ${thumbprint}"
+    echo " Subject Name: ${subject_name}"
+    next_certificates_id=$( "${SQLITE3[@]}" "SELECT COALESCE(MAX(CERTIFICATES_ID)+1,1) FROM CERTIFICATES" ) 
+    thumbprint_already_exists=$( "${SQLITE3[@]}" "SELECT 1 FROM CERTIFICATES WHERE lower(hex(THUMBPRINT)) = '${thumbprint}'" )
+    if [ "${thumbprint_already_exists}" != "1" ]; then
+        echo " Accepting Certificate as CERTIFICATES_ID=${next_certificates_id}"
+        "${SQLITE3[@]}" "INSERT INTO CERTIFICATES (CERTIFICATES_ID, THUMBPRINT, SUBJECTNAME) VALUES (${next_certificates_id}, x'${thumbprint}', '${subject_name}'); UPDATE SEQUENCES SET val=${next_certificates_id} WHERE name='CERTIFICATES_SEQ'"
+    else
+        echo " Thumbprint already found in CERTIFICATES table, skipping INSERT"
+    fi
+
+    # Populate EULAS table
+    local next_eulas_id license_crc32 module_id module_id_already_exists
+    next_eulas_id=$( "${SQLITE3[@]}" "SELECT COALESCE(MAX(EULAS_ID)+1,1) FROM EULAS" ) 
+    license_crc32=$( unzip -qq -c "${module_sourcepath}" license.html | gzip -c | tail -c8 | od -t u4 -N 4 -A n | cut -c 2- ) 
+    module_id=$( unzip -qq -c "${module_sourcepath}" module.xml | grep -oP '(?<=<id>).*(?=</id)' )
+    module_id_already_exists=$( "${SQLITE3[@]}" "SELECT 1 FROM EULAS WHERE MODULEID='${module_id}' AND CRC=${license_crc32}" )
+    if [ "${module_id_already_exists}" != "1" ]; then
+        echo " Accepting License on your behalf as EULAS_ID=${next_eulas_id}"
+        "${SQLITE3[@]}" "INSERT INTO EULAS (EULAS_ID, MODULEID, CRC) VALUES (${next_eulas_id}, '${module_id}', ${license_crc32}); UPDATE SEQUENCES SET val=${next_eulas_id} WHERE name='EULAS_SEQ'"
+    else
+        echo " License EULA already found in EULAS table, skipping INSERT"
+    fi
+}
+
+###############################################################################
+# Outputs to stderr
+###############################################################################
+function debug() {
+  # shellcheck disable=SC2236
+  if [ ! -z ${verbose+x} ]; then
+    >&2 echo "  DEBUG: $*"
+  fi
+}
+
+###############################################################################
+# Print usage information
+###############################################################################
+function usage() {
+  >&2 echo "Usage: $0 -f <path/to/module> -d <path/to/db>"
+}
+
+# Argument Processing
+while getopts ":hvf:d:" opt; do
+  case "$opt" in
+  v)
+    verbose=1
+    ;;
+  f)
+    MODULE_LOCATION="${OPTARG}"
+    ;;
+  d)
+    DB_LOCATION="${OPTARG}"
+    DB_FILE=$(basename "${DB_LOCATION}")
+    ;;
+  h)
+    usage
+    exit 0
+    ;;
+  \?)
+    usage
+    echo "Invalid option: -${OPTARG}" >&2
+    exit 1
+    ;;
+  :)
+    usage
+    echo "Invalid option: -${OPTARG} requires an argument" >&2
+    exit 1
+    ;;
+  esac
+done
+
+# shift positional args based on number consumed by getopts
+shift $((OPTIND-1))
+
+if [ -z "${MODULE_LOCATION:-}" ] || [ -z "${DB_LOCATION:-}" ]; then
+  usage
+  exit 1
+fi
+
+main