google · gdbelvin · Jun 9, 2017 · May 11, 2017
@@ -2,9 +2,9 @@
 *.swo
 *~
 
-keytransparency-server
-keytransparency-signer
-keytransparency-client
+/keytransparency-server
+/keytransparency-signer
+/keytransparency-client
 
 infra*.etcd
 genfiles/*

@@ -1,9 +1,9 @@
-log-key: "../certificate-transparency/test/testdata/ct-server-key-public.pem"
-vrf:    "testdata/vrf-pubkey.pem"
-kt-key: "testdata/server.crt"
-kt-sig: "testdata/p256-pubkey.pem"
+log-key: "../trillian/testdata/ct-http-server.pubkey.pem"
+vrf:    "genfiles/vrf-pubkey.pem"
+kt-key: "genfiles/server.crt"
+kt-sig: "genfiles/p256-pubkey.pem"
 domain: "example.com"
-map-id: 0
+mapid: 0 
 kt-url: "104.199.112.76:5001"
-client-secret: "client_secret.json"
-service-key: ""
+-client-secret: "client_secret.json"
+-service-key: ""
@@ -86,12 +86,15 @@ Set `$GOPATH` variable to point to your Go workspace directory and add `$GOPATH/
 1. Install 
 - [Etcd v3.1.3](https://github.com/coreos/etcd/releases/tag/v3.1.3).
 - [OpenSSL](https://www.openssl.org/community/binaries.html)
+- [Docker](https://docs.docker.com/engine/installation/) 
+  - Docker Engine 1.13.0+ `docker version -f '{{.Server.APIVersion}}'`
+  - Docker Compose 1.11.0+ `docker-compose --version`
 
 2. Install Key Transparency
 
   ```sh
-  go get -u github.com/mattn/goreman
   go get -u github.com/google/keytransparency/...
+  go get -u github.com/google/trillian/...
   ```
 
 4. Get a [service account key](https://console.developers.google.com/apis/credentials) and download the generated JSON file.
@@ -101,7 +104,7 @@ Set `$GOPATH` variable to point to your Go workspace directory and add `$GOPATH/
 5. Run server setup 
 
   ```sh
-  ./scripts/prepare_server.sh
+./scripts/prepare_server.sh
   ```
 
   The tool will build the server binaries, generate keys, and configure the server.
@@ -111,8 +114,24 @@ Set `$GOPATH` variable to point to your Go workspace directory and add `$GOPATH/
   - `genfiles/server.crt`
   - `genfile/p256-pubkey.pem`
 
-6. Run the server and the signer using
+6. Run the trillian-map server 
 
   ```sh
-  goreman start
+docker-compose up -d trillian-map
   ```
+
+7. Provision a log and a map 
+```sh
+MAP_IP=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' keytransparency_trillian-map_1`
+go run $GOPATH/src/github.com/google/trillian/cmd/createtree/main.go --admin_server=$MAP_IP:8090 --pem_key_path=testdata/log-rpc-server.privkey.pem --pem_key_password="towel" --signature_algorithm=ECDSA --tree_type=LOG
+go run $GOPATH/src/github.com/google/trillian/cmd/createtree/main.go --admin_server=$MAP_IP:8090 --pem_key_path=testdata/log-rpc-server.privkey.pem --pem_key_password="towel" --signature_algorithm=ECDSA --tree_type=MAP
+```
+
+Set the `LOG_ID` and `MAP_ID` environment variables in `docker-compose.yml` with the output
+of the respective commands.
+
+8. Launch the rest of the cluster and observe.
+- `docker-compose up -d`
+- `docker-compose logs --tail=0 --follow`
+- [https://localhost:8080/v1/users/foo@bar.com](https://localhost:8080/v1/users/foo@bar.com)
+
@@ -0,0 +1,41 @@
+FROM golang
+
+ENV DB_USER=test \
+    DB_PASSWORD=zaphod \
+    DB_DATABASE=test \
+    DB_HOST=db:3306
+
+ENV HOST=0.0.0.0 \
+    RPC_PORT=8080
+
+# TLS Certificate needs 0.0.0.0 to be in the SAN IP field.
+ENV VRF_PRIV=genfiles/vrf-key.pem \
+    TLS_KEY_PATH=genfiles/server.key \
+    TLS_CRT_PATH=genfiles/server.crt
+
+ENV MAP_ID=0 \
+    MAP_URL=""
+ENV LOG_ID=0 \
+    LOG_URL=localhost:8090 
+ENV GOOGLE_APPLICATION_CREDENTIALS=genfiles/service_key.json
+ENV VERBOSE=0
+
+ADD . /go/src/github.com/google/keytransparency
+WORKDIR /go/src/github.com/google/keytransparency 
+
+RUN go get -tags="mysql" ./cmd/keytransparency-server
+
+ENTRYPOINT /go/bin/keytransparency-server \
+	--addr="$HOST:$RPC_PORT" \
+	--db="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
+	--vrf="$VRF_PRIV" \
+	--key="$TLS_KEY_PATH" --cert="$TLS_CRT_PATH" \
+	--log-id="$LOG_ID" --log-url="$LOG_URL" \
+	--map-id="$MAP_ID" --map-url="$MAP_URL" \
+	--alsologtostderr \
+	--verbose="$VERBOSE"
+
+EXPOSE $RPC_PORT
+
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost:$RPC_PORT/debug/vars || exit 1
@@ -0,0 +1,26 @@
+FROM golang
+
+ENV DB_USER=test \
+    DB_PASSWORD=zaphod \
+    DB_DATABASE=test \
+    DB_HOST=127.0.0.0:3306
+
+ENV MAP_ID=0 \
+    MAP_URL=""
+ENV LOG_ID=0 \
+    LOG_URL=localhost:8090 \
+    LOG_KEY=../trillian/testdata/log-rpc-server.pubkey.pem
+
+ENV SIGN_PERIOD=5s
+
+ADD . /go/src/github.com/google/keytransparency
+WORKDIR /go/src/github.com/google/keytransparency 
+
+RUN go get -tags="mysql" ./cmd/keytransparency-signer
+
+ENTRYPOINT /go/bin/keytransparency-signer \
+	--db="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
+	--period="$SIGN_PERIOD" --key="$SIGN_KEY" --password="$SIGN_KEY_PW" \
+	--log-id="$LOG_ID" --log-url="$LOG_URL" --log-key="$LOG_KEY" \
+	--map-id="$MAP_ID" --map-url="$MAP_URL" \
+	--alsologtostderr 
@@ -52,6 +52,7 @@ var (
 
 	// Info to replicate the Trillian Map Server locally.
 	signingKey = flag.String("key", "", "Path to private key PEM for STH signing")
+	signingKeyPassword = flag.String("password", "", "Password of the private key PEM file for STH signing")
 
 	// Info to send Signed Map Heads to a Trillian Log.
 	logID     = flag.Int64("log-id", 0, "Trillian Log ID")
@@ -80,8 +81,7 @@ func newMapServer(ctx context.Context, sqldb *sql.DB, factory ctxn.Factory) (tri
 	if err != nil {
 		return nil, err
 	}
-
-	signer, err := keys.NewFromPrivatePEM(*signingKey, "")
+	signer, err := keys.NewFromPrivatePEMFile(*signingKey, *signingKeyPassword)
 	if err != nil {
 		return nil, err
 	}

@@ -67,7 +67,7 @@ func New(realm string,
 func (s *Signer) StartSigning(ctx context.Context, interval time.Duration) {
 	for range time.NewTicker(interval).C {
 		if err := s.CreateEpoch(ctx); err != nil {
-			glog.Fatalf("CreateEpoch failed: %v", err)
+			glog.Errorf("CreateEpoch failed: %v", err)
 		}
 	}
 }

@@ -0,0 +1,142 @@
+version: "3"
+services:
+  db:
+    image: mysql
+    volumes:
+      - ../trillian/storage/mysql/storage.sql:/docker-entrypoint-initdb.d/storage.sql
+    restart: always
+    environment:
+      MYSQL_PASSWORD: zaphod
+      MYSQL_USER: test
+      MYSQL_DATABASE: test
+      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
+
+  trillian-log:
+    depends_on:
+      - db
+    image: trillian_log_server:latest
+    build: 
+      context: ../trillian
+      dockerfile: server/trillian_log_server/Dockerfile
+    restart: always
+    ports:
+      - "8090:8090" # RPCs
+      - "8091:8091" # Metrics
+    environment:
+      DB_HOST: db:3306
+      DB_DATABASE: test
+      DB_USER: test
+      DB_PASSWORD: zaphod 
+
+  trillian-log-signer:
+    depends_on:
+      - db
+    image: trillian_log_signer:latest
+    volumes:
+         - ../keytransparency/genfiles:/kt
+    build: 
+      context: ../trillian
+      dockerfile: server/trillian_log_signer/Dockerfile
+    restart: always
+    ports:
+      - "8092:8091" # Metrics
+    environment:
+      DB_HOST: db:3306
+      DB_DATABASE: test
+      DB_USER: test
+      DB_PASSWORD: zaphod
+      GOOGLE_APPLICATION_CREDENTIALS: /genfiles/service_key.json
+      KEY: /kt/server.key
+      CERT: /kt/server.crt
+      VRF_PRIV: /kt/vrf-key.pem
+      VRF_PUB: /kt/vrf-pubkey.pem
+      SIGN_KEY: /kt/p256-key.pem
+      SIGN_KEY_PW: "towel"
+
+
+  trillian-map:
+    depends_on:
+      - db
+    image: trillian_map_server:latest
+    build: 
+      context: ../trillian
+      dockerfile: server/trillian_map_server/Dockerfile
+    restart: always
+    ports:
+      - "8093:8090" # RPCs
+      - "8094:8091" # Metrics
+    environment:
+      DB_HOST: db:3306
+      DB_DATABASE: test
+      DB_USER: test
+      DB_PASSWORD: zaphod 
+
+  kt-server:
+    depends_on:
+      - db
+      - trillian-log
+      - trillian-map
+    build:
+      context: .
+      dockerfile: ./cmd/keytransparency-server/Dockerfile
+    image: keytransparency-server:latest
+    volumes:
+      - ./genfiles/:/kt/
+    restart: always
+    ports:
+      - "8080:8080" # JSON & gRPC
+    environment:
+      LOG_ID: 4450861294505218766 # Update with trillian admin CLI.
+      LOG_URL: trillian-log:8090
+      MAP_ID: 5698043027494814677 # Update with trillian admin CLI.
+      MAP_URL: trillian-map:8090
+      DB_HOST: db:3306
+      DB_DATABASE: test
+      DB_USER: test
+      DB_PASSWORD: zaphod
+      GOOGLE_APPLICATION_CREDENTIALS: /kt/service_key.json
+      KEY: /kt/server.key
+      CERT: /kt/server.crt
+      VRF_PRIV: /kt/vrf-key.pem
+      VRF_PUB: /kt/vrf-pubkey.pem
+      TLS_KEY_PATH: /kt/server.key
+      TLS_CRT_PATH: /kt/server.crt
+
+
+
+  kt-signer:
+    depends_on:
+      - db
+      - trillian-log
+      - trillian-map
+    build:
+      context: .
+      dockerfile: ./cmd/keytransparency-signer/Dockerfile
+    image: keytransparency-signer:latest
+    volumes:
+      - ./genfiles/:/kt/
+      - ../trillian/testdata/:/trillian/
+    restart: always
+    environment:
+      LOG_ID: 4450861294505218766 # Update with trillian admin CLI.
+      LOG_URL: trillian-log:8090
+      MAP_ID: 5698043027494814677 # Update with trillian admin CLI.
+      MAP_URL: trillian-map:8090
+      DB_HOST: db:3306
+      DB_DATABASE: test
+      DB_USER: test
+      DB_PASSWORD: zaphod
+      GOOGLE_APPLICATION_CREDENTIALS: /kt/service_key.json
+      KEY: /kt/server.key
+      LOG_KEY: /trillian/log-rpc-server.pubkey.pem
+      CERT: /kt/server.crt
+      VRF_PRIV: /kt/genfiles/vrf-key.pem
+      VRF_PUB: /kt/genfiles/vrf-pubkey.pem
+      SIGN_KEY: /trillian/log-rpc-server.privkey.pem
+      SIGN_KEY_PW: towel
+
+volumes:
+  kt:
+
+
+
@@ -17,20 +17,20 @@ package config
 
 import (
 	"fmt"
-	"log"
 
 	"github.com/google/trillian"
 	"github.com/google/trillian/client"
 	"github.com/google/trillian/crypto/keys"
 	"github.com/google/trillian/merkle/objhasher"
 	"google.golang.org/grpc"
+	"github.com/golang/glog"
 )
 
 // LogClient creates a log client.
 func LogClient(logID int64, logURL, pubKeyFile string) (client.VerifyingLogClient, error) {
 	sthPubKey, err := keys.NewFromPublicPEMFile(pubKeyFile)
 	if err != nil {
-		log.Fatalf("Failed to open public key %v: %v", pubKeyFile, err)
+		glog.Fatalf("Failed to open public key %v: %v", pubKeyFile, err)
 	}
 	// The log should be in a restricted access backend environment.
 	cc, err := grpc.Dial(logURL, grpc.WithInsecure())