Move top-level docker images folder to the onprem module (#96)

* move docker folder to the onprme module

* update CHANGELOG

modules/cloud-config-container/onprem/README.md

@@ -4,11 +4,11 @@ This module manages a `cloud-config` configuration that starts an emulated on-pr
 
 The emulated on-premises infrastructure is composed of:
 
-- a Strongswan container managing the VPN tunnel to GCP
+- a [Strongswan container](./docker-images/strongswan) managing the VPN tunnel to GCP
 - an optional Bird container managing the BGP session
 - a CoreDNS container servng local DNS and forwarding to GCP
 - an Nginx container serving a simple static web page
-- a generic Linux container used as a jump host inside the on-premises network
+- a [generic Linux container](./docker-images/toolbox) used as a jump host inside the on-premises network
 
 A [complete scenario using this module](../../../infrastructure/onprem-google-access-dns) is available in the infrastructure examples.
 

modules/cloud-config-container/onprem/docker-images/README.md

@@ -0,0 +1,3 @@
+# Supporting container images
+
+The images in this folder are used by the [`onprem` module](../).

modules/cloud-config-container/onprem/docker-images/strongswan/Dockerfile

@@ -0,0 +1,34 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:latest
+
+RUN set -xe \
+    && apk add --no-cache strongswan bash sudo
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod 0755 /entrypoint.sh
+
+COPY ipsec-vti.sh /var/lib/strongswan/ipsec-vti.sh
+RUN chmod 0755 /var/lib/strongswan/ipsec-vti.sh
+
+RUN echo 'ipsec ALL=NOPASSWD:SETENV:/usr/sbin/ipsec,/sbin/ip,/sbin/sysctl' > /etc/sudoers.d/ipsec
+RUN chmod 0440 /etc/sudoers.d/ipsec
+
+ENV VPN_DEVICE=eth0
+ENV LAN_NETWORKS=192.168.0.0/24
+
+EXPOSE 500/udp 4500/udp
+
+ENTRYPOINT ["/entrypoint.sh"]

modules/cloud-config-container/onprem/docker-images/strongswan/README.md

@@ -0,0 +1,44 @@
+
+# StrongSwan docker container
+
+## Build
+
+```bash
+gcloud builds submit . --config=cloudbuild.yaml
+```
+
+## Docker compose example
+
+```yaml
+version: "3"
+services:
+  vpn:
+    image: gcr.io/pso-cft-fabric/strongswan:latest
+    networks:
+      default:
+        ipv4_address: 192.168.0.2
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "500:500/udp"
+      - "4500:4500/udp"
+      - "179:179/tcp"
+    privileged: true
+    volumes:
+      - "/lib/modules:/lib/modules:ro"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/var/lib/docker-compose/onprem/ipsec/ipsec.conf:/etc/ipsec.conf:ro"
+      - "/var/lib/docker-compose/onprem/ipsec/ipsec.secrets:/etc/ipsec.secrets:ro"
+      - "/var/lib/docker-compose/onprem/ipsec/vti.conf:/etc/strongswan.d/vti.conf:ro"
+  bird:
+    image: pierky/bird
+    network_mode: service:vpn
+    cap_add:
+      - NET_ADMIN
+      - NET_BROADCAST
+      - NET_RAW
+    privileged: true
+    volumes:
+      - "/var/lib/docker-compose/onprem/bird/bird.conf:/etc/bird/bird.conf:ro"
+
+```

modules/cloud-config-container/onprem/docker-images/strongswan/cloudbuild.yaml

@@ -0,0 +1,30 @@
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# In this directory, run the following command to build this builder.
+# $ gcloud builds submit . --config=cloudbuild.yaml
+
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+  args: 
+  - build 
+  - --tag=gcr.io/$PROJECT_ID/strongswan
+  - --tag=gcr.io/$PROJECT_ID/strongswan:latest
+  - .
+    
+images:
+  - 'gcr.io/$PROJECT_ID/strongswan:latest'
+    
+timeout: 1200s

modules/cloud-config-container/onprem/docker-images/strongswan/entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Enable IP forwarding
+sysctl -w net.ipv4.ip_forward=1
+
+# Stop ipsec when terminating
+_stop_ipsec() {
+  echo "Shutting down strongSwan/ipsec..."
+  ipsec stop
+}
+trap _stop_ipsec SIGTERM
+
+# Making the containter to work as a default gateway for LAN_NETWORKS
+iptables -t nat -A POSTROUTING -s ${LAN_NETWORKS} -o ${VPN_DEVICE} -m policy --dir out --pol ipsec -j ACCEPT
+iptables -t nat -A POSTROUTING -s ${LAN_NETWORKS} -o ${VPN_DEVICE} -j MASQUERADE
+
+# Start ipsec
+echo "Starting up strongSwan/ipsec..."
+ipsec start --nofork "$@" &
+child=$!
+wait "$child"

modules/cloud-config-container/onprem/docker-images/strongswan/ipsec-vti.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# originally published at
+# https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
+
+set -o nounset
+set -o errexit
+
+IP=$(which ip)
+
+PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
+PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })
+
+VTI_TUNNEL_ID=${1}
+VTI_REMOTE=${2}
+VTI_LOCAL=${3}
+
+LOCAL_IF="${PLUTO_INTERFACE}"
+VTI_IF="vti${VTI_TUNNEL_ID}"
+# GCP's MTU is 1460
+GCP_MTU="1460"
+# ipsec overhead is 73 bytes, we need to compute new mtu.
+VTI_MTU=$((GCP_MTU-73))
+
+case "${PLUTO_VERB}" in
+    up-client)
+        sudo ${IP} link add ${VTI_IF} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
+        sudo ${IP} addr add ${VTI_LOCAL} remote ${VTI_REMOTE} dev "${VTI_IF}"
+        sudo ${IP} link set ${VTI_IF} up mtu ${VTI_MTU}
+
+        # Disable IPSEC Policy
+        sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.disable_policy=1
+
+        # Enable loosy source validation, if possible. Otherwise disable validation.
+        sudo /sbin/sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=0
+
+        # If you would like to use VTI for policy-based you shoud take care of routing by yourselv, e.x.
+        if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
+            ${IP} r add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
+        fi
+        ;;
+    down-client)
+        sudo ${IP} tunnel del "${VTI_IF}"
+        ;;
+esac
+
+# Enable IPv4 forwarding
+sudo /sbin/sysctl -w net.ipv4.ip_forward=1
+
+# Disable IPSEC Encryption on local net
+sudo /sbin/sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1
+sudo /sbin/sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_policy=1

modules/cloud-config-container/onprem/docker-images/toolbox/Dockerfile

@@ -0,0 +1,30 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+FROM google/cloud-sdk:alpine
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod 0755 /entrypoint.sh
+
+RUN apk update && \
+    apk add bash curl bind-tools busybox-extras netcat-openbsd && \
+    rm /var/cache/apk/*
+
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && \
+    chmod 755 kubectl && mv kubectl /usr/local/bin/
+
+CMD ["/bin/bash"]
+
+ENTRYPOINT ["/entrypoint.sh"]

modules/cloud-config-container/onprem/docker-images/toolbox/README.md

@@ -0,0 +1,26 @@
+
+# ToolBox docker container
+
+Lightweight container with some basic console tools used for testing and probing.
+
+## Build
+
+```bash
+gcloud builds submit . --config=cloudbuild.yaml
+```
+
+## Docker compose
+
+```yaml
+version: "3"
+services:
+  vpn:
+    image: gcr.io/pso-cft-fabric/toolbox:latest
+    networks:
+      default:
+        ipv4_address: 192.168.0.5
+    cap_add:
+      - NET_ADMIN
+    privileged: true
+
+```

modules/cloud-config-container/onprem/docker-images/toolbox/cloudbuild.yaml

@@ -0,0 +1,30 @@
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# In this directory, run the following command to build this builder.
+# $ gcloud builds submit . --config=cloudbuild.yaml
+
+steps:
+- name: 'gcr.io/cloud-builders/docker'
+  args: 
+  - build 
+  - --tag=gcr.io/$PROJECT_ID/toolbox
+  - --tag=gcr.io/$PROJECT_ID/toolbox:latest
+  - .
+    
+images:
+  - 'gcr.io/$PROJECT_ID/toolbox:latest'
+    
+timeout: 1200s

modules/cloud-config-container/onprem/docker-images/toolbox/entrypoint.sh

@@ -0,0 +1,18 @@
+#!/bin/sh -e
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo "Entering sleep..."
+trap : TERM INT; (while true; do sleep 1000; done) & wait