diff options
Diffstat (limited to 'scripts/docker')
22 files changed, 1248 insertions, 0 deletions
diff --git a/scripts/docker/README.md b/scripts/docker/README.md new file mode 100644 index 0000000..f6e9ae6 --- /dev/null +++ b/scripts/docker/README.md @@ -0,0 +1,200 @@ +# What is FreeRADIUS? + +The FreeRADIUS Server Project is a high performance and highly +configurable multi-protocol policy server, supporting RADIUS, DHCPv4 +and VMPS. Using RADIUS allows authentication and authorization for a network +to be centralized, and minimizes the number of changes that have to +be done when adding or deleting new users to a network. + +FreeRADIUS can authenticate users on systems such as 802.1x +(WiFi), dialup, PPPoE, VPN's, VoIP, and many others. It supports +back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft +Active Directory, Redis, OpenLDAP. It is used daily to +authenticate the Internet access for hundreds of millions of +people, in sites ranging from 10 to 10 million+ users. + +> [wikipedia.org/wiki/FreeRADIUS](https://en.wikipedia.org/wiki/FreeRADIUS) + + +# How to use this image + +## Starting the server + +```console +$ docker run --name my-radius -d freeradius/freeradius-server +``` + +The image contains only the default FreeRADIUS configuration which +has no users, and accepts test clients on 127.0.0.1. In order to +use it in production, as a minimum you will need to add clients to +the `clients.conf` file, and users to the "users" file in +`mods-config/files/authorize`. + +**Without building a local image with a configuration, the +container will refuse to answer any queries.** + + +## Defining a local configuration + +Create a local `Dockerfile` based on the required image and +COPY in the server configuration. + +```Dockerfile +FROM freeradius/freeradius-server:latest +COPY raddb/ /etc/raddb/ +``` + +The `raddb` directory could contain, for example: + +``` +clients.conf +mods-config/ +mods-config/files/ +mods-config/files/authorize +``` + +Where `clients.conf` contains a simple client definition + +``` +client dockernet { + ipaddr = 172.17.0.0/16 + secret = testing123 +} +``` + +and the `authorize` "users" file contains a test user: + +``` +bob Cleartext-Password := "test" +``` + +Build the image locally: + +```console +$ docker build -t my-radius-image -f Dockerfile . +``` + + +## Using the local configuration + +It should now be possible to test authentication against the +server from the host machine, using the `radtest` utility supplied +with FreeRADIUS and the credentials defined above. + +Start the local container. Ports will need to be forwarded to the +server, typically 1812/udp and/or 1813/udp, for example: + +```console +docker run --rm -d --name my-radius -p 1812-1813:1812-1813/udp my-radius-image +``` + +Send a test request, you will need the `radtest` utility: + +```console +$ radtest bob test 127.0.0.1 0 testing123 +``` + +which should return an "Access-Accept". + +The image can now be stopped with: + +```console +docker stop my-radius +``` + + +## Running in debug mode + +FreeRADIUS should always be tested in debug mode, using option +`-X`. Coloured debug output also requres `-t` be passed to docker. + +```console +$ docker run --rm --name my-radius -t -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X +``` + +Guidelines for how to read and interpret the debug output are on the +[FreeRADIUS Wiki](https://wiki.freeradius.org/radiusd-X). + + +## Security notes + +The configuration in the docker image comes with self-signed +certificates for convenience. These should not be used in a +production environment, but replaced with new certificates. See +the file `raddb/certs/README.md` for more information. + + +## Debugging + +By default if you try to use `gdb` in a Docker container, the +pattach call will fail, and you will not be able to trace +processes. + +In order to allow tracing, the ``--privileged`` flag must be +passed to ``docker run``, this restores any Linux ``cap`` +privileges that would not ordinarily be given. + + +# Image variants + +## `freeradius/freeradius-server:<version>` + +The de-facto image which should be used unless you know you need +another image. It is based on +[Ubuntu Linux](https://hub.docker.com/_/ubuntu/) Docker images. + + +## `freeradius/freeradius-server:<version>-alpine` + +Image based on the [Alpine Linux](https://hub.docker.com/_/alpine/) +Docker images, which are much smaller than most Linux +distributions. To keep the basic size as small as possible, **this +image does not include libraries for all modules that have been +built** (especially the languages such as Perl or Python). Therefore +these extra libraries will need to be installed with `apk add` in +your own Dockerfile if you intend on using modules that require +them. + + +# Building Docker images + +The FreeRADIUS source contains Dockerfiles for several Linux +distributions. They are in +[`freeradius-server/scripts/docker/<os_name>`](https://github.com/FreeRADIUS/freeradius-server/tree/v3.2.x/scripts/docker). + +Build an image with + +```bash +$ cd scripts/docker/<os_name> +$ docker build . -t freeradius-<os_name> +``` + +This will download the OS base image, install/build any dependencies +as necessary, perform a shallow clone of the FreeRADIUS source and +build the server. + +Once built, running ``docker images`` should show the image. + +```bash +$ docker images +REPOSITORY TAG IMAGE ID CREATED SIZE +freeradius-ubuntu16 latest 289b3c7aca94 4 minutes ago 218MB +freeradius-alpine latest d7fb3041bea2 2 hours ago 88.6MB +``` + + +## Build args + +Two ARGs are defined in the Dockerfiles that specify the source +repository and git tag that the release will be built from. These +are + +- source: the git repository URL +- release: the git commit/tag + +To build the image from a specific repository and git tag, set one +or both of these args: + +```console +$ docker build . --build-arg=release=v3.2.x --build-arg=source=https://github.com/FreeRADIUS/freeradius-server.git -t freeradius-<os_name> +``` diff --git a/scripts/docker/alpine/Dockerfile b/scripts/docker/alpine/Dockerfile new file mode 100644 index 0000000..2965525 --- /dev/null +++ b/scripts/docker/alpine/Dockerfile @@ -0,0 +1,83 @@ +ARG from=alpine:3.13 +FROM ${from} as build + +# +# Install build tools +# +RUN apk update +RUN apk add git gcc make + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +# essential +RUN apk add libc-dev talloc-dev +RUN apk add openssl openssl-dev +RUN apk add linux-headers +# general +RUN apk add pcre-dev libidn-dev krb5-dev samba-dev curl-dev json-c-dev +RUN apk add openldap-dev unbound-dev +# languages +RUN apk add ruby-dev perl-dev python2-dev +# databases +RUN apk add hiredis-dev libmemcached-dev gdbm-dev libcouchbase-dev +# sql +RUN apk add postgresql-dev mariadb-dev unixodbc-dev sqlite-dev + +# +# Build the server +# +RUN ./configure --prefix=/opt +RUN make -j2 +RUN make install +RUN rm /opt/lib/*.a + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /opt /opt + +# +# These are needed for the server to start +# +RUN apk update \ + && apk add talloc libressl pcre libwbclient tzdata \ + \ +# +# Libraries that are needed dependent on which modules are used +# Some of these (especially the languages) are huge. A reasonable +# selection has been enabled here. If you use modules needing +# other dependencies then install any others required in your +# local Dockerfile. +# + && apk add libcurl json-c libldap hiredis sqlite-dev \ +#RUN apk add libidn krb5 +#RUN apk add unbound-libs +#RUN apk add ruby-libs perl python2-dev +#RUN apk add libmemcached gdbm libcouchbase +#RUN apk add postgresql-dev mariadb-dev unixodbc-dev + \ + && ln -s /opt/etc/raddb /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["radiusd"] diff --git a/scripts/docker/alpine/docker-entrypoint.sh b/scripts/docker/alpine/docker-entrypoint.sh new file mode 100755 index 0000000..e0f9f6f --- /dev/null +++ b/scripts/docker/alpine/docker-entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/sh +set -e + +PATH=/opt/sbin:/opt/bin:$PATH +export PATH + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- radiusd "$@" +fi + +# check for the expected command +if [ "$1" = 'radiusd' ]; then + shift + exec radiusd -f "$@" +fi + +# debian people are likely to call "freeradius" as well, so allow that +if [ "$1" = 'freeradius' ]; then + shift + exec radiusd -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/centos7/Dockerfile b/scripts/docker/centos7/Dockerfile new file mode 100644 index 0000000..efa56eb --- /dev/null +++ b/scripts/docker/centos7/Dockerfile @@ -0,0 +1,96 @@ +ARG from=centos:centos7 +FROM ${from} as build + +# +# Install build tools +# +RUN yum groupinstall -y "Development Tools" +RUN yum install -y rpmdevtools +RUN yum install -y openssl + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Other requirements +# + +# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS +RUN echo $'[ltb-project]\n\ +name=LTB project packages\n\ +baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ +enabled=1\n\ +gpgcheck=1\n\ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ +> /etc/yum.repos.d/ltb-project.repo +RUN rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project + +# EPEL repository for freetds and hiredis +RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm + +# +# Install build dependencies +# +RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec + +# +# Create RPM build environment +# +ENV BUILDDIR=/root/rpmbuild +RUN rpmdev-setuptree + +RUN ./configure +RUN make freeradius-server-$(cat VERSION).tar.bz2 +RUN cp freeradius-server-$(cat VERSION).tar.bz2 $BUILDDIR/SOURCES/ +RUN cp -r redhat/* $BUILDDIR/SOURCES/ +RUN cp -r redhat/freeradius.spec $BUILDDIR/SPECS/ +WORKDIR $BUILDDIR + +# +# Build the server +# +ENV QA_RPATHS=0x0003 +RUN rpmbuild -bb --define '_release $release' "$BUILDDIR/SPECS/freeradius.spec" + +RUN mkdir /root/rpms +RUN mv $BUILDDIR/RPMS/*/*.rpm /root/rpms/ + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /root/rpms /tmp/ + +# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS +RUN echo $'[ltb-project]\n\ +name=LTB project packages\n\ +baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ +enabled=1\n\ +gpgcheck=1\n\ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ +> /etc/yum.repos.d/ltb-project.repo \ + && rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project \ + \ +# EPEL repository for freetds and hiredis + && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ + \ + && yum install -y /tmp/*.rpm + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["radiusd"] diff --git a/scripts/docker/centos7/docker-entrypoint.sh b/scripts/docker/centos7/docker-entrypoint.sh new file mode 100755 index 0000000..900ad6b --- /dev/null +++ b/scripts/docker/centos7/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- radiusd "$@" +fi + +# check for the expected command +if [ "$1" = 'radiusd' ]; then + shift + exec radiusd -f "$@" +fi + +# debian people are likely to call "freeradius" as well, so allow that +if [ "$1" = 'freeradius' ]; then + shift + exec radiusd -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/debian10/Dockerfile b/scripts/docker/debian10/Dockerfile new file mode 100644 index 0000000..441bed7 --- /dev/null +++ b/scripts/docker/debian10/Dockerfile @@ -0,0 +1,59 @@ +ARG from=debian:buster +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +RUN apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/debian10/docker-entrypoint.sh b/scripts/docker/debian10/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/debian10/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/debian11/Dockerfile b/scripts/docker/debian11/Dockerfile new file mode 100644 index 0000000..7a9931c --- /dev/null +++ b/scripts/docker/debian11/Dockerfile @@ -0,0 +1,64 @@ +ARG from=debian:bullseye +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +ARG freerad_uid=101 +ARG freerad_gid=101 + +RUN groupadd -g ${freerad_gid} -r freerad \ + && useradd -u ${freerad_uid} -g freerad -r -M -d /etc/freeradius -s /usr/sbin/nologin freerad \ + && apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/debian11/docker-entrypoint.sh b/scripts/docker/debian11/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/debian11/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/debian9/Dockerfile b/scripts/docker/debian9/Dockerfile new file mode 100644 index 0000000..1a34f7f --- /dev/null +++ b/scripts/docker/debian9/Dockerfile @@ -0,0 +1,59 @@ +ARG from=debian:stretch +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +RUN apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/debian9/docker-entrypoint.sh b/scripts/docker/debian9/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/debian9/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/debiansid/Dockerfile b/scripts/docker/debiansid/Dockerfile new file mode 100644 index 0000000..191ec49 --- /dev/null +++ b/scripts/docker/debiansid/Dockerfile @@ -0,0 +1,64 @@ +ARG from=debian:sid +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +ARG freerad_uid=101 +ARG freerad_gid=101 + +RUN groupadd -g ${freerad_gid} -r freerad \ + && useradd -u ${freerad_uid} -g freerad -r -M -d /etc/freeradius -s /usr/sbin/nologin freerad \ + && apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/debiansid/docker-entrypoint.sh b/scripts/docker/debiansid/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/debiansid/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/docker.mk b/scripts/docker/docker.mk new file mode 100644 index 0000000..9773625 --- /dev/null +++ b/scripts/docker/docker.mk @@ -0,0 +1,86 @@ +# +# Docker-related targets +# +# Intended for internal use to publish Docker images to docker hub. Likely need to run +# "docker login" before any push commands. +# +# Examples: +# +# Publish to Dockerhub "freeradius-server" +# make DOCKER_VERSION=3.2.0 DOCKER_BUILD_ARGS="--no-cache" docker-publish +# +# Build and push "freeradius-dev" image to Dockerhub (e.g. CI on every commit): +# make DOCKER_VERSION=latest DOCKER_COMMIT=v3.2.x DOCKER_TAG="freeradius-dev-3.2.x" DOCKER_BUILD_ARGS="--no-cache" docker-push +# +# Push to local repository: +# make DOCKER_VERSION=3.2.0 DOCKER_TAG="our-freeradius-build" DOCKER_REGISTRY="docker.somewhere.example" docker-publish +# +# See what is going to happen: +# make Q=": " ... +# +# +# Variables: +# +# Which version to tag as, e.g. "3.2.0". If this is not an actual release +# version, DOCKER_COMMIT _must_ also be set. +DOCKER_VERSION := $(RADIUSD_VERSION_STRING) +# +# Commit hash/tag/branch to build, will be taken from VERSION above if not overridden, e.g. "release_3_2_0" +DOCKER_COMMIT := release_$(shell echo $(DOCKER_VERSION) | tr .- __) +# +# Build args, most likely "--no-cache" +DOCKER_BUILD_ARGS := +# +# Tag name, likely "freeradius-server" for releases, or "freeradius-dev" for nightlies. +DOCKER_TAG := freeradius-server +# +# Repository name +DOCKER_REPO := freeradius +# +# Registry to push to +DOCKER_REGISTRY := +# + +ifneq "$(DOCKER_REPO)" "" + override DOCKER_REPO := $(DOCKER_REPO)/ +endif + +ifneq "$(DOCKER_REGISTRY)" "" + override DOCKER_REGISTRY := $(DOCKER_REGISTRY)/ +endif + + +.PHONY: docker-ubuntu +docker-ubuntu: + @echo Building ubuntu $(DOCKER_COMMIT) + $(Q)docker build $(DOCKER_BUILD_ARGS) scripts/docker/ubuntu22 --build-arg=release=$(DOCKER_COMMIT) -t $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION) + +.PHONY: docker-alpine +docker-alpine: + @echo Building alpine $(DOCKER_COMMIT) + $(Q)docker build $(DOCKER_BUILD_ARGS) scripts/docker/alpine --build-arg=release=$(DOCKER_COMMIT) -t $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION)-alpine + +.PHONY: docker +docker: docker-ubuntu docker-alpine + +.PHONY: docker-push +docker-push: docker + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION) + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION)-alpine + +.PHONY: docker-tag-latest +docker-tag-latest: docker + $(Q)docker tag $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION) $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest + $(Q)docker tag $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION)-alpine $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-alpine + $(Q)docker tag $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION) $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-3.2 + $(Q)docker tag $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):$(DOCKER_VERSION)-alpine $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-3.2-alpine + +.PHONY: docker-push-latest +docker-push-latest: docker-push docker-tag-latest + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-alpine + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-3.2 + $(Q)docker push $(DOCKER_REGISTRY)$(DOCKER_REPO)$(DOCKER_TAG):latest-3.2-alpine + +.PHONY: docker-publish +docker-publish: docker-push-latest diff --git a/scripts/docker/rocky8/Dockerfile b/scripts/docker/rocky8/Dockerfile new file mode 100644 index 0000000..ca821a3 --- /dev/null +++ b/scripts/docker/rocky8/Dockerfile @@ -0,0 +1,108 @@ +ARG from=rockylinux/rockylinux:8 +FROM ${from} as build + +RUN rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial + +# +# Install build tools +# +RUN yum groupinstall -y "Development Tools" +RUN yum install -y rpmdevtools openssl dnf-utils + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Other requirements +# + +# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS +RUN echo $'[ltb-project]\n\ +name=LTB project packages\n\ +baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ +enabled=1\n\ +gpgcheck=1\n\ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ +> /etc/yum.repos.d/ltb-project.repo +RUN rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project + +# EPEL repository for freetds and hiredis +RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm + +RUN yum config-manager --enable powertools +# Currently needed for hiredis-devel +RUN yum config-manager --enable epel-testing + +# +# Install build dependencies +# +RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec + +# +# Create RPM build environment +# +ENV BUILDDIR=/root/rpmbuild +RUN rpmdev-setuptree + +RUN ./configure +RUN make freeradius-server-$(cat VERSION).tar.bz2 +RUN cp freeradius-server-$(cat VERSION).tar.bz2 $BUILDDIR/SOURCES/ +RUN cp -r redhat/* $BUILDDIR/SOURCES/ +RUN cp -r redhat/freeradius.spec $BUILDDIR/SPECS/ +WORKDIR $BUILDDIR + +# +# Build the server +# +ENV QA_RPATHS=0x0003 +RUN rpmbuild -bb --define '_release $release' "$BUILDDIR/SPECS/freeradius.spec" + +RUN mkdir /root/rpms +RUN mv $BUILDDIR/RPMS/*/*.rpm /root/rpms/ + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /root/rpms /tmp/ + +# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS +RUN echo $'[ltb-project]\n\ +name=LTB project packages\n\ +baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ +enabled=1\n\ +gpgcheck=1\n\ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ +> /etc/yum.repos.d/ltb-project.repo \ + && rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project \ + \ +# EPEL repository for freetds and hiredis + && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && yum install -y dnf-utils \ + && yum config-manager --enable epel-testing + +ARG radiusd_uid=95 +ARG radiusd_gid=95 + +RUN groupadd -g ${radiusd_gid} -r radiusd \ + && useradd -u ${radiusd_uid} -g radiusd -r -M -d /home/radiusd -s /sbin/nologin radiusd \ + && yum install -y /tmp/*.rpm + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["radiusd"] diff --git a/scripts/docker/rocky8/docker-entrypoint.sh b/scripts/docker/rocky8/docker-entrypoint.sh new file mode 100755 index 0000000..900ad6b --- /dev/null +++ b/scripts/docker/rocky8/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- radiusd "$@" +fi + +# check for the expected command +if [ "$1" = 'radiusd' ]; then + shift + exec radiusd -f "$@" +fi + +# debian people are likely to call "freeradius" as well, so allow that +if [ "$1" = 'freeradius' ]; then + shift + exec radiusd -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/ubuntu18/Dockerfile b/scripts/docker/ubuntu18/Dockerfile new file mode 100644 index 0000000..7322026 --- /dev/null +++ b/scripts/docker/ubuntu18/Dockerfile @@ -0,0 +1,59 @@ +ARG from=ubuntu:18.04 +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +RUN apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/ubuntu18/docker-entrypoint.sh b/scripts/docker/ubuntu18/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/ubuntu18/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/ubuntu20/Dockerfile b/scripts/docker/ubuntu20/Dockerfile new file mode 100644 index 0000000..783ebc9 --- /dev/null +++ b/scripts/docker/ubuntu20/Dockerfile @@ -0,0 +1,61 @@ +ARG from=ubuntu:20.04 +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +ARG DEBIAN_FRONTEND=noninteractive + +RUN apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/ubuntu20/docker-entrypoint.sh b/scripts/docker/ubuntu20/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/ubuntu20/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" diff --git a/scripts/docker/ubuntu22/Dockerfile b/scripts/docker/ubuntu22/Dockerfile new file mode 100644 index 0000000..9e6aa57 --- /dev/null +++ b/scripts/docker/ubuntu22/Dockerfile @@ -0,0 +1,66 @@ +ARG from=ubuntu:22.04 +FROM ${from} as build + +ARG DEBIAN_FRONTEND=noninteractive + +# +# Install build tools +# +RUN apt-get update +RUN apt-get install -y devscripts equivs git quilt gcc + +# +# Create build directory +# +RUN mkdir -p /usr/local/src/repositories +WORKDIR /usr/local/src/repositories + +# +# Shallow clone the FreeRADIUS source +# +ARG source=https://github.com/FreeRADIUS/freeradius-server.git +ARG release=v3.2.x + +RUN git clone --depth 1 --single-branch --branch ${release} ${source} +WORKDIR freeradius-server + +# +# Install build dependencies +# +RUN git checkout ${release}; \ + if [ -e ./debian/control.in ]; then \ + debian/rules debian/control; \ + fi; \ + echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control + +# +# Build the server +# +RUN make -j2 deb + +# +# Clean environment and run the server +# +FROM ${from} +COPY --from=build /usr/local/src/repositories/*.deb /tmp/ + +ARG freerad_uid=101 +ARG freerad_gid=101 + +ARG DEBIAN_FRONTEND=noninteractive + +RUN groupadd -g ${freerad_gid} -r freerad \ + && useradd -u ${freerad_uid} -g freerad -r -M -d /etc/freeradius -s /usr/sbin/nologin freerad \ + && apt-get update \ + && apt-get install -y /tmp/*.deb \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* /tmp/*.deb \ + \ + && ln -s /etc/freeradius /etc/raddb + +COPY docker-entrypoint.sh / +RUN chmod +x /docker-entrypoint.sh + +EXPOSE 1812/udp 1813/udp +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["freeradius"] diff --git a/scripts/docker/ubuntu22/docker-entrypoint.sh b/scripts/docker/ubuntu22/docker-entrypoint.sh new file mode 100755 index 0000000..93141b0 --- /dev/null +++ b/scripts/docker/ubuntu22/docker-entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +# this if will check if the first argument is a flag +# but only works if all arguments require a hyphenated flag +# -v; -SL; -f arg; etc will work, but not arg1 arg2 +if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then + set -- freeradius "$@" +fi + +# check for the expected command +if [ "$1" = 'freeradius' ]; then + shift + exec freeradius -f "$@" +fi + +# many people are likely to call "radiusd" as well, so allow that +if [ "$1" = 'radiusd' ]; then + shift + exec freeradius -f "$@" +fi + +# else default to run whatever the user wanted like "bash" or "sh" +exec "$@" |