Docker Deployment

This deploys Veraison a series of Docker containers on a dedicated Docker network on the local machine.

Dependencies

You will need to make sure you have make, git, docker (and its builder), and jq installed on your system. Optionally, tmux can be used to conveniently monitor output from running services. The CLI front-end relies on bash shell, which should already be installed on most systems, but if not, it would also need to be installed.

# on Ubuntu
sudo apt install bash make git docker.io docker-buildx jq tmux

# on Arch
sudo pacman -S bash make git docker docker-buildx jq tmux

# On MacOSX with Homebrew
brew install step coreutils gettext openssl sqlite3 protobuf jq
brew link --force gettext

important

Ubuntu users: Make sure you have docker installed natively (via sudo apt install docker.io), and not via snap, as the later won't have access to the default build contexts under /tmp. You could, of course, change those locations via the config, however we cannot guarantee that there won't be other issues -- if you decide to stick with snap, you're on your own.

Docker set up

If you're not already set up to use Docker on your system, you will need to make sure that it is enabled and running, and that you can access it by adding your account to the docker group:

sudo systemctl enable --now docker
sudo usrmod -a -G docker $USER

The user group modification won't take effect until you log out and log back in, or, alternatively, you can force in a specific shell with

newgrp docker

Creating the Deployment

Once you have the pre-requisites, you can create the deployment on your local system

git clone https://github.com/veraison/services.git
cd services/deployments/docker

make

Once the deployment is created, you can set up the front end by executing

source env.bash

inside a bash shell. There is an equivalent env.zsh for zsh (other shells are currently not supported). You can interact with the deployment via the veraison command. E.g.:

veraison status

You should see output similar to

         vts: stopped
provisioning: stopped
verification: stopped
  management: stopped
    keycloak: stopped

To start Veraison services run:

veraison start

The provisioning service is now listening on port 9443, and verification service on port 8443 (these can be changed via configuration -- see below).

Use the -h option to see the full list of available commands.

Deployment Composition

The deployment exists on its own Docker network. Each of the services runs in its own container. Service logs and VTS stores reside inside docker volumes, independent of any container.

deployment composition

On the diagram above, the network is shown in orange, the volumes in purple, the containers in blue, and the images the containers are based on in green.

In addition to the service container images, there also two images without permanent containers. They are used to spawn ephemeral containers via docker run --rm.

The builder image contains the Go toolchain and other tools necessary to build Veraison. It is used to compile the service binaries and their plugins that are then used to construct the service containers. This image is also used to spawn debug shells.

The manager image is used by the veraison frontend to, among other things, access the volumes where the logs and provisioned values are stored.

Configuration

The deployment may be configured by changing the settings inside deployment.cfg. See the comments inside that file for the explanation of the individual configuration values.

note

The individual services rely on configuration inside config.yaml.template. This currently uses the sqlite3 driver for the store backend, which limits request throughput and makes the deployment unsuitable for production or performance testing (for the latter, one can modify the template to use memory backend for the stores).

`make` Options

You can set the following variables to influence the behaviour while executing make targets:

DEBUG_HOST: sets the host name for the debug container. This is useful if you want to substitute the debug container in place of one of the service containers.

DEBUG_PORT: if set with a port number, that port on the debug container will be forwarded to the host (debug container is run with -p $(DEBUG_PORT):$(DEBUG_PORT)).

DOCKER_BUILD_FLAGS: additional flags to be passed to Docker when building various images. This is passed to all image build invocations, so should only be used for globally-applicable flags such as --no-cache.

Debugging

Running make debug will pop up a "debug" shell inside the builder image. The image has the build toolchain and the debugger installed, and /veraison/build/ directory is mapped onto the root of Veraison repo on your host. This means you can make modifications to the source using your preferred editor/IDE on the host, and then build and debug them in the debug shell.

Example: debugging scheme verification plugin

For example, say you are implementing a new attestation scheme, and are running into issues when attempting to verify your token (e.g. via an integration tests test-case). There is not enough output in the logs to identify the issue, and so, you'd like to set a breakpoint inside your code.

This needs to be done inside vts-service, as this is the component that loads the evidence handler plugin used on the verification path.

First, assuming you have frontend set up, and the services running, (if not, you can do so with source env.bash; veraison start), you will need to stop the "production" VTS service with:

veraison stop vts

this will stop vts-service but should leave the other services running (you can verify that by running veraison status).

Next, enter the debug shell:

make DEBUG_HOST=vts-service debug

this will pop open a bash shell inside the builder. The DEBUG_HOST argument will set the hostname of the builder container. Here, we're setting it to the hostname of the VTS service we just stopped, so that the provisioning and verification services that are still running will now talk to our debug container instead.

(Note: if you were replacing a REST service, rather than VTS, you would also set the DEBUG_PORT variable to the value appropriate to the service (see deployment.cfg.)

Next, navigate to the location of the VTS service executable (keeping in mind that the root of the repo is mapped to /veraison/build inside the container), and start the debugger:

# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
debug

The debug command is an alias for dlv debug that will make sure that the debug executable will be built with evidence handling plugins compiled in (same as if you ran make SCHEME_LOADER=builtin). This means you can set the breakpoint inside your code directly from here, and you don't need to worry about attaching the debugger to a separate plugin process.

(Note: the config.yaml files in service directories -- such as /veraison/build/vts/cmd/vts-service/config.yaml -- that are loaded by default, are configured for running the service directly on the build host, outside docker. For running inside a docker container, the config-docker.yaml in the same location should be used. debug command demonstrated above does that, so you don't need to worry about it. However, if you want to run the service executable directly, then you must remember to specify the appropriate config, e.g.

# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
./vts-service --config config-docker.yaml

Veraison Project