chore: simplify run.sh

- get rid of sudo
- do not change permissions of existing files
- use our own docker image to generate certs to make it working on arm
- bump kafka docker image version to have access to multiplatofrm one

.ci/docker-compose-file/docker-compose-kafka.yaml

@@ -10,13 +10,12 @@ services:
     networks:
       emqx_bridge:
   ssl_cert_gen:
-    image: fredrikhgrelland/alpine-jdk11-openssl
+    # see https://github.com/emqx/docker-images
+    image:  ghcr.io/emqx/certgen:latest
     container_name: ssl_cert_gen
+    user: "${DOCKER_USER:-root}"
     volumes:
       - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
-      - ./kafka/generate-certs.sh:/bin/generate-certs.sh
-    entrypoint: /bin/sh
-    command: /bin/generate-certs.sh
   kdc:
     hostname: kdc.emqx.net
     image:  ghcr.io/emqx/emqx-builder/5.0-28:1.13.4-24.3.4.2-2-ubuntu20.04
@@ -36,7 +35,7 @@ services:
       - ./kerberos/run.sh:/usr/bin/run.sh
     command: run.sh
   kafka_1:
-    image: wurstmeister/kafka:2.13-2.7.0
+    image: wurstmeister/kafka:2.13-2.8.1
     # ports:
     #   - "9192-9195:9192-9195"
     container_name: kafka-1.emqx.net

.ci/docker-compose-file/docker-compose.yaml

@@ -23,7 +23,7 @@ services:
       - ./kerberos/krb5.conf:/etc/krb5.conf
     working_dir: /emqx
     tty: true
-    user: "${UID_GID}"
+    user: "${DOCKER_USER:-root}"
 
 networks:
   emqx_bridge:

.ci/docker-compose-file/kafka/generate-certs.sh

@@ -1,46 +0,0 @@
-#!/usr/bin/bash
-
-set -euo pipefail
-
-set -x
-
-# Source https://github.com/zmstone/docker-kafka/blob/master/generate-certs.sh
-
-HOST="*."
-DAYS=3650
-PASS="password"
-
-cd /var/lib/secret/
-
-# Delete old files
-(rm ca.key ca.crt server.key server.csr server.crt client.key client.csr client.crt server.p12 kafka.keystore.jks kafka.truststore.jks 2>/dev/null || true)
-
-ls
-
-echo '== Generate self-signed server and client certificates'
-echo '= generate CA'
-openssl req -new -x509 -keyout ca.key -out ca.crt -days $DAYS -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
-
-echo '= generate server certificate request'
-openssl req -newkey rsa:2048 -sha256 -keyout server.key -out server.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
-
-echo '= sign server certificate'
-openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days "$DAYS" -CAcreateserial
-
-echo '= generate client certificate request'
-openssl req -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -days "$DAYS" -nodes -subj "/C=SE/ST=Stockholm/L=Stockholm/O=brod/OU=test/CN=$HOST"
-
-echo '== sign client certificate'
-openssl x509 -req -CA ca.crt -CAkey ca.key -in client.csr -out client.crt -days $DAYS -CAserial ca.srl
-
-echo '= Convert self-signed certificate to PKCS#12 format'
-openssl pkcs12 -export -name "$HOST" -in server.crt -inkey server.key -out server.p12 -CAfile ca.crt -passout pass:"$PASS"
-
-echo '= Import PKCS#12 into a java keystore'
-
-echo $PASS | keytool -importkeystore -destkeystore kafka.keystore.jks -srckeystore server.p12 -srcstoretype pkcs12 -alias "$HOST" -storepass "$PASS"
-
-
-echo '= Import CA into java truststore'
-
-echo yes | keytool -keystore kafka.truststore.jks -alias CARoot -import -file ca.crt -storepass "$PASS"

.ci/docker-compose-file/kafka/kafka-entrypoint.sh

@@ -17,6 +17,7 @@ timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.keytab ]; do sleep 1;
 echo "+++++++ Wait until SSL certs are generated ++++++++"
 
 timeout $TIMEOUT bash -c 'until [ -f /var/lib/secret/kafka.truststore.jks ]; do sleep 1; done'
+keytool -list -v -keystore /var/lib/secret/kafka.keystore.jks -storepass password
 
 sleep 3
 

scripts/ct/run.sh

@@ -154,9 +154,6 @@ for dep in ${CT_DEPS}; do
                      '.ci/docker-compose-file/docker-compose-pgsql-tls.yaml' )
             ;;
         kafka)
-            # Kafka container generates root owned ssl files
-            # the files are shared with EMQX (with a docker volume)
-            NEED_ROOT=yes
             FILES+=( '.ci/docker-compose-file/docker-compose-kafka.yaml' )
             ;;
         tdengine)
@@ -180,35 +177,14 @@ F_OPTIONS=""
 for file in "${FILES[@]}"; do
     F_OPTIONS="$F_OPTIONS -f $file"
 done
-ORIG_UID_GID="$UID:$UID"
-if [[ "${NEED_ROOT:-}" == 'yes' ]]; then
-    export UID_GID='root:root'
-else
-    # Passing $UID to docker-compose to be used in erlang container
-    # as owner of the main process to avoid git repo permissions issue.
-    # Permissions issue happens because we are mounting local filesystem
-    # where files are owned by $UID to docker container where it's using
-    # root (UID=0) by default, and git is not happy about it.
-    export UID_GID="$ORIG_UID_GID"
-fi
 
-# /emqx is where the source dir is mounted to the Erlang container
-# in .ci/docker-compose-file/docker-compose.yaml
+export DOCKER_USER="$(id -u)"
+
 TTY=''
 if [[ -t 1 ]]; then
     TTY='-t'
 fi
 
-function restore_ownership {
-    if [[ -n ${EMQX_TEST_DO_NOT_RUN_SUDO+x} ]] || ! sudo chown -R "$ORIG_UID_GID" . >/dev/null 2>&1; then
-        docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "chown -R $ORIG_UID_GID /emqx" >/dev/null 2>&1 || true
-    fi
-}
-
-restore_ownership
-trap restore_ownership EXIT
-
-
 if [ "$STOP" = 'no' ]; then
     # some left-over log file has to be deleted before a new docker-compose up
     rm -f '.ci/docker-compose-file/redis/*.log'
@@ -216,11 +192,10 @@ if [ "$STOP" = 'no' ]; then
     $DC $F_OPTIONS up -d --build --remove-orphans
 fi
 
-echo "Fixing file owners and permissions for $UID_GID"
-# rebar and hex cache directory need to be writable by $UID
-docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $UID_GID /.cache && chown -R $UID_GID /emqx/.git /emqx/.ci /emqx/_build/default/lib"
-# need to initialize .erlang.cookie manually here because / is not writable by $UID
-docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $UID_GID /.erlang.cookie && chmod 0400 /.erlang.cookie"
+# rebar and hex cache directory need to be writable by $DOCKER_USER
+docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "mkdir -p /.cache && chown $DOCKER_USER /.cache"
+# need to initialize .erlang.cookie manually here because / is not writable by $DOCKER_USER
+docker exec -i $TTY -u root:root "$ERLANG_CONTAINER" bash -c "openssl rand -base64 16 > /.erlang.cookie && chown $DOCKER_USER /.erlang.cookie && chmod 0400 /.erlang.cookie"
 
 if [ "$ONLY_UP" = 'yes' ]; then
     exit 0
@@ -242,7 +217,6 @@ else
         docker exec -e IS_CI="$IS_CI" -e PROFILE="$PROFILE" -i $TTY "$ERLANG_CONTAINER" bash -c "./rebar3 ct $REBAR3CT"
     fi
     RESULT=$?
-    restore_ownership
     if [ $RESULT -ne 0 ]; then
         LOG='_build/test/logs/docker-compose.log'
         echo "Dumping docker-compose log to $LOG"