diff --git a/.docker/Dockerfile b/.docker/Dockerfile
index b01727d..838c2d9 100644
--- a/.docker/Dockerfile
+++ b/.docker/Dockerfile
@@ -26,48 +26,18 @@ WORKDIR /app
 COPY . .
 RUN cargo build --release
-# Stage 5: Annotate the base image with OCI Image Annotations, also install runtime-dependencies
-FROM ${BASE_IMAGE} AS annotated_base_image
+# Stage 5: Install runtime-dependencies in the base image
+FROM ${BASE_IMAGE} AS base_image_with_dependencies
 RUN apt-get update && apt-get install -y iproute2 && rm -rf /var/lib/apt/lists/*
-ARG VERSION
-ARG REF_NAME
-ARG BUILD_DATE
-ARG VCS_REF
-ARG AUTHORS="Karolin Varner , wucke13 "
-ARG URL="https://rosenpass.eu/"
-ARG DOCUMENTATION="https://rosenpass.eu/docs/"
-ARG SOURCE="https://github.com/rosenpass/rosenpass"
-ARG VENDOR="Rosenpass e.V."
-ARG LICENSES="MIT OR Apache-2.0"
-ARG TITLE="Rosenpass"
-ARG DESCRIPTION
-ARG BASE_DIGEST
-ARG BASE_IMAGE
-LABEL org.opencontainers.image.created=${BUILD_DATE} \
- org.opencontainers.image.authors=${AUTHORS} \
- org.opencontainers.image.url=${URL} \
- org.opencontainers.image.documentation=${DOCUMENTATION} \
- org.opencontainers.image.source=${SOURCE} \
- org.opencontainers.image.version=${VERSION} \
- org.opencontainers.image.revision=${VCS_REF} \
- org.opencontainers.image.vendor=${VENDOR} \
- org.opencontainers.image.licenses=${LICENSES} \
- org.opencontainers.image.ref.name=${REF_NAME} \
- org.opencontainers.image.title=${TITLE} \
- org.opencontainers.image.description=${DESCRIPTION} \
- org.opencontainers.image.base.digest=${BASE_DIGEST} \
- org.opencontainers.image.base.name=${BASE_IMAGE}
-
-
 # Final Stage (rosenpass): Copy the rosenpass binary
-FROM annotated_base_image AS rosenpass
+FROM base_image_with_dependencies AS rosenpass
 COPY --from=builder /app/target/release/rosenpass /usr/local/bin/rosenpass
 ENTRYPOINT [ "/usr/local/bin/rosenpass" ]
 # Final Stage (rp): Copy the rp binary
-FROM annotated_base_image AS rp
+FROM base_image_with_dependencies AS rp
 RUN apt-get update && apt-get install -y wireguard && rm -rf /var/lib/apt/lists/*
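Review bot: Neither runtime stage sets a `USER`, so the `rosenpass` and `rp` images both run their entrypoint as root; `rp` needs that for WireGuard, but the `rosenpass` stage is documented in USAGE.md for standalone key exchange into an outfile and could drop privileges with `RUN useradd --system --uid 10001 --no-create-home rosenpass` and `USER rosenpass` placed before its `ENTRYPOINT`, provided the default listen port and the outfile directory are usable by an unprivileged uid — worth confirming against the tool's defaults. The `apt-get install -y iproute2` line in the new base stage and the `wireguard` install in the `rp` stage both pull recommended packages; `--no-install-recommends` would trim the runtime image, after checking that `rp` does not rely at runtime on a recommended package such as `nftables`/`iptables`. Dropping `org.opencontainers.image.base.digest` and `org.opencontainers.image.base.name` removes base-image provenance from the published images unless the workflow's `labels:` input re-adds them, which this hunk does not show. The `rp` stage continues past the end of the hunk.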
diff --git a/.docker/README.md b/.docker/USAGE.md
similarity index 56%
rename from .docker/README.md
rename to .docker/USAGE.md
index 7292f2c..8999051 100644
--- a/.docker/README.md
+++ b/.docker/USAGE.md
@@ -1,57 +1,14 @@ -# Rosenpass +# Rosenpass in Docker -Rosenpass is used to create post-quantum-secure VPNs. Rosenpass computes a shared key, [Wireguard](https://www.wireguard.com/papers/wireguard.pdf) uses the shared key to establish a secure connection. Rosenpass can also be used without WireGuard, deriving post-quantum-secure symmetric keys for another application. -The Rosenpass protocol builds on “Post-quantum WireGuard” ([PQWG](https://eprint.iacr.org/2020/379)) and improves it by using a cookie mechanism to provide security against state disruption attacks. +Rosenpass provides post-quantum-secure key exchange for VPNs. It generates symmetric keys used by [WireGuard](https://www.wireguard.com/papers/wireguard.pdf) or other applications. The protocol enhances "Post-Quantum WireGuard" ([PQWG](https://eprint.iacr.org/2020/379)) with a cookie mechanism for better security against state disruption attacks. -The rosenpass tool is written in Rust and uses liboqs. The tool establishes a symmetric key and provides it to WireGuard. Since it supplies WireGuard with key through the PSK feature using Rosenpass+WireGuard is cryptographically no less secure than using WireGuard on its own ("hybrid security"). Rosenpass refreshes the symmetric key every two minutes. +Prebuilt Docker images are available for easy deployment: -As with any application a small risk of critical security issues (such as buffer overflows, remote code execution) exists; the Rosenpass application is written in the Rust programming language which is much less prone to such issues. Rosenpass can also write keys to files instead of supplying them to WireGuard With a bit of scripting the stand alone mode of the implementation can be used to run the application in a Container, VM or on another host. This mode can also be used to integrate tools other than WireGuard with Rosenpass. 
+- [`ghcr.io/rosenpass/rosenpass`](https://github.com/rosenpass/rosenpass/pkgs/container/rosenpass) – the core key exchange tool +- [`ghcr.io/rosenpass/rp`](https://github.com/rosenpass/rosenpass/pkgs/container/rp) – a frontend for setting up WireGuard VPNs -The `rp` tool written in Rust makes it easy to create a VPN using WireGuard and Rosenpass. - -`rp` is easy to get started with but has a few drawbacks; it runs as root, demanding access to both WireGuard -and Rosenpass private keys, takes control of the interface and works with exactly one interface. If you do not feel confident about running Rosenpass as root, you should use the stand-alone mode to create a more secure setup using containers, jails, or virtual machines. - -## Building the Docker Image - -Clone the Rosenpass repository: - -``` -git clone https://github.com/rosenpass/rosenpass -cd rosenpass -``` - -Use the `docker-buildscript.sh` script to build images from the source. - -```bash -bash docker-buildscript.sh -docker images - -| REPOSITORY | TAG | IMAGE ID | CREATED | SIZE | -|------------------------------|------------------|----------------|-----------------|--------| -| ghcr.io/rosenpass/rp | commit-aeb0671 | dc2997662d2c | 9 hours ago | 93.2MB | -| ghcr.io/rosenpass/rosenpass | commit-aeb0671 | 65ccc5e5b9fb | 9 hours ago | 93.6MB | -``` - -Set environment variable `TAG_AS_RELEASE=true` to tag the built images with the current versions. - -Set environment variable `TAG_AS_LATEST=true` to tag the built images as latest. 
- -```bash -export TAG_AS_RELEASE=true -export TAG_AS_LATEST=true -bash docker-buildscript.sh -docker images - -| REPOSITORY | TAG | IMAGE ID | CREATED | SIZE | -|-----------------------------|----------------|--------------|-------------|--------| -| ghcr.io/rosenpass/rp | 0.2.1 | 253338c948ab | 9 hours ago | 93.2MB | -| ghcr.io/rosenpass/rp | commit-05f0ac0 | 253338c948ab | 9 hours ago | 93.2MB | -| ghcr.io/rosenpass/rp | latest | 253338c948ab | 9 hours ago | 93.2MB | -| ghcr.io/rosenpass/rosenpass | 0.3.0-dev | 6958e24fd240 | 9 hours ago | 93.6MB | -| ghcr.io/rosenpass/rosenpass | commit-05f0ac0 | 6958e24fd240 | 9 hours ago | 93.6MB | -| ghcr.io/rosenpass/rosenpass | latest | 6958e24fd240 | 9 hours ago | 93.6MB | -``` +The entrypoint of the `rosenpass` image is the `rosenpass` executable, whose documentation can be found [here](https://rosenpass.eu/docs/rosenpass-tool/manuals/rp_manual/). +Similarly, the entrypoint of the `rp` image is the `rp` executable, with its documentation available [here](https://rosenpass.eu/docs/rosenpass-tool/manuals/rp1/). ## Usage - Standalone Key Exchange @@ -116,14 +73,15 @@ Now the containers will exchange shared keys and each put them into their respec Comparing the outfiles shows that these shared keys equal: ```bash -cmp workdir/server-sharedkey workdir/client-sharedkey +cmp workdir-server/server-sharedkey workdir-client/client-sharedkey ``` It is now possible to set add these keys as pre-shared keys within a wireguard interface. +For example as the server, ```bash -PREKEY=$(cat workdir/client-sharedkey) -wg set peer preshared-key <(echo "$PREKEY") +PREKEY=$(cat workdir-server/server-sharedkey) +wg set peer preshared-key <(echo "$PREKEY") ``` ## Usage - Combined with wireguard 
@@ -158,8 +116,8 @@ docker run -it --rm -v ./workdir-client:/workdir ghcr.io/rosenpass/rp \ pubkey workdir/client.rosenpass-secret workdir/client.rosenpass-public # share the public keys between client and server -cp workdir-client/client.rosenpass-public workdir-server/client.rosenpass-public -cp workdir-server/server.rosenpass-public workdir-client/server.rosenpass-public +cp -r workdir-client/client.rosenpass-public workdir-server/client.rosenpass-public +cp -r workdir-server/server.rosenpass-public workdir-client/server.rosenpass-public ``` Start the server container. @@ -223,14 +181,23 @@ While the ping is running, you may stop the server container, and verify that th docker stop -t 1 rpserver ``` -## Contributing +## Building the Docker Images Locally -The rosenpass project is maintained on [Github](https://github.com/rosenpass/rosenpass). +Clone the Rosenpass repository: -Contributions are generally welcome. Join our [Matrix Chat](https://matrix.to/#/#rosenpass:matrix.org) if you are looking for guidance on how to contribute or for people to collaborate with. +``` +git clone https://github.com/rosenpass/rosenpass +cd rosenpass +``` -We also have a – as of now, very minimal – [contributors guide](https://github.com/rosenpass/rosenpass/blob/main/CONTRIBUTING.md). +Build the rp image from the root of the repository as follows: -## Acknowledgements +``` +docker build -f .docker/Dockerfile -t ghcr.io/rosenpass/rp --target rp . +``` -Funded through NLNet with financial support for the European Commission's NGI Assure program. +Build the rosenpass image from the root of the repostiry with the following command: + +``` +docker build -f .docker/Dockerfile -t ghcr.io/rosenpass/rosenpass --target rosenpass . +``` diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index c61376d..88bf15b 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -1,4 +1,4 @@ -name: ci +name: Build Docker Images on: push: 
@@ -12,7 +12,12 @@ on: jobs: docker-image-rp: - runs-on: ubuntu-latest + # Use a matrix to build for both AMD64 and ARM64 + strategy: + matrix: + arch: [amd64, arm64] + # Switch the runner based on the architecture + runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-latest-arm64' || 'ubuntu-latest' }} steps: - name: Checkout uses: actions/checkout@v4 @@ -37,8 +42,6 @@ jobs: org.opencontainers.image.source=https://github.com/rosenpass/rosenpass - name: Log in to registry run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build and push @@ -50,9 +53,14 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} target: rp - platforms: amd64,arm64 + platforms: linux/${{ matrix.arch }} docker-image-rosenpass: - runs-on: ubuntu-latest + # Use a matrix to build for both AMD64 and ARM64 + strategy: + matrix: + arch: [amd64, arm64] + # Switch the runner based on the architecture + runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-latest-arm64' || 'ubuntu-latest' }} steps: - name: Checkout uses: actions/checkout@v4 @@ -90,4 +98,4 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} target: rosenpass - platforms: amd64,arm64 + platforms: linux/${{ matrix.arch }} diff --git a/readme.md b/readme.md index 8975ce5..bfaf7ff 100644 --- a/readme.md +++ b/readme.md 
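Review bot: With the matrix split, the two `docker-image-rp` jobs (and likewise the two `docker-image-rosenpass` jobs) each push a single-platform image under the same `tags: ${{ steps.meta.outputs.tags }}`, so whichever architecture finishes last overwrites the tag and a pull on the other architecture gets a manifest that does not match the host — the replaced `platforms: amd64,arm64` produced one manifest list, which this change loses, assuming the "Build and push" step still pushes as its name says. The usual fix is to push each per-arch build by digest only (`outputs: type=image,name=ghcr.io/rosenpass/rp,push-by-digest=true,name-canonical=true,push=true`, dropping `tags:` from the matrix job) and add a `needs:` merge job that attaches the metadata-action tags with `docker buildx imagetools create`; a sketch follows, with the digest hand-off between jobs (normally an uploaded artifact) omitted. Separately, `ubuntu-latest-arm64` is not one of GitHub's documented hosted-runner labels (the public arm64 labels are of the form `ubuntu-24.04-arm`), so unless the organisation defines a runner with that label the arm64 jobs will queue indefinitely — worth confirming. The `docker-image-rosenpass` job's steps continue past the end of the hunk.

```yaml
      - name: Build and push
        # … unchanged: uses, context, labels …
        with:
          target: rp
          platforms: linux/${{ matrix.arch }}
          # push per-arch images by digest only; tags are attached once by the merge job
          outputs: type=image,name=ghcr.io/rosenpass/rp,push-by-digest=true,name-canonical=true,push=true

  merge-rp:
    runs-on: ubuntu-latest
    needs: docker-image-rp
    steps:
      # … log in to ghcr.io and run docker/metadata-action (id: meta) as in the build job …
      - name: Create multi-arch manifest list
        run: |
          docker buildx imagetools create $(printf -- '-t %s ' ${{ steps.meta.outputs.tags }}) \
            ghcr.io/rosenpass/rp@"$AMD64_DIGEST" ghcr.io/rosenpass/rp@"$ARM64_DIGEST"
```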
@@ -78,6 +78,15 @@ Rosenpass is packaged for more and more distributions, maybe also for the distri [![Packaging status](https://repology.org/badge/vertical-allrepos/rosenpass.svg)](https://repology.org/project/rosenpass/versions) +## Docker Images + +Rosenpass is also available as prebuilt Docker images: + +- [`ghcr.io/rosenpass/rosenpass`](https://github.com/rosenpass/rosenpass/pkgs/container/rosenpass) +- [`ghcr.io/rosenpass/rp`](https://github.com/rosenpass/rosenpass/pkgs/container/rp) + +For details on how to use these images, refer to the [Docker usage guide](.docker/USAGE.md). + # Mirrors Don't want to use GitHub or only have an IPv6 connection? Rosenpass has set up two mirrors for this: