[docker] reduce image sz with keygen script. (#94)

* add script to generate tessera keys using openssl.
* no longer need to install java and tessera in container image.
* check if the env has the tessera jar setup, e.g. local dev, and
  use tessera to generate keys if they do.
* image size 1.71GB -> 1.33GB.

Co-authored-by: Nicolae Leonte <[email protected]>

.dockerignore

@@ -7,3 +7,4 @@ qubernetes.yaml
 nodes.yaml
 docs
 scratch
+monitor

Dockerfile

@@ -7,15 +7,15 @@ ARG BUILD_DATE=""
 # Label according to  https://github.com/opencontainers/image-spec
 LABEL org.opencontainers.image.created=${BUILD_DATE}
 LABEL org.opencontainers.image.revision=${COMMIT}
-LABEL org.opencontainers.image.source="https://github.com/jpmorganchase/qubernetes.git"
+LABEL org.opencontainers.image.source="https://github.com/ConsenSys/qubernetes.git"
 LABEL org.opencontainers.image.title="qubernetes"
 LABEL org.opencontainers.image.version=${QUBES_VERSION}
 
 RUN apt-get update
 
 # set tzdata non-interactive https://serverfault.com/questions/949991/how-to-install-tzdata-on-a-ubuntu-docker-image
 # for now need musl-dev for geneating account key from the private key
-RUN DEBIAN_FRONTEND="noninteractive" TZ="America/New_York" apt-get install -y ruby-full golang-go git make musl-dev
+RUN DEBIAN_FRONTEND="noninteractive" TZ="America/New_York" apt-get install -y ruby-full golang-go git make musl-dev xxd
 RUN gem install colorize
 
 RUN go get github.com/getamis/istanbul-tools/cmd/istanbul
@@ -28,12 +28,6 @@ RUN go get github.com/getamis/istanbul-tools/cmd/istanbul && git clone https://g
     cp /root/go/bin/* /usr/local/bin && \
     rm -r /root/go
 
-RUN apt-get --no-install-recommends install -y default-jre wget
-RUN echo 'alias tessera="java -jar /usr/bin/tessera-app-0.10.5-app.jar"' >> ~/.bashrc
-ENV TESSERA_JAR=/usr/bin/tessera-app-0.10.5-app.jar
-
-# echo | tessera keygen --keyout tm
-RUN cd /usr/bin && wget https://oss.sonatype.org/service/local/repositories/releases/content/com/jpmorgan/quorum/tessera-app/0.10.5/tessera-app-0.10.5-app.jar
 RUN apt-get remove -y git golang-go wget make
 # uninstall rake
 RUN gem uninstall --no-executables -i /usr/share/rubygems-integration/all rake && rm /usr/bin/rake

templates/quorum/gen-keys.sh.erb

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-
-
-
 <% @Node_Dirs = "" %>
 
 <%- @nodes.each do |node|
@@ -19,10 +16,18 @@ BASE_DIR=<%= @Key_Dir_Base %>
 <%- else %>
 BASE_DIR=$(pwd)/<%= @Key_Dir_Base %>
 <%- end %>
-TESSERA_KEY_GEN_CMD="java -jar ${TESSERA_JAR} keygen --keyout tm"
+
+# try to use openSSL to generate tessera keys, used in docker container.
+TESSERA_KEY_GEN_CMD="$(pwd)/templates/quorum/tessera-keygen.sh --keyName tm"
+# however, if TESSERA_JAR env var is set, then use tessera to generate the key, e.g. on mac or other local env.
+if [[ -n  "$TESSERA_JAR" ]]; then
+  TESSERA_KEY_GEN_CMD="java -jar ${TESSERA_JAR} keygen --keyout tm"
+fi
+
 mkdir -p $BASE_DIR
 IFS=', ' read -r -a array <<< "$NODE_DIRS"
 
+
 for node_key_dir in "${array[@]}"; do
   KEY_DIR=$BASE_DIR/$node_key_dir
   echo "KEY DIR IS $KEY_DIR"
@@ -33,9 +38,11 @@ for node_key_dir in "${array[@]}"; do
     shopt -s expand_aliases
     mkdir -p $KEY_DIR
     cd $KEY_DIR
-    #echo | constellation-node --generatekeys=tm
-    #echo | tessera --keyout tm
-    echo | $TESSERA_KEY_GEN_CMD
+    if [[ -n  TESSERA_JAR ]]; then
+      echo | $TESSERA_KEY_GEN_CMD
+    else
+      $TESSERA_KEY_GEN_CMD
+    fi
     touch password.txt
     #geth account new --keystore $KEY_DIR --password password.txt
     ethkey generate $KEY_DIR/acctkeyfile.json --passwordfile password.txt

templates/quorum/tessera-keygen.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+function usage() {
+  echo ""
+  echo "Usage:"
+  echo "    $0 [--keyName fileNamePrefix] [--keepOpenSSLFiles]"
+  echo ""
+  echo "Where:"
+  echo "    --keyName specifies the prefix to the generated public(.pub)/private(.key) key files"
+  echo "    --keepOpenSSLFiles doesn't delete the intermediary openssl public/private keys"
+  echo ""
+  exit -1
+}
+
+keepOpenSSLFiles=false
+
+while (("$#")); do
+  case "$1" in
+  --keyName)
+    keyName=$2
+    shift 2
+    ;;
+  --keepOpenSSLFiles)
+    keepOpenSSLFiles=true
+    shift 1
+    ;;
+  --help)
+    shift
+    usage
+    ;;
+  *)
+    echo "Error: Unsupported command line parameter $1"
+    usage
+    ;;
+  esac
+done
+
+if [ "$keyName" == "" ]; then
+  echo "Error: Please specify a key name prefix."
+  exit -1
+fi
+
+#TODO - check whether any files may be overwritten by the script
+#TODO - check that all the utilities are available and have the necessary versions
+
+echo "Key name prefix:" $keyName
+echo "keepOpenSSLFiles:" $keepOpenSSLFiles
+
+openSSLPrivateKeyFile="$keyName-ossl.key"
+
+openssl genpkey -algorithm x25519 -out $openSSLPrivateKeyFile
+
+openSSLHexOut="$keyName-ossl.text"
+
+openssl pkey -in $openSSLPrivateKeyFile -text >$openSSLHexOut
+
+cat $openSSLHexOut
+#sed picks up the relevant lines from the output (6-8 for the public key and 10-12 for the private key)
+#tr removes any spaces/:/EOL characters and leaves just the alphanumeric ones
+#xxd converts the hex input to binary output
+#base64 converts the binary input to based64 encoded output
+privateKey=$(sed -n '6,8 p' $openSSLHexOut | tr -cd '[:alnum:]' | xxd -r -p | base64)
+publicKey=$(sed -n '10,12 p' $openSSLHexOut | tr -cd '[:alnum:]' | xxd -r -p | base64)
+
+publicKeyFile="$keyName.pub"
+privateKeyFile="$keyName.key"
+
+#using printf in order to avoid the newline that echo adds
+printf "$publicKey" >$publicKeyFile
+printf "{\"data\":{\"bytes\":\"$privateKey\"},\"type\":\"unlocked\"}" >$privateKeyFile
+
+if [ "${keepOpenSSLFiles}" == "false" ]; then
+  rm $openSSLPrivateKeyFile $openSSLHexOut
+fi