Added --rocksdb.encryption-keyfile option

Author: ewoutp

CHANGELOG.md

@@ -1,5 +1,6 @@
 # Changes from version 0.7.0 to master
 
+- Added `--rocksdb.encryption-keyfile` option.
 - Added pass through options. See README.
 - Changed `--data.dir` option to `--starter.data-dir`
 

main.go

@@ -60,40 +60,41 @@ var (
 		Short: "Start ArangoDB clusters & single servers with ease",
 		Run:   cmdMainRun,
 	}
-	log                  = logging.MustGetLogger(projectName)
-	id                   string
-	agencySize           int
-	arangodPath          string
-	arangodJSPath        string
-	masterPort           int
-	rrPath               string
-	startCoordinator     bool
-	startDBserver        bool
-	startLocalSlaves     bool
-	mode                 string
-	dataDir              string
-	ownAddress           string
-	masterAddress        string
-	verbose              bool
-	serverThreads        int
-	serverStorageEngine  string
-	allPortOffsetsUnique bool
-	jwtSecretFile        string
-	sslKeyFile           string
-	sslAutoKeyFile       bool
-	sslAutoServerName    string
-	sslAutoOrganization  string
-	sslCAFile            string
-	dockerEndpoint       string
-	dockerImage          string
-	dockerStarterImage   = defaultDockerStarterImage
-	dockerUser           string
-	dockerContainerName  string
-	dockerGCDelay        time.Duration
-	dockerNetHost        bool // Deprecated
-	dockerNetworkMode    string
-	dockerPrivileged     bool
-	passthroughOptions   = make(map[string]*service.PassthroughOption)
+	log                      = logging.MustGetLogger(projectName)
+	id                       string
+	agencySize               int
+	arangodPath              string
+	arangodJSPath            string
+	masterPort               int
+	rrPath                   string
+	startCoordinator         bool
+	startDBserver            bool
+	startLocalSlaves         bool
+	mode                     string
+	dataDir                  string
+	ownAddress               string
+	masterAddress            string
+	verbose                  bool
+	serverThreads            int
+	serverStorageEngine      string
+	allPortOffsetsUnique     bool
+	jwtSecretFile            string
+	sslKeyFile               string
+	sslAutoKeyFile           bool
+	sslAutoServerName        string
+	sslAutoOrganization      string
+	sslCAFile                string
+	rocksDBEncryptionKeyFile string
+	dockerEndpoint           string
+	dockerImage              string
+	dockerStarterImage       = defaultDockerStarterImage
+	dockerUser               string
+	dockerContainerName      string
+	dockerGCDelay            time.Duration
+	dockerNetHost            bool // Deprecated
+	dockerNetworkMode        string
+	dockerPrivileged         bool
+	passthroughOptions       = make(map[string]*service.PassthroughOption)
 
 	maskAny = errors.WithStack
 )
@@ -121,6 +122,7 @@ func init() {
 	f.StringVar(&rrPath, "server.rr", "", "Path of rr")
 	f.IntVar(&serverThreads, "server.threads", 0, "Adjust server.threads of each server")
 	f.StringVar(&serverStorageEngine, "server.storage-engine", "mmfiles", "Type of storage engine to use (mmfiles|rocksdb) (3.2 and up)")
+	f.StringVar(&rocksDBEncryptionKeyFile, "rocksdb.encryption-keyfile", "", "Key file used for RocksDB encryption. (Enterprise Edition 3.2 and up)")
 
 	f.StringVar(&dockerEndpoint, "docker.endpoint", "unix:///var/run/docker.sock", "Endpoint used to reach the docker daemon")
 	f.StringVar(&dockerImage, "docker.image", getEnvVar("DOCKER_IMAGE", ""), "name of the Docker image to use to launch arangod instances (leave empty to avoid using docker)")
@@ -358,6 +360,7 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 	jwtSecretFile = mustExpand(jwtSecretFile)
 	sslKeyFile = mustExpand(sslKeyFile)
 	sslCAFile = mustExpand(sslCAFile)
+	rocksDBEncryptionKeyFile = mustExpand(rocksDBEncryptionKeyFile)
 
 	// Check database executable
 	if !runningInDocker {
@@ -420,37 +423,38 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 
 	// Create service
 	serviceConfig := service.Config{
-		ID:                   id,
-		Mode:                 mode,
-		AgencySize:           agencySize,
-		ArangodPath:          arangodPath,
-		ArangodJSPath:        arangodJSPath,
-		MasterPort:           masterPort,
-		RrPath:               rrPath,
-		StartCoordinator:     startCoordinator,
-		StartDBserver:        startDBserver,
-		StartLocalSlaves:     startLocalSlaves,
-		DataDir:              dataDir,
-		OwnAddress:           ownAddress,
-		MasterAddress:        masterAddress,
-		Verbose:              verbose,
-		ServerThreads:        serverThreads,
-		ServerStorageEngine:  serverStorageEngine,
-		AllPortOffsetsUnique: allPortOffsetsUnique,
-		JwtSecret:            jwtSecret,
-		SslKeyFile:           sslKeyFile,
-		SslCAFile:            sslCAFile,
-		RunningInDocker:      isRunningInDocker(),
-		DockerContainerName:  dockerContainerName,
-		DockerEndpoint:       dockerEndpoint,
-		DockerImage:          dockerImage,
-		DockerStarterImage:   dockerStarterImage,
-		DockerUser:           dockerUser,
-		DockerGCDelay:        dockerGCDelay,
-		DockerNetworkMode:    dockerNetworkMode,
-		DockerPrivileged:     dockerPrivileged,
-		ProjectVersion:       projectVersion,
-		ProjectBuild:         projectBuild,
+		ID:                       id,
+		Mode:                     mode,
+		AgencySize:               agencySize,
+		ArangodPath:              arangodPath,
+		ArangodJSPath:            arangodJSPath,
+		MasterPort:               masterPort,
+		RrPath:                   rrPath,
+		StartCoordinator:         startCoordinator,
+		StartDBserver:            startDBserver,
+		StartLocalSlaves:         startLocalSlaves,
+		DataDir:                  dataDir,
+		OwnAddress:               ownAddress,
+		MasterAddress:            masterAddress,
+		Verbose:                  verbose,
+		ServerThreads:            serverThreads,
+		ServerStorageEngine:      serverStorageEngine,
+		AllPortOffsetsUnique:     allPortOffsetsUnique,
+		JwtSecret:                jwtSecret,
+		SslKeyFile:               sslKeyFile,
+		SslCAFile:                sslCAFile,
+		RocksDBEncryptionKeyFile: rocksDBEncryptionKeyFile,
+		RunningInDocker:          isRunningInDocker(),
+		DockerContainerName:      dockerContainerName,
+		DockerEndpoint:           dockerEndpoint,
+		DockerImage:              dockerImage,
+		DockerStarterImage:       dockerStarterImage,
+		DockerUser:               dockerUser,
+		DockerGCDelay:            dockerGCDelay,
+		DockerNetworkMode:        dockerNetworkMode,
+		DockerPrivileged:         dockerPrivileged,
+		ProjectVersion:           projectVersion,
+		ProjectBuild:             projectBuild,
 	}
 	for _, ptOpt := range passthroughOptions {
 		serviceConfig.PassthroughOptions = append(serviceConfig.PassthroughOptions, *ptOpt)

service/arangodb.go

@@ -50,27 +50,28 @@ const (
 
 // Config holds all configuration for a single service.
 type Config struct {
-	ID                   string // Unique identifier of this peer
-	Mode                 string // Service mode cluster|single
-	AgencySize           int
-	ArangodPath          string
-	ArangodJSPath        string
-	MasterPort           int
-	RrPath               string
-	StartCoordinator     bool
-	StartDBserver        bool
-	StartLocalSlaves     bool // If set, start sufficient slave (Service's) locally.
-	DataDir              string
-	OwnAddress           string // IP address of used to reach this process
-	MasterAddress        string
-	Verbose              bool
-	ServerThreads        int    // If set to something other than 0, this will be added to the commandline of each server with `--server.threads`...
-	ServerStorageEngine  string // mmfiles | rocksdb
-	AllPortOffsetsUnique bool   // If set, all peers will get a unique port offset. If false (default) only portOffset+peerAddress pairs will be unique.
-	JwtSecret            string
-	SslKeyFile           string // Path containing an x509 certificate + private key to be used by the servers.
-	SslCAFile            string // Path containing an x509 CA certificate used to authenticate clients.
-	PassthroughOptions   []PassthroughOption
+	ID                       string // Unique identifier of this peer
+	Mode                     string // Service mode cluster|single
+	AgencySize               int
+	ArangodPath              string
+	ArangodJSPath            string
+	MasterPort               int
+	RrPath                   string
+	StartCoordinator         bool
+	StartDBserver            bool
+	StartLocalSlaves         bool // If set, start sufficient slave (Service's) locally.
+	DataDir                  string
+	OwnAddress               string // IP address of used to reach this process
+	MasterAddress            string
+	Verbose                  bool
+	ServerThreads            int    // If set to something other than 0, this will be added to the commandline of each server with `--server.threads`...
+	ServerStorageEngine      string // mmfiles | rocksdb
+	AllPortOffsetsUnique     bool   // If set, all peers will get a unique port offset. If false (default) only portOffset+peerAddress pairs will be unique.
+	JwtSecret                string
+	SslKeyFile               string // Path containing an x509 certificate + private key to be used by the servers.
+	SslCAFile                string // Path containing an x509 CA certificate used to authenticate clients.
+	RocksDBEncryptionKeyFile string // Path containing encryption key for RocksDB encryption.
+	PassthroughOptions       []PassthroughOption
 
 	DockerContainerName string // Name of the container running this process
 	DockerEndpoint      string // Where to reach the docker daemon
@@ -417,6 +418,10 @@ func (s *Service) makeBaseArgs(myHostDir, myContainerDir string, myAddress strin
 		options = append(options,
 			optionPair{"--server.threads", strconv.Itoa(s.ServerThreads)})
 	}
+	if s.RocksDBEncryptionKeyFile != "" {
+		options = append(options,
+			optionPair{"--rocksdb.encryption-keyfile", s.RocksDBEncryptionKeyFile})
+	}
 	myTCPURL := scheme + "://" + net.JoinHostPort(myAddress, myPort)
 	switch serverType {
 	case ServerTypeAgent:
@@ -555,7 +560,7 @@ func (s *Service) startArangod(runner Runner, myHostAddress string, serverType S
 	}
 
 	s.log.Infof("Starting %s on port %d", serverType, myPort)
-	myContainerDir := runner.GetContainerDir(myHostDir)
+	myContainerDir := runner.GetContainerDir(myHostDir, dockerDataDir)
 	args, vols := s.makeBaseArgs(myHostDir, myContainerDir, myHostAddress, strconv.Itoa(myPort), serverType)
 	vols = addDataVolumes(vols, myHostDir, myContainerDir)
 	s.writeCommand(filepath.Join(myHostDir, "arangod_command.txt"), s.serverExecutable(), args)

service/passthrough.go

@@ -49,6 +49,7 @@ var (
 		"database.directory",
 		"javascript.startup-directory",
 		"javascript.app-path",
+		"rocksdb.encryption-keyfile",
 		"server.endpoint",
 		"server.authentication",
 		"server.jwt-secret",

service/runner.go

@@ -30,7 +30,7 @@ type Volume struct {
 
 type Runner interface {
 	// Map the given host directory to a container directory
-	GetContainerDir(hostDir string) string
+	GetContainerDir(hostDir, defaultContainerDir string) string
 
 	// GetRunningServer checks if there is already a server process running in the given server directory.
 	// If that is the case, its process is returned.

service/runner_docker.go

@@ -43,6 +43,7 @@ const (
 	containerFileName    = "CONTAINER"
 	createdByKey         = "created-by"
 	createdByValue       = "arangodb-starter"
+	dockerDataDir        = "/data"
 )
 
 // NewDockerRunner creates a runner that starts processes in a docker container.
@@ -84,11 +85,11 @@ type dockerContainer struct {
 	container *docker.Container
 }
 
-func (r *dockerRunner) GetContainerDir(hostDir string) string {
+func (r *dockerRunner) GetContainerDir(hostDir, defaultContainerDir string) string {
 	if r.volumesFrom != "" {
 		return hostDir
 	}
-	return "/data"
+	return defaultContainerDir
 }
 
 // GetRunningServer checks if there is already a server process running in the given server directory.
@@ -283,7 +284,7 @@ func (r *dockerRunner) CreateStartArangodbCommand(myDataDir string, index int, m
 	}
 	lines := []string{
 		fmt.Sprintf("docker volume create arangodb%d &&", index),
-		fmt.Sprintf("docker run -it --name=adb%d --rm %s -v arangodb%d:/data", index, netArgs, index),
+		fmt.Sprintf("docker run -it --name=adb%d --rm %s -v arangodb%d:%s", index, netArgs, index, dockerDataDir),
 		fmt.Sprintf("-v /var/run/docker.sock:/var/run/docker.sock %s", starterImageName),
 		fmt.Sprintf("--starter.address=%s --starter.join=%s", masterIP, addr),
 	}

service/runner_process.go

@@ -55,7 +55,7 @@ type process struct {
 	isChild bool
 }
 
-func (r *processRunner) GetContainerDir(hostDir string) string {
+func (r *processRunner) GetContainerDir(hostDir, defaultContainerDir string) string {
 	return hostDir
 }