Allow Docker images to run with anon, without a config file.

Provide a mechanism for Docker users to run a broker that doesn't use authentication, without having to provide their own configuration file. Closes #2040.
eclipse · Feb 25, 2021 · 12ff9d5 · 12ff9d5
1 parent 9b08faf
commit 12ff9d5
Show file tree

Hide file tree

Showing 9 changed files with 115 additions and 6 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -16,6 +16,11 @@ Clients:
 - Fix possible loss of data in `mosquitto_pub -l` when sending multiple long
  lines. Closes #2078.
 
+Build:
+- Provide a mechanism for Docker users to run a broker that doesn't use
+ authentication, without having to provide their own configuration file.
+ Closes #2040.
+
 
 2.0.7 - 2021-02-04
 ==================

diff --git a/docker/2.0-openssl/Dockerfile b/docker/2.0-openssl/Dockerfile
@@ -106,7 +106,7 @@ RUN set -x && \
 VOLUME ["/mosquitto/data", "/mosquitto/log"]
 
 # Set up the entry point script and default command
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh mosquitto-no-auth.conf /
 EXPOSE 1883
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf"]
diff --git a/docker/2.0-openssl/README.md b/docker/2.0-openssl/README.md
@@ -18,13 +18,53 @@ Two docker volumes have been created in the image to be used for persistent stor
 The image runs mosquitto under the mosquitto user and group, which are created
 with a uid and gid of 1883.
 
+## Running without a configuration file
+Mosquitto 2.0 requires you to configure listeners and authentication before it
+will allow connections from anything other than the loopback interface. In the
+context of a container, this means you would normally need to provide a
+configuration file with your settings.
+
+If you wish to run mosquitto without any authentication, and without setting
+any other configuration options, you can do so by setting an environment
+variable when creating the container: `NO_AUTHENTICATION=1`. Doing this will
+ignore any configuration file you provide.
+
+```
+docker run -it -p 1883:1883 -e NO_AUTHENTICATION=1 eclipse-mosquitto:<version>
+```
+
 ## Configuration
-When creating a container from the image, the default configuration values are used.
 To use a custom configuration file, mount a **local** configuration file to `/mosquitto/config/mosquitto.conf`
+
 ```
 docker run -it -p 1883:1883 -v <absolute-path-to-configuration-file>:/mosquitto/config/mosquitto.conf eclipse-mosquitto:<version>
 ```
 
+Your configuration file must include a `listener`, and you must configure some
+form of authentication or allow unauthenticated access. If you do not do this,
+clients will be unable to connect.
+
+
+File based authentication and authorisation:
+```
+listener 1883
+password_file /mosquitto/data/mosquitto.password_file
+acl_file /mosquitto/data/mosquitto.aclfile
+```
+
+Plugin based authentication and authorisation:
+```
+listener 1883
+plugin /usr/lib/mosquitto_dynamic_security.so
+plugin_opt_config_file /mosquitto/data/mosquitto-dynsec.json
+```
+
+Unauthenticated access:
+```
+listener 1883
+allow_anonymous true
+```
+
 :boom: if the mosquitto configuration (mosquitto.conf) was modified
 to use non-default ports, the docker run command will need to be updated
 to expose the ports that have been configured, for example:

diff --git a/docker/2.0-openssl/docker-entrypoint.sh b/docker/2.0-openssl/docker-entrypoint.sh
@@ -7,4 +7,11 @@ if [ "$user" = '0' ]; then
  [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
 fi
 
-exec "$@"
+if [ "$NO_AUTHENTICATION" = "1" ] && [ "$*" = '/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf' ]; then
+ # The user wants to run Mosquitto with no authentication, but without
+ # providing a configuration file. Use the pre-provided file for this.
+ exec /usr/sbin/mosquitto -c /mosquitto-no-auth.conf
+else
+ # Execute whatever command is requested
+ exec "$@"
+fi
diff --git a/docker/2.0-openssl/mosquitto-no-auth.conf b/docker/2.0-openssl/mosquitto-no-auth.conf
@@ -0,0 +1,5 @@
+# This is a Mosquitto configuration file that creates a listener on port 1883
+# that allows unauthenticated access.
+
+listener 1883
+allow_anonymous true
diff --git a/docker/2.0/Dockerfile b/docker/2.0/Dockerfile
@@ -108,7 +108,7 @@ RUN set -x && \
 VOLUME ["/mosquitto/data", "/mosquitto/log"]
 
 # Set up the entry point script and default command
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh mosquitto-no-auth.conf /
 EXPOSE 1883
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf"]
diff --git a/docker/2.0/README.md b/docker/2.0/README.md
@@ -18,13 +18,53 @@ Two docker volumes have been created in the image to be used for persistent stor
 The image runs mosquitto under the mosquitto user and group, which are created
 with a uid and gid of 1883.
 
+## Running without a configuration file
+Mosquitto 2.0 requires you to configure listeners and authentication before it
+will allow connections from anything other than the loopback interface. In the
+context of a container, this means you would normally need to provide a
+configuration file with your settings.
+
+If you wish to run mosquitto without any authentication, and without setting
+any other configuration options, you can do so by setting an environment
+variable when creating the container: `NO_AUTHENTICATION=1`. Doing this will
+ignore any configuration file you provide.
+
+```
+docker run -it -p 1883:1883 -e NO_AUTHENTICATION=1 eclipse-mosquitto:<version>
+```
+
 ## Configuration
-When creating a container from the image, the default configuration values are used.
 To use a custom configuration file, mount a **local** configuration file to `/mosquitto/config/mosquitto.conf`
+
 ```
 docker run -it -p 1883:1883 -v <absolute-path-to-configuration-file>:/mosquitto/config/mosquitto.conf eclipse-mosquitto:<version>
 ```
 
+Your configuration file must include a `listener`, and you must configure some
+form of authentication or allow unauthenticated access. If you do not do this,
+clients will be unable to connect.
+
+
+File based authentication and authorisation:
+```
+listener 1883
+password_file /mosquitto/data/mosquitto.password_file
+acl_file /mosquitto/data/mosquitto.aclfile
+```
+
+Plugin based authentication and authorisation:
+```
+listener 1883
+plugin /usr/lib/mosquitto_dynamic_security.so
+plugin_opt_config_file /mosquitto/data/mosquitto-dynsec.json
+```
+
+Unauthenticated access:
+```
+listener 1883
+allow_anonymous true
+```
+
 :boom: if the mosquitto configuration (mosquitto.conf) was modified
 to use non-default ports, the docker run command will need to be updated
 to expose the ports that have been configured, for example:

diff --git a/docker/2.0/docker-entrypoint.sh b/docker/2.0/docker-entrypoint.sh
@@ -7,4 +7,11 @@ if [ "$user" = '0' ]; then
  [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
 fi
 
-exec "$@"
+if [ "$NO_AUTHENTICATION" = "1" ] && [ "$*" = '/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf' ]; then
+ # The user wants to run Mosquitto with no authentication, but without
+ # providing a configuration file. Use the pre-provided file for this.
+ exec /usr/sbin/mosquitto -c /mosquitto-no-auth.conf
+else
+ # Execute whatever command is requested
+ exec "$@"
+fi
diff --git a/docker/2.0/mosquitto-no-auth.conf b/docker/2.0/mosquitto-no-auth.conf
@@ -0,0 +1,5 @@
+# This is a Mosquitto configuration file that creates a listener on port 1883
+# that allows unauthenticated access.
+
+listener 1883
+allow_anonymous true