From 12ff9d5e1491b805605d698c198b681db5c1dcbb Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Thu, 25 Feb 2021 13:51:27 +0000
Subject: [PATCH] Allow Docker images to run with anon, without a config file.

Provide a mechanism for Docker users to run a broker that doesn't use authentication, without having to provide their own configuration file. Closes #2040.
---
 ChangeLog.txt | 5 +++
 docker/2.0-openssl/Dockerfile | 2 +-
 docker/2.0-openssl/README.md | 42 ++++++++++++++++++++++-
 docker/2.0-openssl/docker-entrypoint.sh | 9 ++++-
 docker/2.0-openssl/mosquitto-no-auth.conf | 5 +++
 docker/2.0/Dockerfile | 2 +-
 docker/2.0/README.md | 42 ++++++++++++++++++++++-
 docker/2.0/docker-entrypoint.sh | 9 ++++-
 docker/2.0/mosquitto-no-auth.conf | 5 +++
 9 files changed, 115 insertions(+), 6 deletions(-)
 create mode 100644 docker/2.0-openssl/mosquitto-no-auth.conf
 create mode 100644 docker/2.0/mosquitto-no-auth.conf

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 33457bbd..9ef5b707 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -16,6 +16,11 @@ Clients:
 - Fix possible loss of data in `mosquitto_pub -l` when sending multiple long
  lines. Closes #2078.
 
+Build:
+- Provide a mechanism for Docker users to run a broker that doesn't use
+ authentication, without having to provide their own configuration file.
+ Closes #2040.
+
 2.0.7 - 2021-02-04
 ==================
 
diff --git a/docker/2.0-openssl/Dockerfile b/docker/2.0-openssl/Dockerfile
index 6147ba55..ff7892d0 100644
--- a/docker/2.0-openssl/Dockerfile
+++ b/docker/2.0-openssl/Dockerfile
@@ -106,7 +106,7 @@ RUN set -x && \
 VOLUME ["/mosquitto/data", "/mosquitto/log"]
 
 # Set up the entry point script and default command
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh mosquitto-no-auth.conf /
 EXPOSE 1883
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf"]
diff --git a/docker/2.0-openssl/README.md b/docker/2.0-openssl/README.md
index 8a54a86b..cb112131 100644
--- a/docker/2.0-openssl/README.md
+++ b/docker/2.0-openssl/README.md
@@ -18,13 +18,53 @@ Two docker volumes have been created in the image to be used for persistent stor The image runs mosquitto under the mosquitto user and group, which are created with a uid and gid of 1883. +## Running without a configuration file +Mosquitto 2.0 requires you to configure listeners and authentication before it +will allow connections from anything other than the loopback interface. In the +context of a container, this means you would normally need to provide a +configuration file with your settings. + +If you wish to run mosquitto without any authentication, and without setting +any other configuration options, you can do so by setting an environment +variable when creating the container: `NO_AUTHENTICATION=1`. Doing this will +ignore any configuration file you provide. + +``` +docker run -it -p 1883:1883 -e NO_AUTHENTICATION=1 eclipse-mosquitto: +``` + ## Configuration -When creating a container from the image, the default configuration values are used. To use a custom configuration file, mount a **local** configuration file to `/mosquitto/config/mosquitto.conf` + ``` docker run -it -p 1883:1883 -v :/mosquitto/config/mosquitto.conf eclipse-mosquitto: ``` +Your configuration file must include a `listener`, and you must configure some +form of authentication or allow unauthenticated access. If you do not do this, +clients will be unable to connect. 
+ + +File based authentication and authorisation: +``` +listener 1883 +password_file /mosquitto/data/mosquitto.password_file +acl_file /mosquitto/data/mosquitto.aclfile +``` + +Plugin based authentication and authorisation: +``` +listener 1883 +plugin /usr/lib/mosquitto_dynamic_security.so +plugin_opt_config_file /mosquitto/data/mosquitto-dynsec.json +``` + +Unauthenticated access: +``` +listener 1883 +allow_anonymous true +``` + :boom: if the mosquitto configuration (mosquitto.conf) was modified to use non-default ports, the docker run command will need to be updated to expose the ports that have been configured, for example:
diff --git a/docker/2.0-openssl/docker-entrypoint.sh b/docker/2.0-openssl/docker-entrypoint.sh
index 583f67c9..4177b451 100755
--- a/docker/2.0-openssl/docker-entrypoint.sh
+++ b/docker/2.0-openssl/docker-entrypoint.sh
@@ -7,4 +7,11 @@ if [ "$user" = '0' ]; then
 [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
 fi
 
-exec "$@"
+if [ "$NO_AUTHENTICATION" = "1" ] && [ "$*" = '/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf' ]; then
+ # The user wants to run Mosquitto with no authentication, but without
+ # providing a configuration file. Use the pre-provided file for this.
+ exec /usr/sbin/mosquitto -c /mosquitto-no-auth.conf
+else
+ # Execute whatever command is requested
+ exec "$@"
+fi
diff --git a/docker/2.0-openssl/mosquitto-no-auth.conf b/docker/2.0-openssl/mosquitto-no-auth.conf
new file mode 100644
index 00000000..40dd92b9
--- /dev/null
+++ b/docker/2.0-openssl/mosquitto-no-auth.conf
@@ -0,0 +1,5 @@
+# This is a Mosquitto configuration file that creates a listener on port 1883
+# that allows unauthenticated access.
+
+listener 1883
+allow_anonymous true
diff --git a/docker/2.0/Dockerfile b/docker/2.0/Dockerfile
index 56723a17..df43d3b2 100644
--- a/docker/2.0/Dockerfile
+++ b/docker/2.0/Dockerfile
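Review bot: The `NO_AUTHENTICATION` branch swaps the requested config for `/mosquitto-no-auth.conf` (`listener 1883` with `allow_anonymous true` and no bind address, so the listener is reachable on every interface the container exposes) without writing anything to the container log, so an operator who set the variable by mistake or inherited it from a compose file has no record of why the broker is accepting unauthenticated clients; add `echo "NO_AUTHENTICATION=1: starting mosquitto with /mosquitto-no-auth.conf (unauthenticated listener on 1883)" >&2` before the `exec`. The `"$*"` equality test also means the variable only takes effect when the image's default CMD is passed verbatim; any other command silently runs with whatever authentication the supplied config sets, which is narrower than the README's "will ignore any configuration file you provide", so either warn in the `else` branch when `NO_AUTHENTICATION` is set or document the exact condition. The same applies to the identical hunk in docker/2.0/docker-entrypoint.sh. The script's head, including the `if [ "$user" = '0' ]` block whose closing `fi` is the hunk's context, starts outside the hunk.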
@@ -108,7 +108,7 @@ RUN set -x && \
 VOLUME ["/mosquitto/data", "/mosquitto/log"]
 
 # Set up the entry point script and default command
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh mosquitto-no-auth.conf /
 EXPOSE 1883
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf"]
diff --git a/docker/2.0/README.md b/docker/2.0/README.md
index 8a54a86b..cb112131 100644
--- a/docker/2.0/README.md
+++ b/docker/2.0/README.md
@@ -18,13 +18,53 @@ Two docker volumes have been created in the image to be used for persistent stor The image runs mosquitto under the mosquitto user and group, which are created with a uid and gid of 1883. +## Running without a configuration file +Mosquitto 2.0 requires you to configure listeners and authentication before it +will allow connections from anything other than the loopback interface. In the +context of a container, this means you would normally need to provide a +configuration file with your settings. + +If you wish to run mosquitto without any authentication, and without setting +any other configuration options, you can do so by setting an environment +variable when creating the container: `NO_AUTHENTICATION=1`. Doing this will +ignore any configuration file you provide. + +``` +docker run -it -p 1883:1883 -e NO_AUTHENTICATION=1 eclipse-mosquitto: +``` + ## Configuration -When creating a container from the image, the default configuration values are used. To use a custom configuration file, mount a **local** configuration file to `/mosquitto/config/mosquitto.conf` + ``` docker run -it -p 1883:1883 -v :/mosquitto/config/mosquitto.conf eclipse-mosquitto: ``` +Your configuration file must include a `listener`, and you must configure some +form of authentication or allow unauthenticated access. If you do not do this, +clients will be unable to connect. 
+ + +File based authentication and authorisation: +``` +listener 1883 +password_file /mosquitto/data/mosquitto.password_file +acl_file /mosquitto/data/mosquitto.aclfile +``` + +Plugin based authentication and authorisation: +``` +listener 1883 +plugin /usr/lib/mosquitto_dynamic_security.so +plugin_opt_config_file /mosquitto/data/mosquitto-dynsec.json +``` + +Unauthenticated access: +``` +listener 1883 +allow_anonymous true +``` + :boom: if the mosquitto configuration (mosquitto.conf) was modified to use non-default ports, the docker run command will need to be updated to expose the ports that have been configured, for example:
diff --git a/docker/2.0/docker-entrypoint.sh b/docker/2.0/docker-entrypoint.sh
index 583f67c9..4177b451 100755
--- a/docker/2.0/docker-entrypoint.sh
+++ b/docker/2.0/docker-entrypoint.sh
@@ -7,4 +7,11 @@ if [ "$user" = '0' ]; then
 [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
 fi
 
-exec "$@"
+if [ "$NO_AUTHENTICATION" = "1" ] && [ "$*" = '/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf' ]; then
+ # The user wants to run Mosquitto with no authentication, but without
+ # providing a configuration file. Use the pre-provided file for this.
+ exec /usr/sbin/mosquitto -c /mosquitto-no-auth.conf
+else
+ # Execute whatever command is requested
+ exec "$@"
+fi
diff --git a/docker/2.0/mosquitto-no-auth.conf b/docker/2.0/mosquitto-no-auth.conf
new file mode 100644
index 00000000..40dd92b9
--- /dev/null
+++ b/docker/2.0/mosquitto-no-auth.conf
@@ -0,0 +1,5 @@
+# This is a Mosquitto configuration file that creates a listener on port 1883
+# that allows unauthenticated access.
+
+listener 1883
+allow_anonymous true