posix

command
v0.1.0
Published: Aug 14, 2025 License: Apache-2.0 Imports: 30 Imported by: 0

README

POSIX static-ct server

This directory contains a static-ct server which uses Tessera's POSIX backend for storing the log.

In this document, you will find information specific to this POSIX implementation. You can find more information about TesseraCT in general in the architecture design doc, and in TesseraCT's configuration guide.

Filesystems

This binary, and the Tessera library it uses, relies on POSIX filesystem semantics, including atomic operations, in order to function correctly. As such, it expects to find a POSIX-compliant filesystem at the location provided via the --storage_dir flag.

ZFS has been tested and found to work well. Other POSIX-compliant filesystems should work too. CephFS may work, but NFS will almost certainly not.

WARNING: Attempting to use a filesystem which does not provide POSIX filesystem semantics is overwhelmingly likely to result in a broken log!

Codelab

Generate an ECDSA key like so:

openssl ecparam -name prime256v1 -genkey -noout -out test-ecdsa-priv.pem 

And then start a log with the following command:

go run ./cmd/tesseract/posix/ \
  --private_key=./test-ecdsa-priv.pem \
  --origin=example.com/test-ecdsa \
  --storage_dir=/tmp/ecdsa_log \
  --roots_pem_file=deployment/live/gcp/static-ct-staging/logs/arche2025h1/roots.pem \
  --v=1

The server should now be listening on port 6962 to handle the submission URLs from the static-ct API. The monitoring URLs are not handled via HTTP directly; they may be served from the filesystem in storage_dir.
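One way to expose those monitoring reads, as an added example and not code from the TesseraCT project: a small Go handler that serves regular files under storage_dir read-only, rejects write methods, and never lists directories or serves dot-prefixed paths. The flag names, the listen address, and the assumption that URL paths map one-to-one onto files in storage_dir belong to this example.

```go
package main

import (
	"flag"
	"log"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// readOnlyLogHandler exposes regular files under dir over GET/HEAD only.
// Assumption: the files in storage_dir already follow the static-ct
// monitoring layout, so URL paths map one-to-one onto file paths.
func readOnlyLogHandler(dir string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "read-only endpoint", http.StatusMethodNotAllowed)
			return
		}
		// Normalise the path, then refuse the root and any dot-prefixed
		// segment so hidden files or directories are never served.
		name := strings.TrimPrefix(path.Clean("/"+r.URL.Path), "/")
		for _, seg := range strings.Split(name, "/") {
			if seg == "" || strings.HasPrefix(seg, ".") {
				http.NotFound(w, r)
				return
			}
		}
		full := filepath.Join(dir, filepath.FromSlash(name))
		// Lstat: the final component must be a regular file, which rules out
		// directory listings and a symlink as the last path element.
		if fi, err := os.Lstat(full); err != nil || !fi.Mode().IsRegular() {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, full)
	})
}

func main() {
	// Both flag names below belong to this example, not to the TesseraCT binary.
	dir := flag.String("dir", "/tmp/ecdsa_log", "log storage directory to expose")
	addr := flag.String("listen", "localhost:8080", "address for monitoring reads")
	flag.Parse()
	log.Fatal(http.ListenAndServe(*addr, readOnlyLogHandler(*dir)))
}
```

Keeping this listener separate from the submission port means the write path and the read path can be firewalled and rate-limited independently.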

You can try "preloading" the log with the contents of another CT log, e.g.:

go run github.com/google/certificate-transparency-go/preload/preloader@master \
  --target_log_uri=http://localhost:6962/ \
  --source_log_uri=https://ct.googleapis.com/logs/eu1/xenon2025h1/ \
  --num_workers=2 \
  --start_index=130000 \
  --parallel_fetch=2 \
  --parallel_submit=512 \
  --v=1

Note that running this command a second time may show a lot of errors with HTTP status 429 Too Many Requests; this is protection against too many duplicate entries being sent to the log. Use a larger start_index to avoid submitting duplicate entries and running into this behaviour.

Documentation

Overview

The ct_server binary runs the CT personality.
