Added new role for building the Docker images from scratch.

Added new role for building the CA for user and host certificates.

Added new role for building the Docker images from scratch.
ab8eb09e · Bozidar Proevski · root · cbdbff71 · ab8eb09e · ab8eb09e
Commit ab8eb09e authored 5 years ago by Bozidar Proevski Committed by root 5 years ago
--- a/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Media.repo
+++ b/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Media.repo
+# CentOS-Media.repo
+#
+#  This repo can be used with mounted DVD media, verify the mount point for
+#  CentOS-7.  You can use this repo and yum to install items directly off the
+#  DVD ISO that we release.
+#
+# To use this repo, put in your DVD and use it with the other repos too:
+#  yum --enablerepo=c7-media [command]
+#  
+# or for ONLY the media repo, do this:
+#
+#  yum --disablerepo=\* --enablerepo=c7-media [command]
+[c7-media]
+name=CentOS-$releasever - Media
+baseurl=file:///media/CentOS/
+        file:///media/cdrom/
+        file:///media/cdrecorder/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--- a/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Sources.repo
+++ b/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Sources.repo
+# CentOS-Sources.repo
+#
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the 
+# remarked out baseurl= line instead.
+#
+#
+[base-source]
+name=CentOS-$releasever - Base Sources
+baseurl=http://vault.centos.org/centos/$releasever/os/Source/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+#released updates 
+[updates-source]
+name=CentOS-$releasever - Updates Sources
+baseurl=http://vault.centos.org/centos/$releasever/updates/Source/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+#additional packages that may be useful
+[extras-source]
+name=CentOS-$releasever - Extras Sources
+baseurl=http://vault.centos.org/centos/$releasever/extras/Source/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+#additional packages that extend functionality of existing packages
+[centosplus-source]
+name=CentOS-$releasever - Plus Sources
+baseurl=http://vault.centos.org/centos/$releasever/centosplus/Source/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--- a/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Vault.repo
+++ b/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-Vault.repo
+# CentOS Vault contains rpms from older releases in the CentOS-7
+# tree.
+# C7.0.1406
+[C7.0.1406-base]
+name=CentOS-7.0.1406 - Base
+baseurl=http://vault.centos.org/7.0.1406/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.0.1406-updates]
+name=CentOS-7.0.1406 - Updates
+baseurl=http://vault.centos.org/7.0.1406/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.0.1406-extras]
+name=CentOS-7.0.1406 - Extras
+baseurl=http://vault.centos.org/7.0.1406/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.0.1406-centosplus]
+name=CentOS-7.0.1406 - CentOSPlus
+baseurl=http://vault.centos.org/7.0.1406/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.0.1406-fasttrack]
+name=CentOS-7.0.1406 - Fasttrack
+baseurl=http://vault.centos.org/7.0.1406/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.1.1503
+[C7.1.1503-base]
+name=CentOS-7.1.1503 - Base
+baseurl=http://vault.centos.org/7.1.1503/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.1.1503-updates]
+name=CentOS-7.1.1503 - Updates
+baseurl=http://vault.centos.org/7.1.1503/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.1.1503-extras]
+name=CentOS-7.1.1503 - Extras
+baseurl=http://vault.centos.org/7.1.1503/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.1.1503-centosplus]
+name=CentOS-7.1.1503 - CentOSPlus
+baseurl=http://vault.centos.org/7.1.1503/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.1.1503-fasttrack]
+name=CentOS-7.1.1503 - Fasttrack
+baseurl=http://vault.centos.org/7.1.1503/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.2.1511
+[C7.2.1511-base]
+name=CentOS-7.2.1511 - Base
+baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.2.1511-updates]
+name=CentOS-7.2.1511 - Updates
+baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.2.1511-extras]
+name=CentOS-7.2.1511 - Extras
+baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.2.1511-centosplus]
+name=CentOS-7.2.1511 - CentOSPlus
+baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.2.1511-fasttrack]
+name=CentOS-7.2.1511 - Fasttrack
+baseurl=http://vault.centos.org/7.2.1511/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.3.1611
+[C7.3.1611-base]
+name=CentOS-7.3.1611 - Base
+baseurl=http://vault.centos.org/7.3.1611/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.3.1611-updates]
+name=CentOS-7.3.1611 - Updates
+baseurl=http://vault.centos.org/7.3.1611/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.3.1611-extras]
+name=CentOS-7.3.1611 - Extras
+baseurl=http://vault.centos.org/7.3.1611/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.3.1611-centosplus]
+name=CentOS-7.3.1611 - CentOSPlus
+baseurl=http://vault.centos.org/7.3.1611/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.3.1611-fasttrack]
+name=CentOS-7.3.1611 - Fasttrack
+baseurl=http://vault.centos.org/7.3.1611/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.4.1708
+[C7.4.1708-base]
+name=CentOS-7.4.1708 - Base
+baseurl=http://vault.centos.org/7.4.1708/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.4.1708-updates]
+name=CentOS-7.4.1708 - Updates
+baseurl=http://vault.centos.org/7.4.1708/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.4.1708-extras]
+name=CentOS-7.4.1708 - Extras
+baseurl=http://vault.centos.org/7.4.1708/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.4.1708-centosplus]
+name=CentOS-7.4.1708 - CentOSPlus
+baseurl=http://vault.centos.org/7.4.1708/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.4.1708-fasttrack]
+name=CentOS-7.4.1708 - Fasttrack
+baseurl=http://vault.centos.org/7.4.1708/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.5.1804
+[C7.5.1804-base]
+name=CentOS-7.5.1804 - Base
+baseurl=http://vault.centos.org/7.5.1804/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.5.1804-updates]
+name=CentOS-7.5.1804 - Updates
+baseurl=http://vault.centos.org/7.5.1804/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.5.1804-extras]
+name=CentOS-7.5.1804 - Extras
+baseurl=http://vault.centos.org/7.5.1804/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.5.1804-centosplus]
+name=CentOS-7.5.1804 - CentOSPlus
+baseurl=http://vault.centos.org/7.5.1804/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.5.1804-fasttrack]
+name=CentOS-7.5.1804 - Fasttrack
+baseurl=http://vault.centos.org/7.5.1804/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+# C7.6.1810
+[C7.6.1810-base]
+name=CentOS-7.6.1810 - Base
+baseurl=http://vault.centos.org/7.6.1810/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.6.1810-updates]
+name=CentOS-7.6.1810 - Updates
+baseurl=http://vault.centos.org/7.6.1810/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.6.1810-extras]
+name=CentOS-7.6.1810 - Extras
+baseurl=http://vault.centos.org/7.6.1810/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.6.1810-centosplus]
+name=CentOS-7.6.1810 - CentOSPlus
+baseurl=http://vault.centos.org/7.6.1810/centosplus/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+[C7.6.1810-fasttrack]
+name=CentOS-7.6.1810 - Fasttrack
+baseurl=http://vault.centos.org/7.6.1810/fasttrack/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
--- a/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-fasttrack.repo
+++ b/roles/build/templates/etcroot/etc/yum.repos.d/CentOS-fasttrack.repo
+#CentOS-fasttrack.repo
+[fasttrack]
+name=CentOS-7 - fasttrack
+mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=fasttrack&infra=$infra
+#baseurl=http://mirror.centos.org/centos/$releasever/fasttrack/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
--- a/roles/build/templates/etcroot/etc/yum/vars/basearch
+++ b/roles/build/templates/etcroot/etc/yum/vars/basearch
+x86_64
--- a/roles/build/templates/etcroot/etc/yum/vars/contentdir
+++ b/roles/build/templates/etcroot/etc/yum/vars/contentdir
+centos
--- a/roles/build/templates/etcroot/etc/yum/vars/infra
+++ b/roles/build/templates/etcroot/etc/yum/vars/infra
+stock
--- a/roles/build/templates/etcroot/etc/yum/vars/releasever
+++ b/roles/build/templates/etcroot/etc/yum/vars/releasever
+7
--- a/roles/build/templates/nginx/Dockerfile.j2
+++ b/roles/build/templates/nginx/Dockerfile.j2
+FROM {{repo}}/centos:{{version}}{{suffix}}
+RUN yum update -y; \
+    yum install -y wget unzip curl nginx nginx-all-modules
+RUN yum clean all
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+        && ln -sf /dev/stderr /var/log/nginx/error.log
+EXPOSE 80 443
+STOPSIGNAL SIGTERM
+CMD ["nginx", "-g", "daemon off;"]
--- a/roles/build/templates/nifi/Dockerfile.j2
+++ b/roles/build/templates/nifi/Dockerfile.j2
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+FROM {{repo}}/openjdk:{{version}}{{suffix}} 
+#LABEL maintainer="Apache NiFi <dev@nifi.apache.org>"
+#LABEL site="https://nifi.apache.org"
+ARG UID=1000
+ARG GID=1000
+ARG NIFI_VERSION=1.9.2
+ARG BASE_URL=https://archive.apache.org/dist
+ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}}
+ARG NIFI_BINARY_PATH=${NIFI_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.zip}
+ARG NIFI_TOOLKIT_BINARY_PATH=${NIFI_TOOLKIT_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-toolkit-${NIFI_VERSION}-bin.zip}
+ENV NIFI_BASE_DIR=/opt/nifi
+ENV NIFI_HOME ${NIFI_BASE_DIR}/nifi-current
+ENV NIFI_TOOLKIT_HOME ${NIFI_BASE_DIR}/nifi-toolkit-current
+ENV NIFI_PID_DIR=${NIFI_HOME}/run
+ENV NIFI_LOG_DIR=${NIFI_HOME}/logs
+# ADD sh/ ${NIFI_BASE_DIR}/scripts/
+# Setup NiFi user and create necessary directories
+RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
+    && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
+    && mkdir -p ${NIFI_BASE_DIR} \
+    && chown -R nifi:nifi ${NIFI_BASE_DIR} \
+    && yum -y install jq xmlstarlet procps-ng
+USER nifi
+# Download, validate, and expand Apache NiFi Toolkit binary.
+RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
+    && echo "$(curl ${BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
+    && unzip ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
+    && rm ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
+    && mv ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION} ${NIFI_TOOLKIT_HOME} \
+    && ln -s ${NIFI_TOOLKIT_HOME} ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}
+# Download, validate, and expand Apache NiFi binary.
+RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
+    && echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
+    && unzip ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
+    && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
+    && mv ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} ${NIFI_HOME} \
+    && mkdir -p ${NIFI_HOME}/conf \
+    && mkdir -p ${NIFI_HOME}/database_repository \
+    && mkdir -p ${NIFI_HOME}/flowfile_repository \
+    && mkdir -p ${NIFI_HOME}/content_repository \
+    && mkdir -p ${NIFI_HOME}/provenance_repository \
+    && mkdir -p ${NIFI_HOME}/state \
+    && mkdir -p ${NIFI_LOG_DIR} \
+    && ln -s ${NIFI_HOME} ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}
+VOLUME ${NIFI_LOG_DIR} \
+       ${NIFI_HOME}/conf \
+       ${NIFI_HOME}/database_repository \
+       ${NIFI_HOME}/flowfile_repository \
+       ${NIFI_HOME}/content_repository \
+       ${NIFI_HOME}/provenance_repository \
+       ${NIFI_HOME}/state
+# Clear nifi-env.sh in favour of configuring all environment variables in the Dockerfile
+RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh
+# Web HTTP(s) & Socket Site-to-Site Ports
+EXPOSE 8080 8443 10000 8000
+WORKDIR ${NIFI_HOME}
+# Apply configuration and start NiFi
+#
+# We need to use the exec form to avoid running our command in a subshell and omitting signals,
+# thus being unable to shut down gracefully:
+# https://docs.docker.com/engine/reference/builder/#entrypoint
+#
+# Also we need to use relative path, because the exec form does not invoke a command shell,
+# thus normal shell processing does not happen:
+# https://docs.docker.com/engine/reference/builder/#exec-form-entrypoint-example
+ENTRYPOINT ["/bin/bash"]
--- a/roles/build/templates/openjdk/Dockerfile.j2
+++ b/roles/build/templates/openjdk/Dockerfile.j2
+FROM {{repo}}/centos:{{version}}{{suffix}}
+RUN yum update -y; \
+    yum install -y wget unzip curl java-1.8.0-openjdk-headless.x86_64
+RUN ln -svT "/usr/lib/jvm/java-1.8.0-openjdk-$(rpm -q --queryformat "%{VERSION}-%{RELEASE}.%{ARCH}\n" java-1.8.0-openjdk-headless)" /docker-java-home
+ENV JAVA_HOME /docker-java-home/jre
+RUN yum clean all
+CMD ["/bin/bash"]
--- a/roles/build/templates/zookeeper/Dockerfile.j2
+++ b/roles/build/templates/zookeeper/Dockerfile.j2
+FROM {{repo}}/openjdk:{{version}}{{suffix}}
+#LABEL maintainer="Apache NiFi <dev@nifi.apache.org>"
+#LABEL site="https://nifi.apache.org"
+#ARG UID=1000
+#ARG GID=1000
+ARG ZOOKEEPER_VERSION=3.5.5
+ARG BASE_URL=https://archive.apache.org/dist
+ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}}
+ARG ZOOKEEPER_BINARY_PATH=${ZOOKEEPER_BINARY_PATH:-/zookeeper/zookeeper-${ZOOKEEPER_VERSION}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz}
+ENV ZOOKEEPER_BASE_DIR=/opt
+#ENV ZOOKEEPER_PID_DIR=${ZOOKEEPER_HOME}/run
+#ENV ZOOKEEPER_LOG_DIR=${ZOOKEEPER_HOME}/logs
+#  USER nifi
+# Download, validate, and expand Apache NiFi binary.
+RUN curl -fSL ${MIRROR_BASE_URL}/${ZOOKEEPER_BINARY_PATH} -o ${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz \
+#    && echo "$(curl ${BASE_URL}/${ZOOKEEPER_BINARY_PATH}.sha512) *${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz" | sha256sum -c - \
+    && tar -xzf ${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz -C ${ZOOKEEPER_BASE_DIR} \
+    && mv ${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin ${ZOOKEEPER_BASE_DIR}/zookeeper \
+    && rm ${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz \
+    && cp ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo_sample.cfg ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo.cfg
+# Web HTTP(s) & Socket Site-to-Site Ports
+EXPOSE 2181 2888 3888
+WORKDIR ${ZOOKEEPER_BASE_DIR}/zookeeper
+ENTRYPOINT ["/opt/zookeeper/bin/zkServer.sh"]
+CMD ["start-foreground"]
--- a/roles/build/vars/main.yml
+++ b/roles/build/vars/main.yml
+---
--- a/roles/ca/defaults/main.yml
+++ b/roles/ca/defaults/main.yml
--- a/roles/ca/files/easyrsa/COPYING.md
+++ b/roles/ca/files/easyrsa/COPYING.md
+Easy-RSA -- A Shell-based CA Utility
+====================================
+Copyright (C) 2013 by the Open-Source OpenVPN development community
+Easy-RSA 3 license: GPLv2
+-------------------------
+All the Easy-RSA code contained in this project falls under a GPLv2 license with
+full text available in the Licensing/ directory. Additional components used by
+this project fall under additional licenses:
+Additional licenses for external components
+-------------------------------------------
+The following components are under different licenses; while not part of the
+Easy-RSA source code, these components are used by Easy-RSA or provided in
+platform distributions as described below:
+### OpenSSL
+  OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release
+  package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so
+  effective use of this code will require your acceptance and installation of
+  OpenSSL.
+### Additional Windows Components
+  The Windows binary package includes mksh/Win32 and unxutils binary components,
+  with full licensing details available in the distro/windows/Licensing/
+  subdirectory of this project. mksh/Win32 is under a MirOS license (with some
+  additional component licenses present there) and unxutils is under a GPLv2
+  license.
--- a/roles/ca/files/easyrsa/ChangeLog
+++ b/roles/ca/files/easyrsa/ChangeLog
+Easy-RSA 3 ChangeLog
+3.0.6 (2019-02-01)
+   * Certifcates that are revoked now move to a revoked subdirectory (#63)
+   * EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
+   * More sane string checking, allowingn for commas in CN (#267)
+   * Support for reasonCode in CRL (#280)
+   * Better handling for capturing passphrases (#230, others)
+   * Improved LibreSSL/MacOS support
+   * Adds support to renew certificates up to 30 days before expiration (#286)
+     - This changes previous behavior allowing for certificate creation using
+       duplicate CNs.
+3.0.5 (2018-09-15)
+   * Fix #17 & #58: use AES256 for CA key
+   * Also, don't use read -s, use stty -echo
+   * Fix broken "nopass" option
+   * Add -r to read to stop errors reported by shellcheck (and to behave)
+   * remove overzealous quotes around $pkcs_opts (more SC errors)
+   * Support for LibreSSL
+   * EasyRSA version will be reported in certificate comments
+   * Client certificates now expire in 3 year (1080 days) by default
+3.0.4 (2018-01-21)
+    * Remove use of egrep (#154)
+    * Integrate with Travis-CI (#165)
+    * Remove "local" from variable assignment (#165)
+        * Other changes related to Travis-CI fixes
+	* Assign values to variables defined previously w/local
+    * Finally(?) fix the subjectAltName issues I presented earlier (really
+    fixes #168 
+3.0.3 (2017-08-22)
+    * Include mktemp windows binary
+    * copy CSR extensions into signed certificate
+3.0.2 (2017-08-21)
+    * add missing windows binaries
+3.0.1 (2015-10-25)
+    * correct some packaging errors
+3.0.0 (2015-09-07)
+    * cab4a07 Fix typo: Hellman
+        (ljani: Github)
+    * 171834d Fix typo: Default
+        (allo-: Github)
+    * 8b42eea Make aes256 default, replacing 3des
+        (keros: Github)
+    * f2f4ac8 Make -utf8 default
+        (roubert: Github)
+3.0.0-rc2 (2014/07/27)
+    * 1551e5f docs: fix typo
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 7ae44b3 Add KNOWN_ISSUES to stage next -rc release
+        (Josh Cepek <josh.cepek@usa.net>)
+    * a0d58b2 Update documentation
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 5758825 Fix vars.example with proper path to extensions.temp
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 89f369c Add support to change private key passphrases
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 49d7c10 Improve docs: add Upgrade-Notes; add online support refs
+        (Josh Cepek <josh.cepek@usa.net>)
+    * fcc4547 Add build-dist packaging script; update Building docs
+        (Josh Cepek <josh.cepek@usa.net>)
+    * f74d08e docs: update Hacking.md with layout & git conventions
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 0754f23 Offload temp file removal to a clean_temp() function
+        (Josh Cepek <josh.cepek@usa.net>)
+    * 1c90df9 Fix incorrect handling of invalid --use-algo option
+        (Josh Cepek <josh.cepek@usa.net>)
+    * c86289b Fix batch-mode handling with changes in e75ad75
+        (Josh Cepek <josh.cepek@usa.net>)
+    * e75ad75 refine how booleans are evaluated
+        (Eric F Crist <ecrist@secure-computing.net>)
+    * cc19823 Merge PKCS#7 feature from pull req #14
+        (Author: Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>)
+        (Modified-By: Josh Cepek <josh.cepek@usa.net>)
+    * 8b1fe01 Support OpenSSL-0.9.8 with the EXTRA_EXTS feature
+        (Josh Cepek <josh.cepek@usa.net>)
+    * d5516d5 Windows: make builds easier by using a matching dir structure
+        (Josh Cepek <josh.cepek@usa.net>)
+    * dc2e6dc Windows: improve external checks and env-var help
+        (Josh Cepek <josh.cepek@usa.net>)
+3.0.0-rc1 (2013/12/01)
+    * The 3.x release is a nearly complete re-write of the 2.x codebase
+    * Initial 3.x series code by Josh Cepek <josh.cepek@usa.net> -- continuing
+    maintenance by the OpenVPN community development team and associated
+    contributors
+    * Add ECDSA (elliptic curve) support, thanks to Steffan Karger
+    <steffan@karger.me>
--- a/roles/ca/files/easyrsa/README.md
+++ b/roles/ca/files/easyrsa/README.md
+# Overview
+easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
+this means to create a root certificate authority, and request and sign 
+certificates, including sub-CAs and certificate revocation lists (CRL).
+# Downloads
+If you are looking for release downloads, please see the releases section on
+GitHub. Releases are also available as source checkouts using named tags.
+# Documentation
+For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or
+the more detailed docs under the doc/ directory. The .md files are in Markdown
+format and can be converted to html files as desired for release packages, or
+read as-is in plaintext.
+# Getting help using easy-rsa
+Currently, Easy-RSA development co-exists with OpenVPN even though they are
+separate projects. The following resources are good places as of this writing to
+seek help using Easy-RSA:
+The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users)
+is a good place to post usage or help questions.
+You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
+# Branch structure
+The easy-rsa master branch is currently tracking development for the 3.x release
+cycle. Please note that, at any given time, master may be broken.  Feel free to
+create issues against master, but have patience when using the master branch.  It
+is recommended to use a release, and priority will be given to bugs identified in
+the most recent release.
+The prior 2.x and 1.x versions are available as release branches for
+tracking and possible back-porting of relevant fixes. Branch layout is:
+    master         <- 3.x, at present
+    v3.x.x            pre-release branches, used for staging branches
+    release/2.x
+    release/1.x
+LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file
+# Code style, standards
+We are attempting to adhere to the POSIX standard, which can be found here:
+http://pubs.opengroup.org/onlinepubs/9699919799/
--- a/roles/ca/files/easyrsa/README.quickstart.md
+++ b/roles/ca/files/easyrsa/README.quickstart.md
+Easy-RSA 3 Quickstart README
+============================
+This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
+and specific commands can be found by running ./easyrsa -h.  Additional
+documentation can be found in the doc/ directory.
+If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes
+available, also under the doc/ path.
+Setup and signing the first request
+-----------------------------------
+Here is a quick run-though of what needs to happen to start a new PKI and sign
+your first entity certificate:
+1. Choose a system to act as your CA and create a new PKI and CA:
+        ./easyrsa init-pki
+        ./easyrsa build-ca
+2. On the system that is requesting a certificate, init its own PKI and generate
+   a keypair/request. Note that init-pki is used _only_ when this is done on a
+   separate system (or at least a separate PKI dir.) This is the recommended
+   procedure. If you are not using this recommended procedure, skip the next
+   import-req step.
+        ./easyrsa init-pki
+        ./easyrsa gen-req EntityName
+3. Transport the request (.req file) to the CA system and import it. The name
+   given here is arbitrary and only used to name the request file.
+        ./easyrsa import-req /tmp/path/to/import.req EntityName
+4. Sign the request as the correct type. This example uses a client type:
+        ./easyrsa sign-req client EntityName
+5. Transport the newly signed certificate to the requesting entity. This entity
+   may also need the CA cert (ca.crt) unless it had a prior copy.
+6. The entity now has its own keypair, signed cert, and the CA.
+Signing subsequent requests
+---------------------------
+Follow steps 2-6 above to generate subsequent keypairs and have the CA return
+signed certificates.
+Revoking certs and creating CRLs
+--------------------------------
+This is a CA-specific task.
+To permanently revoke an issued certificate, provide the short name used during
+import:
+        ./easyrsa revoke EntityName
+To create an updated CRL that contains all revoked certs up to that point:
+        ./easyrsa gen-crl
+After generation, the CRL will need to be sent to systems that reference it.
+Generating Diffie-Hellman (DH) params
+-------------------------------------
+After initializing a PKI, any entity can create DH params that needs them. This
+is normally only used by a TLS server. While the CA PKI can generate this, it
+makes more sense to do it on the server itself to avoid the need to send the
+files to another system after generation.
+DH params can be generated with:
+        ./easyrsa gen-dh
+Showing details of requests or certs
+------------------------------------
+To show the details of a request or certificate by referencing the short
+EntityName, use one of the following commands. It is an error to call these
+without a matching file.
+        ./easyrsa show-req EntityName
+        ./easyrsa show-cert EntityName
+Changing private key passphrases
+--------------------------------
+RSA and EC private keys can be re-encrypted so a new passphrase can be supplied
+with one of the following commands depending on the key type:
+        ./easyrsa set-rsa-pass EntityName
+        ./easyrsa set-ec-pass EntityName
+Optionally, the passphrase can be removed completely with the 'nopass' flag.
+Consult the command help for details.
--- a/roles/ca/files/easyrsa/doc/EasyRSA-Advanced.md
+++ b/roles/ca/files/easyrsa/doc/EasyRSA-Advanced.md
+Easy-RSA Advanced Reference
+=============================
+This is a technical reference for advanced users familiar with PKI processes. If
+you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI`
+docs instead.
+Configuration Reference
+-----------------------
+#### Configuration Sources
+  There are 3 possible ways to perform external configuration of Easy-RSA,
+  selected in the following order where the first defined result wins:
+  1. Commmand-line option
+  2. Environmental variable
+  3. 'vars' file, if one is present (see `vars Autodetection` below)
+  4. Built-in default
+  Note that not every possible config option can be set everywhere, although any
+  env-var can be added to the 'vars' file even if it's not shown by default.
+#### vars Autodetection
+  A 'vars' file is a file named simply `vars` (without an extension) that
+  Easy-RSA will source for configuration. This file is specifically designed
+  *not* to replace variables that have been set with a higher-priority method
+  such as CLI opts or env-vars.
+  The following locations are checked, in this order, for a vars file. Only the
+  first one found is used:
+  1. The file referenced by the --vars CLI option
+  2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+  3. The directory referenced by the `EASYRSA_PKI` env-var
+  4. The default PKI directory at $PWD/pki
+  4. The directory referenced by the `EASYRSA` env-var
+  5. The directory containing the easyrsa program
+  Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
+  file in all cases, including defining it subsequently as a global option.
+#### OpenSSL Config
+  Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
+  flexibility the script provides. It is required that this file be available,
+  yet it is possible to use a different OpenSSL config file for a particular
+  PKI, or even change it for a particular invocation.
+  The OpenSSL config file is searched for in the following order:
+  1. The env-var `EASYRSA_SSL_CONF`
+  2. The 'vars' file (see `vars Autodetection` above)
+  3. The `EASYRSA_PKI` directory with a filename of `openssl-easyrsa.cnf`
+  4. The `EASYRSA` directory with a filename of `openssl-easyrsa.cnf`
+Advanced extension handling
+---------------------------
+Normally the cert extensions are selected by the cert type given on the CLI
+during signing; this causes the matching file in the x509-types subdirectory to
+be processed for OpenSSL extensions to add. This can be overridden in a
+particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir
+which will be used instead.
+The file named `COMMON` in the x509-types dir is appended to every cert type;
+this is designed for CDP usage, but can be used for any extension that should
+apply to every signed cert.
+Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with
+its raw text added to the OpenSSL extensions. The contents are appended as-is to
+the cert extensions; invalid OpenSSL configs will usually result in failure.
+Environmental Variables Reference
+---------------------------------
+A list of env-vars, any matching global option (CLI) to set/override it, and a
+possible terse description is shown below:
+ *  `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa script is located.
+ *  `EASYRSA_OPENSSL` - command to invoke openssl
+ *  `EASYRSA_SSL_CONF` - the openssl config file to use
+ *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to $PWD/pki.
+ *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+    alter the fields to include in the req DN
+ *  `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+ *  `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
+    org mode
+ *  `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org
+    mode
+ *  `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode
+ *  `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode
+ *  `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
+    mode
+ *  `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the keysize in bits to generate
+ *  `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
+ *  `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
+ *  `EASYRSA_EC_DIR` - dir to store generated ecparams
+ *  `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
+ *  `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
+    in days
+ *  `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days
+ *  `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to
+    include the deprecated Netscape extensions
+ *  `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when
+    using the deprecated Netscape extensions
+ *  `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert
+    extensions
+ *  `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
+    mode
+ *  `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash digest to use for req/cert
+    signing
+ *  `EASYRSA_BATCH` (CLI: `--batch`) - enable batch (no-prompt) mode; set
+    env-var to non-zero string to enable (CLI takes no options)
--- a/roles/ca/files/easyrsa/doc/EasyRSA-Readme.md
+++ b/roles/ca/files/easyrsa/doc/EasyRSA-Readme.md
+Easy-RSA 3 Documentation Readme
+===============================
+This document explains how Easy-RSA 3 and each of its assorted features work.
+If you are looking for a quickstart with less background or detail, an
+implementation-specific Howto or Readme may be available in this (the `doc/`)
+directory.
+Easy-RSA Overview
+-----------------
+Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A
+PKI is based on the notion of trusting a particular authority to authenticate a
+remote peer; for more background on how PKI works, see the `Intro-To-PKI`
+document.
+The code is written in platform-neutral POSIX shell, allowing use on a wide
+range of host systems. The official Windows release also comes bundled with the
+programs necessary to use Easy-RSA. The shell code attempts to limit the number
+of external programs it depends on. Crypto-related tasks use openssl as the
+functional backend.
+Feature Highlights
+------------------
+Here's a non-exhaustive list of the more notable Easy-RSA features:
+ *  Easy-RSA is able to manage multiple PKIs, each with their own independent
+    configuration, storage directory, and X.509 extension handling.
+ *  Multiple Subject Name (X.509 DN field) formatting options are supported. For
+    VPNs, this means a cleaner commonName only setup can be used.
+ *  A single backend is used across all supported platforms, ensuring that no
+    platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc)
+    and Windows are all supported.
+ *  Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and
+    additional features. The included support can be changed or extended as an
+    advanced feature.
+ *  Interactive and automated (batch) modes of operation
+ *  Flexible configuration: features can be enabled through command-line
+    options, environment variables, a config file, or a combination of these.
+ *  Built-in defaults allow Easy-RSA to be used without first editing a config
+    file.
+Obtaining and Using Easy-RSA
+----------------------------
+#### Download and extraction (installation)
+  Easy-RSA's main program is a script, supported by a couple of config files. As
+  such, there is no formal "installation" required. Preparing to use Easy-RSA is
+  as simple as downloading the compressed package (.tar.gz for Linux/Unix or
+  .zip for Windows) and extract it to a location of your choosing. There is no
+  compiling or OS-dependent setup required.
+  You should install and run Easy-RSA as a non-root (non-Administrator) account
+  as root access is not required.
+#### Running Easy-RSA
+  Invoking Easy-RSA is done through your preferred shell. Under Windows, you
+  will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment
+  suitable for using Easy-RSA.
+  The basic format for running commands is:
+    ./easyrsa command [ cmd-opts ]
+  where `command` is the name of a command to run, and `cmd-opts` are any
+  options to supply to the command. Some commands have mandatory or optional
+  cmd-opts. Note the leading `./` component of the command: this is required in
+  Unix-like environments and may be a new concept to some Windows users.
+  General usage and command help can be shown with:
+    ./easyrsa help [ command ]
+  When run without any command, general usage and a list of available commands
+  are shown; when a command is supplied, detailed help output for that command
+  is shown.
+Configuring Easy-RSA
+--------------------
+Easy-RSA 3 no longer needs any configuration file prior to operation, unlike
+earlier versions. However, the `vars.example` file contains many commented
+options that can be used to control non-default behavior as required. Reading
+this file will provide an idea of the basic configuration available. Note that
+a vars file must be named just `vars` (without an extension) to actively use it.
+Additionally, some options can be defined at runtime with options on the
+command-line. A full list can be shown with:
+    ./easyrsa help options
+Any of these options can appear before the command as required as shown below:
+    ./easyrsa [options] command [ cmd-opts ]
+For experts, additional configuration flexibility is available by way of
+env-vars and custom X.509 extensions. Consult the `EasyRSA-Advanced`
+documentation for details
+Getting Started: The Basics
+---------------------------
+Some of the terms used here will be common to those familiar with how PKI works.
+Instead of describing PKI basics, please consult the document `Intro-To-PKI` if
+you need a more basic description of how a PKI works.
+#### Creating an Easy-RSA PKI
+  In order to do something useful, Easy-RSA needs to first initialize a
+  directory for the PKI. Multiple PKIs can be managed with a single installation
+  of Easy-RSA, but the default directory is called simply "pki" unless otherwise
+  specified.
+  To create or clear out (re-initialize) a new PKI, use the command:
+    ./easyrsa init-pki
+  which will create a new, blank PKI structure ready to be used. Once created,
+  this PKI can be used to make a new CA or generate keypairs.
+#### The PKI Directory Structure
+  An Easy-RSA PKI contains the following directory structure:
+  * private/ - dir with private keys generated on this host
+  * reqs/ - dir with locally generated certificate requests (for a CA imported
+    requests are stored here)
+  In a clean PKI no files will exist until, just the bare directories. Commands
+  called later will create the necessary files depending on the operation.
+  When building a CA, a number of new files are created by a combination of
+  Easy-RSA and (indirectly) openssl. The important CA files are:
+  * `ca.crt` - This is the CA certificate
+  * `index.txt` - This is the "master database" of all issued certs
+  * `serial` - Stores the next serial number (serial numbers increment)
+  * `private/ca.key` - This is the CA private key (security-critical)
+  * `certs_by_serial/` - dir with all CA-signed certs by serial number
+  * `issued/` - dir with issued certs by commonName
+#### After Creating a PKI
+  Once you have created a PKI, the next useful step will be to either create a
+  CA, or generate keypairs for a system that needs them. Continue with the
+  relevant section below.
+Using Easy-RSA as a CA
+----------------------
+#### Building the CA
+  In order to sign requests to produce certificates, you need a CA. To create a
+  new CA in a PKI you have created, run:
+    ./easyrsa build-ca
+  Be sure to use a strong passphrase to protect the CA private key. Note that
+  you must supply this passphrase in the future when performing signing
+  operations with your CA, so be sure to remember it.
+  During the creation process, you will also select a name for the CA called the
+  Common Name (CN.) This name is purely for display purposes and can be set as
+  you like.
+#### Importing requests to the CA
+  Once a CA is built, the PKI is intended to be used to import requests from
+  external systems that are requesting a signed certificate from this CA. In
+  order to sign the request, it must first be imported so Easy-RSA knows about
+  it. This request file must be a standard CSR in PKCS#10 format.
+  Regardless of the file name to import, Easy-RSA uses a "short name" defined
+  during import to refer to this request. Importing works like this:
+    ./easyrsa import-req /path/to/request.req nameOfRequest
+  The nameOfRequest should normally refer to the system or person making the
+  request.
+#### Signing a request
+  Once Easy-RSA has imported a request, it can be reviewed and signed. Every
+  certificate needs a "type" which controls what extensions the certificate gets
+  Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described
+  below:
+  * client - A TLS client, suitable for a VPN user or web browser (web client)
+  * server - A TLS server, suitable for a VPN or web server
+  * ca - A subordinate CA, used when chaining multiple CAs together
+  Additional types of certs may be defined by local sites as needed; see the
+  advanced documentation for details.
+#### Revoking and publishing CRLs
+  If an issue certificate needs to be revoked, this can be done as follows:
+    ./easyrsa revoke nameOfRequest
+  To generate a CRL suitable for publishing to systems that use it, run:
+    ./easyrsa gen-crl
+  Note that this will need to be published or sent to systems that rely on an
+  up-to-date CRL as the certificate is still otherwise valid.
+Using Easy-RSA to generate keypairs & requests
+----------------------------------------------
+Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This
+request is what a CA needs in order to generate and return a signed certificate.
+Ideally you should never generate entity keypairs for a client or server in a
+PKI you are using for your CA. It is best to separate this process and generate
+keypairs only on the systems you plan to use them.
+Easy-RSA can generate a keypair and request with the following command:
+    ./easyrsa gen-req nameOfRequest
+You will then be given a chance to modify the Subject details of your request.
+Easy-RSA uses the short name supplied on the command-line by default, though you
+are free to change it if necessary. After providing a passphrase and Subject
+details, the keypair and request files will be shown.
+In order to obtain a signed certificate, the request file must be sent to the
+CA for signing; this step is obviously not required if a single PKI is used as
+both the CA and keypair/request generation as the generated request is already
+"imported."