From c6a807d717ed5bcd50c50e0f481a9b56a8fef6d8 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 31 Oct 2022 08:26:25 +0100
Subject: [PATCH 01/93] Added Report Hub for EXLIQUID
---
 ccp/exliquid-compose.yml | 38 ++++++++++++++++++++++++++++++++++++++
 ccp/exliquid-setup.sh | 8 ++++++++
 ccp/vars | 2 ++
 3 files changed, 48 insertions(+)
 create mode 100644 ccp/exliquid-compose.yml
 create mode 100644 ccp/exliquid-setup.sh
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
new file mode 100644
index 0000000..0967ead
--- /dev/null
+++ b/ccp/exliquid-compose.yml
@@ -0,0 +1,38 @@
+version: "3.7"
+
+services:
+ task-store:
+ image: "samply/blaze:0.18"
+ container_name: bridgehead-task-store
+ environment:
+ BASE_URL: "http://localhost:8083"
+ JAVA_TOOL_OPTIONS: "-Xmx1g"
+ LOG_LEVEL: "debug"
+ volumes:
+ - "task-store-data:/app/data"
+ labels:
+ - "traefik.enable=false"
+
+ report-hub:
+ image: "samply/report-hub:latest"
+ container_name: bridgehead-report-hub
+ environment:
+ BASE_URL: "http://ccp-task-store:8080"
+ JAVA_TOOL_OPTIONS: "-Xmx1g"
+ LOG_LEVEL: "debug"
+ PROXY_ID: "report-hub.${PROXY_ID}"
+ SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+ TASK_STORE: "http://bridgehead-task-store:8080/fhir"
+ LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
+ BEAM_PROXY: "http://beam-proxy:8081"
+ restart: always
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-report-hub`)"
+ - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub"
+ - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
+ - "traefik.http.routers.blaze_ccp.middlewares=ccp_t_strip,ccp-auth"
+ - "traefik.http.routers.blaze_ccp.tls=true"
+
+volumes:
+ task-store-data:
\ No newline at end of file
diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
new file mode 100644
index 0000000..59d8877
--- /dev/null
+++ b/ccp/exliquid-setup.sh
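Review bot: `image: "samply/report-hub:latest"` leaves the report-hub unpinned while the task-store in the same file is pinned to `samply/blaze:0.18`; a floating tag means the deployed image changes underneath the site on every pull, so pin it to a release tag (or digest) the way the task-store is. Quoting in the `environment` block is also inconsistent: `SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}` and `LDM_URL: http://bridgehead-ccp-blaze:8080/fhir` are the only unquoted values, so write them as `SECRET: "${REPORTHUB_BEAM_SECRET_SHORT}"` and `LDM_URL: "http://bridgehead-ccp-blaze:8080/fhir"`. Both services ship with `LOG_LEVEL: "debug"`, which is a lot of output for a permanently running service and deserves a comment if it is intentional. The task-store has no `restart:` policy while report-hub has `restart: always`, so after a task-store crash the hub keeps running against a missing store.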
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+function exliquidSetup() {
+ if [ -n "$EXLIQUID" ]; then
+ log INFO "EXLIQUID setup detected -- will start Reporthub."
+ OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
+ fi
+}
\ No newline at end of file
diff --git a/ccp/vars b/ccp/vars
index f5f734e..63def80 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -11,3 +11,5 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
+source $PROJECT/exliquid-setup.sh
+exliquidSetup
From 3f5463318d9c4d0920223f22ef1c9ac1f343eac7 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 31 Oct 2022 11:26:00 +0100
Subject: [PATCH 02/93] Fixed labels
---
 ccp/exliquid-compose.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 0967ead..60aeb1b 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -28,11 +28,11 @@ services:
 restart: always
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-report-hub`)"
+ - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)"
 - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub"
- - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
- - "traefik.http.routers.blaze_ccp.middlewares=ccp_t_strip,ccp-auth"
- - "traefik.http.routers.blaze_ccp.tls=true"
+ - "traefik.http.services.report-ccp.loadbalancer.server.port=8080"
+ - "traefik.http.routers.report-ccp.middlewares=ccp_t_strip"
+ - "traefik.http.routers.report-ccp.tls=true"
 
 volumes:
 task-store-data:
\ No newline at end of file
From fc3198d22c848d1d381ad8eeda9aabe0a4ee2873 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 31 Oct 2022 15:30:32 +0100
Subject: [PATCH 03/93] Fixed task store base url
---
 ccp/exliquid-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
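Review bot: `OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"` has no separator in front of `-f`, so whenever `OVERRIDE` already holds an earlier entry (ccp/vars calls `nngmSetup` before `exliquidSetup`, and the bridgehead script appends its own `-f ./$PROJECT/docker-compose.override.yml`) the two run together into one token such as `...nngm-compose.yml-f ./ccp/exliquid-compose.yml` instead of two arguments. Write `OVERRIDE+=" -f ./$PROJECT/exliquid-compose.yml"`. The identical defect in ccp/nngm-setup.sh is fixed later in this series (PATCH 04), but this file is not touched by that fix.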
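Review bot: The two new lines in ccp/vars arrive without the explanatory comment that the neighbouring nngm lines carry, so a reader of this file does not learn that `exliquidSetup` does nothing unless `EXLIQUID` is set. Add `# This will load the EXLIQUID setup. Effective only if EXLIQUID is defined.` above `source $PROJECT/exliquid-setup.sh`, mirroring the existing nngm comment.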
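Review bot: `traefik.http.routers.report-ccp.middlewares=ccp_t_strip` drops the `ccp-auth` middleware that the replaced label attached to this router, so the `/ccp-report-hub` prefix is now forwarded to the report-hub with only the prefix strip in front of it, while the subject ("Fixed labels") only accounts for the router rename. If the hub is meant to be reachable without the authentication the other ccp routes use, state that in a comment next to the label; otherwise restore `traefik.http.routers.report-ccp.middlewares=ccp_t_strip,ccp-auth`. The definition of `ccp-auth` is not in this view, so its role is inferred from its use on the removed line.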
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 60aeb1b..2c97b83 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -5,7 +5,7 @@ services:
 image: "samply/blaze:0.18"
 container_name: bridgehead-task-store
 environment:
- BASE_URL: "http://localhost:8083"
+ BASE_URL: "http://bridgehead-task-store:8080"
 JAVA_TOOL_OPTIONS: "-Xmx1g"
 LOG_LEVEL: "debug"
 volumes:
@@ -17,7 +17,7 @@ services:
 image: "samply/report-hub:latest"
 container_name: bridgehead-report-hub
 environment:
- BASE_URL: "http://ccp-task-store:8080"
+ BASE_URL: "http://bridgehead-report-hub:8080"
 JAVA_TOOL_OPTIONS: "-Xmx1g"
 LOG_LEVEL: "debug"
 PROXY_ID: "report-hub.${PROXY_ID}"
From 23aa8f8274704220ac729574ef843ccdfeaa3bf0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 8 Nov 2022 10:54:51 +0100
Subject: [PATCH 04/93] Extra space for nngm compose
---
 ccp/nngm-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 501d8ce..d5b80eb 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -3,7 +3,7 @@
 function nngmSetup() {
 if [ -n "$NNGM_CTS_APIKEY" ]; then
 log INFO "nNGM setup detected -- will start nNGM Connector."
- OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
+ OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
 fi
 CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
From cb57aad9494f86d796f787870b18dad3209d6c3c Mon Sep 17 00:00:00 2001
From: Croft
Date: Mon, 14 Nov 2022 11:51:29 +0100
Subject: [PATCH 05/93] Updated Documentation
* Removed sections that are no longer relevant
* Added some additional information, particularly regarding registration with Beam and monitoring
* Moved some sections around to get a better structure
---
 README.md | 383 ++++++++++++++++++------------------------------------
 1 file changed, 124 insertions(+), 259 deletions(-)
diff --git a/README.md b/README.md
index 0e4c762..d93cd0e 100644
--- a/README.md
+++ b/README.md
@@ -1,142 +1,74 @@ # Bridgehead -This repository contains all information and tools to deploy a bridgehead. If you have any questions about deploying a bridgehead, please [contact us](mailto:verbis-support@dkfz-heidelberg.de). +A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de). TOC -1. [About](#about) - - [Projects](#projects) - - [GBA/BBMRI-ERIC](#gbabbmri-eric) - - [CCP(DKTK/C4)](#ccpdktkc4) - - [NNGM](#nngm) - - [Bridgehead Components](#bridgehead-components) - - [Blaze Server](#blaze-serverhttpsgithubcomsamplyblaze) - - [Connector](#connector) 1. [Requirements](#requirements) - [Hardware](#hardware) - - [System](#system-requirements) - - [git](#git) - - [docker](#dockerhttpsdocsdockercomget-docker) - - [systemd](#systemd) -2. [Getting Started](#getting-started) - - [Quick Start](#quick-start) - - [DKTK](#dktkc4) - - [C4](#c4) - - [GBA/BBMRI-ERIC](#gbabbmri-eric) -3. [Configuration](#configuration) -4. [Managing your Bridgehead](#managing-your-bridgehead) - - [Systemd](#on-a-server) - - [Without Systemd](#on-developers-machine) -4. [Pitfalls](#pitfalls) -5. [Migration-guide](#migration-guide) -7. [License](#license) - - -## About - -TODO: Insert comprehensive feature list of the bridgehead? Why would anyone install it? - -## Projects - -### GBA/BBMRI-ERIC - -The **Sample Locator** is a tool that allows researchers to make searches for samples over a large number of geographically distributed biobanks. Each biobank runs a so-called **Bridgehead** at its site, which makes it visible to the Sample Locator. The Bridgehead is designed to give a high degree of protection to patient data. 
Additionally, a tool called the [Negotiator][negotiator] puts you in complete control over which samples and which data are delivered to which researcher. - -You will most likely want to make your biobanks visible via the [publicly accessible Sample Locator][sl], but the possibility also exists to install your own Sample Locator for your site or organization, see the GitHub pages for [the server][sl-server-src] and [the GUI][sl-ui-src]. - -The Bridgehead has two primary components: -* The **Blaze Store**. This is a highly responsive FHIR data store, which you will need to fill with your data via an ETL chain. -* The **Connector**. This is the communication portal to the Sample Locator, with specially designed features that make it possible to run it behind a corporate firewall without making any compromises on security. - -### CCP(DKTK/C4) - -TODO: - -### nNGM - -TODO: - -### Bridgehead Components - -#### [Blaze Server](https://github.com/samply/blaze) - -This holds the actual data being searched. This store must be filled by you, generally by running an ETL on your locally stored data to turn it into the standardized FHIR format that we require. - -#### [Connector] - -TODO: + - [System](#system) + - [Git](#git) + - [Docker](#docker) +2. [Deployment](#deployment) + - [Installation](#installation) + - [Register with Beam](#register-with-beam) + - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead) + - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts) +3. [Additional Services](#additional-Services) + - [Monitoring](#monitoring) + - [Register with a Directory](#register-with-a-Directory) +4. 
[Site-specific configuration](#site-specific-configuration) + - [HTTPS Access](#https-access) + - [Locally Managed Secrets](#locally-managed-secrets) + - [Git Proxy Configuration](#git-proxy-configuration) + - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration) + - [Non-Linux OS](#non-linux-os) +5. [License](#license) ## Requirements ### Hardware -For running your bridgehead we recommend the follwing Hardware: +To get the most out of your Bridgehead, we recommend the follwing Hardware: - 4 CPU cores - At least 8 GB Ram - 100GB Hard Drive, SSD recommended +### System -### System Requirements +You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. -Before starting the installation process, please ensure that following software is available on your system: +The following software should be installed: #### Git -Check if you have at leat git 2.0 installed on the system with: +Check if you have at least git 2.0 installed on the system with: ``` shell git --version ``` -#### [Docker](https://docs.docker.com/get-docker/) +#### Docker -To check your docker installation, you should execute the docker with --version: +Check the installed Docker version: ``` shell docker --version ``` - -The Version should be higher than "20.10.1". Otherwise you will have problems starting the bridgehead. The next step is to check ``` docker-compose``` with: +The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose``` with: ``` shell docker-compose --version ``` +The recomended version is "2.XX" and higher. -The recomended version is "2.XX" and higher. If docker-compose was not installed with docker follow these [instructions](https://docs.docker.com/compose/install/#install-compose-as-standalone-binary-on-linux-systems). 
To futher check your docker and docker-compose installation, please run the following command. +If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com). -``` shell -docker-compose -f - up < NOTE: If the download of the image fails (e.g with "connection timed out" message), ensure that you have correctly set the proxy for the docker daemon. Refer to ["Docker Daemon Proxy Configuration" in the "Pitfalls" section](#docker-daemon-proxy-configuration) - -#### [systemd](https://systemd.io/) - -You shouldn't need to install it yourself, If systemd is not available on your system you should get another system. -To check if systemd is available on your system, please execute - -``` shell -systemctl --version -``` - -If systemd is not installed, you can start the bridgehead. However, for productive use we recomend using systemd. - ---- - -## Getting Started - -### Quick Start - - -If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead. +### Installation First, clone the repository to the directory "/srv/docker/bridgehead": 
@@ -144,17 +76,15 @@ First, clone the repository to the directory "/srv/docker/bridgehead": sudo mkdir -p /srv/docker/; sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead; ``` - -It is recomended to create a user for the bridgehead service. This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one. +Now create a user for the Bridgehead service: ``` shell -useradd -M -g docker -N -s /sbin/nologin bridgehead +sudo useradd -M -g docker -N -s /sbin/nologin bridgehead ``` - -After adding the User you need to change the ownership of the directory to the bridgehead user. +After adding the user you will need to change the ownership of the directory to the Bridgehead user. ``` shell -chown bridgehead /srv/docker/bridgehead/ -R +sudo chown bridgehead /srv/docker/bridgehead/ -R ``` Download the configuration repository: 
@@ -163,78 +93,120 @@ sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-conf ``` Change ownership: ``` shell -chown bridgehead /etc/bridgehead/ -R +sudo chown bridgehead /etc/bridgehead/ -R ``` -Modify SITE_ID and SITE_NAME in bbmri.conf -RUN: - - -```shell -sudo /etc/bridgehead/bridgehead enroll bbmri +Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.: ``` +SITE_ID="toulouse-prod" +SITE_NAME="Toulouse" +``` + +### Register with Beam + +You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above. + +The response will contain your private key for Beam. + +Create a file for this private key: + +``` shell +/etc/bridgehead/pki/$SITE_ID.priv.pem +``` + +### Starting and stopping your Bridgehead + +To start your new Bridgehead, type: ```shell sudo /srv/docker/bridgehead/bridgehead start bbmri ``` +The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times. -### Configuration - -> NOTE: If you are part of the CCP-IT we will provide you another link for the configuration. - -Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can clone the configuration template at [GitHub](https://github.com/samply/bridgehead-config). The confiugration of the bridgehead should be located in /etc/bridghead. - -``` shell -sudo git clone https://github.com/samply/bridgehead-config.git /etc/bridgehead; +To shut down the Bridgehead, type: +```shell +sudo /srv/docker/bridgehead/bridgehead stop bbmri ``` -After cloning or forking the repository you need to add value to the template. If you are a part of the CCP-IT you will get an already filled out config repo. 
+### Auto-starting your Bridgehead when the server starts -### Testing your bridgehead +Using this feature is optional. -We recomend to run first with the start and stop script. If you have trouble starting the bridghead have a look at the troubleshooting section. +Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted. -Now you ready to run a bridgehead instance. The bridgehead scripts checks if your configuration is correct. To check if everything works, execute the following: +In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script: ``` shell -/srv/docker/bridgehead/bridgehead start +sudo /srv/docker/bridgehead/bridgehead install bbmri ``` -You should now be able to access the landing page on your system, e.g "https:///". +This will install the systemd units to run and update the Bridgehead. + +If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows: -To shutdown the bridgehead just run. ``` shell -/srv/docker/bridgehead/bridgehead stop +sudo systemctl edit bridgehead@bbmri.service; ``` -### Local Datamanagement Security +This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. -For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. 
You can do this by executing the [bridgehead](./bridgehead) script: -``` shell -sudo /srv/docker/bridgehead/bridgehead install +``` conf +[Service] +Environment=HOSTIP= +Environment=HOST= +Environment=HTTP_PROXY_USER= +Environment=HTTP_PROXY_PASSWORD= +Environment=HTTPS_PROXY_USER= +Environment=HTTPS_PROXY_PASSWORD= +Environment=CONNECTOR_POSTGRES_PASS= ``` -This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead. +To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service: -### Basic Auth +``` shell +sudo systemctl daemon-reload; +sudo systemctl bridgehead@bbmri.service; +``` -For Data protection we use basic authentification for some services. To access those services you need an username and password combination. -Caution: If you start the bridgehead without the authentification, then those services are not accessible. -We generate such a combination at the first install (`/etc/bridgehead/.local.conf`). +## Additional Services -## Configuration +### Monitoring -#### systemd +We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended. +You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu. +The confirmation of your registration will contain a monitoring API key. + +You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.: +``` conf +MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3 +``` +(your key will be different to the one shown above, obviously). + +Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour. + +### Register with a Directory + +The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. 
Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml). + +Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ). + +Your national node will give you detailed instructions for registering, but for your information, here are the basic steps: + +* Log in to the Directory for your country. +* Add your biobank and enter its details, including contact information for a person involved in running the biobank. +* You will need to create at least one collection. + +## Site-specific configuration ### HTTPS Access -We advise to use https for all service of your bridgehead. HTTPS is enabled on default. For starting the bridghead you need a ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs. +We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs. -The bridgehead create one autotmatic on the first start. However, it will be unsigned and we recomend to get a signed one. +The Bridgehead creates one autotmatically on the first start. 
However, it will be unsigned and we recomend getting a signed one. ### Locally Managed Secrets -This section describes the secrets you need to configure locally through the configuration +This section describes the secrets you may need to configure locally through the configuration | Name | Recommended Value | Description | |--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- | 
@@ -255,77 +227,7 @@ This section describes the secrets you need to configure locally through the con | MAGICPL_OIDC_CLIENT_ID || The client id used for your machine, to connect with the central authentication service | | MAGICPL_OIDC_CLIENT_SECRET || The client secret used for your machine, to connect with the central authentication service | -### Cooperatively Managed Secrets - -> TODO: Describe secrets from site-config - -## Managing your Bridgehead - -> TODO: Rewrite this section (restart, stop, uninstall, manual updates) - -### On a Server - -#### Start - -This will start a not running bridgehead system unit: -``` shell -sudo systemctl start bridgehead@ -``` - -#### Stop - -This will stop a running bridgehead system unit: -``` shell -sudo systemctl stop bridgehead@ -``` - -#### Update - -This will update bridgehead system unit: -``` shell -sudo systemctl start bridgehead-update@ -``` - -#### Remove the Bridgehead System Units - -If, for some reason you want to remove the installed bridgehead units, we added a command to [bridgehead](./bridgehead): -``` shell -sudo /srv/docker/bridgehead/bridgehead uninstall -``` - -### On Developers Machine - -For developers, we provide additional scripts for starting and stopping the specif bridgehead: - -#### Start or stop - -This command starts a specified bridgehead. Choose between "dktk", "c4" and "gbn". -``` shell -/srv/docker/bridgehead/bridgehead start -``` - -#### Stop - -This command stops a specified bridgehead. Choose between "dktk", "c4" and "gbn". -``` shell -/srv/docker/bridgehead/bridgehead stop -``` - -#### Update - -This shell script updates the configuration for all bridgeheads installed on your system. -``` shell -/srv/docker/bridgehead/bridgehead update -``` -> NOTE: If you want to regularly update your developing instance, you can create a CRON job that executes this script. 
- -## Migration Guide - -> TODO: How to transfer from windows/gbn - -## Pitfalls - -### [Git Proxy Configuration](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) +### Git Proxy Configuration Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration: 
@@ -372,59 +274,22 @@ sudo systemctl daemon-reload; sudo systemctl restart docker; ``` -## After the Installtion +### Non-Linux OS -After starting your bridgehead, visit the landing page under the hostname. If you singed your own ssl certificate, there is probable an error message. However, you can accept it as exception. +The installation procedures described above have only been tested under Linux. -On this page, there are all important links to each component, central and local. +Below are some suggestions for getting the installation to work on other operating systems. Note that we are not able to provide support for these routes! -### Connector Administration +We believe that it is likely that installation would also work with FreeBSD and MacOS. -The Connector administration panel allows you to set many of the parameters regulating your Bridgehead. Most especially, it is the place where you can register your site with the Sample Locator. To access this page, proceed as follows: +Under Windows, you have 2 options: -* Open the Connector page: https:///-connector/ -* In the "Local components" box, click the "Samply Share" button. -* A new page will be opened, where you will need to log in using the administrator credentials (admin/adminpass by default). -* After log in, you will be taken to the administration dashboard, allowing you to configure the Connector. -* If this is the first time you have logged in as an administrator, you are strongly recommended to set a more secure password! You can use the "Users" button on the dashboard to do this. +- Virtual machine +- WSL -### GBA/BBMRI-ERIC - -#### Register with a Directory - -The [Directory][directory] is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. 
You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator][negotiator]. - -Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ). - -Your national node will give you detailed instructions for registering, but for your information, here are the basic steps: - -* Log in to the Directory for your country. -* Add your biobank and enter its details, including contact information for a person involved in running the biobank. -* You will need to create at least one collection. -* Note the biobank ID and the collection ID that you have created - these will be needed when you register with the Locator (see below). - -#### Register with a Locator - -* Go to the registration page http://localhost:8082/admin/broker_list.xhtml. -* To register with a Locator, enter the following values in the three fields under "Join new Searchbroker": - * "Address": Depends on which Locator you want to register with: - * `https://locator.bbmri-eric.eu/broker/`: BBMRI Locator production service (European). - * `http://147.251.124.125:8088/broker/`: BBMRI Locator test service (European). - * `https://samplelocator.bbmri.de/broker/`: GBA Sample Locator production service (German). - * `https://samplelocator.test.bbmri.de/broker/`: GBA Sample Locator test service (German). - * "Your email address": this is the email to which the registration token will be returned. 
- * "Automatic reply": Set this to be `Total Size` -* Click "Join" to start the registration process. -* You should now have a list containing exactly one broker. You will notice that the "Status" box is empty. -* Send an email to `feedback@germanbiobanknode.de` and let us know which of our Sample Locators you would like to register to. Please include the biobank ID and the collection ID from your Directory registration, if you have these available. -* We will send you a registration token per email. -* You will then re-open the Connector and enter the token into the "Status" box. -* You should send us an email to let us know that you have done this. -* We will then complete the registration process -* We will email you to let you know that your biobank is now visible in the Sample Locator. - -If you are a Sample Locator administrator, you will need to understand the [registration process](./SampleLocatorRegistration.md). Normal bridgehead admins do not need to worry about this. +We have tested the installation procedure with an Ubuntu 22.04 guest system running on a VMware virtual machine. That worked flawlessly. +Installation under WSL ought to work, but we have not tested this. ## License From b175c55f5ce9970308e8a25b7293153a9f57325b Mon Sep 17 00:00:00 2001 
From: Torben Brenner
Date: Tue, 17 May 2022 18:04:15 +0200
Subject: [PATCH 06/93] Shorten installation by including some installation steps into a shell script
---
 bridgehead | 52 +++++++-------
 lib/functions.sh | 12 ++--
 ...dgehead-units.sh => install-bridgehead.sh} | 20 +++---
 lib/log.sh | 4 +-
 lib/monitoring.sh | 9 ++-
 lib/prepare-system.sh | 67 +++++++++++++++++++
 lib/prerequisites.sh | 26 ++++---
 ...ehead-units.sh => uninstall-bridgehead.sh} | 5 --
 8 files changed, 138 insertions(+), 57 deletions(-)
 rename lib/{setup-bridgehead-units.sh => install-bridgehead.sh} (72%)
 mode change 100755 => 100644 lib/log.sh
 create mode 100755 lib/prepare-system.sh
 rename lib/{remove-bridgehead-units.sh => uninstall-bridgehead.sh} (81%)
diff --git a/bridgehead b/bridgehead
index 3054ebd..ecf4ec0 100755
--- a/bridgehead
+++ b/bridgehead
@@ -29,9 +29,6 @@ case "$PROJECT" in
 ccp)
 #nothing extra to do
 ;;
- nngm)
- #nothing extra to do
- ;;
 bbmri)
 #nothing extra to do
 ;;
@@ -41,28 +38,30 @@ case "$PROJECT" in
 ;;
 esac
 
-# Load variables from /etc/bridgehead and /srv/docker/bridgehead
-set -a
-source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
-if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
- log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
- source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
-fi
-fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
-[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
-set +a
+loadVars() {
+ # Load variables from /etc/bridgehead and /srv/docker/bridgehead
+ set -a
+ source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+ if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
+ log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
+ source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
+ fi
+ fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
+ [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
+ set +a
 
-OVERRIDE=${OVERRIDE:=""}
-if [ -f "$PROJECT/docker-compose.override.yml" ]; then
- log INFO "Applying $PROJECT/docker-compose.override.yml"
- OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
-fi
-
-detectCompose
-setHostname
+ OVERRIDE=${OVERRIDE:=""}
+ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
+ log INFO "Applying $PROJECT/docker-compose.override.yml"
+ OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
+ fi
+ detectCompose
+ setHostname
+}
 
 case "$ACTION" in
 start)
+ loadVars
 hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 checkRequirements
 hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
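Review bot: The only comment inside `loadVars()` still reads `# Load variables from /etc/bridgehead and /srv/docker/bridgehead`, but the function now also assembles `OVERRIDE`, runs `detectCompose` and `setHostname`, and, because it runs under `set -a`, exports everything the sourced files and `fetchVarsFromVaultByFile` define into the environment that every later `exec`'d process inherits. A header above the function should say so, e.g. `# Sources the project config (plus .local.conf and Vault values) with allexport on, so child processes inherit them; also sets OVERRIDE, COMPOSE and the hostname.` Note that the function's body is identical to the top-level code it replaces, so this note concerns documentation of the new function, not its behaviour.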
@@ -70,20 +69,25 @@ case "$ACTION" in exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; stop) + loadVars exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down ;; update) + loadVars exec ./lib/update-bridgehead.sh $PROJECT ;; install) - exec ./lib/setup-bridgehead-units.sh $PROJECT + source ./lib/prepare-system.sh + loadVars + exec ./lib/install-bridgehead.sh $PROJECT ;; uninstall) - exec ./lib/remove-bridgehead-units.sh $PROJECT + exec ./lib/uninstall-bridgehead.sh $PROJECT ;; enroll) + loadVars if [ -e $PRIVATEKEYFILENAME ]; then - echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed." + log ERROR "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed." exit 1 fi docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL diff --git a/lib/functions.sh b/lib/functions.sh index 9296414..a539e0d 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -1,7 +1,5 @@ #!/bin/bash -e -source lib/log.sh - detectCompose() { if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then COMPOSE="docker compose" @@ -37,11 +35,11 @@ checkOwner(){ printUsage() { echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME" - echo "PROJECTNAME should be one of ccp|nngm|bbmri" + echo "PROJECTNAME should be one of ccp|bbmri" } checkRequirements() { - if ! lib/prerequisites.sh; then + if ! lib/prerequisites.sh $@; then log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line." fail_and_report 1 "Validating prerequisites failed." else @@ -120,8 +118,10 @@ fixPermissions() { source lib/monitoring.sh report_error() { - log ERROR "$2" - hc_send $1 "$2" + CODE=$1 + shift + log ERROR "$@" + hc_send $CODE "$@" } fail_and_report() { 
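Review bot: The `enroll` branch generates the Bridgehead's Beam private key inside `samply/beam-enroll:latest`, a mutable tag with no digest, so the most security-sensitive step of the install runs whatever the registry serves under that tag on the day of enrollment; this line is unchanged context, but the commit is what routes `loadVars` and the new `log ERROR` through it, so it is worth fixing while here. Pin the image to a release tag with a digest, e.g. `samply/beam-enroll:<version>@sha256:<digest>`, and quote the path arguments (`--output-file "$PRIVATEKEYFILENAME"`), since `PRIVATEKEYFILENAME` is built from `SITE_ID`, which comes from the site config. The `case "$ACTION"` statement continues outside the hunk.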
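Review bot: In `checkRequirements` the new forwarding is `lib/prerequisites.sh $@`, unquoted, so arguments are re-split and glob-expanded before `prerequisites.sh` sees them; it works today only because the single caller passes the bare word `noprivkey`. The idiomatic form is `if ! lib/prerequisites.sh "$@"; then`. The same hunk also mixes `log "ERROR"` with the `log ERROR` form used elsewhere in the series; picking one style keeps grep-ability.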
diff --git a/lib/setup-bridgehead-units.sh b/lib/install-bridgehead.sh similarity index 72% rename from lib/setup-bridgehead-units.sh rename to lib/install-bridgehead.sh index d258c0b..5e3add3 100755 --- a/lib/setup-bridgehead-units.sh +++ b/lib/install-bridgehead.sh @@ -9,14 +9,9 @@ if [ $# -eq 0 ]; then exit 1 fi -if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then - log "ERROR" "Please provide a supported project like ccp, bbmri or nngm" - exit 1 -fi - export PROJECT=$1 -checkRequirements +checkRequirements noprivkey log "INFO" "Allowing the bridgehead user to start/stop the bridgehead." @@ -33,7 +28,7 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF -# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour) +# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour) if [ -z "$LDM_PASSWORD" ]; then log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!" generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" @@ -42,7 +37,7 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi -log "INFO" "Register system units for bridgehead and bridgehead-update" +log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ lib/systemd/bridgehead-update\@.service \ 
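Review bot: Removing the `ccp|nngm|bbmri` check means `$1` now flows unvalidated into `export PROJECT=$1` and from there into the sudoers heredoc (`Cmnd_Alias BRIDGEHEAD${PROJECT^^}`, `NOPASSWD: BRIDGEHEAD${PROJECT^^}`) and into the `/etc/bridgehead/${PROJECT}.local.conf` path. The wrapper's `case "$PROJECT"` covers the `bridgehead install` route, but this file stays mode 100755 and keeps its own `$# -eq 0` argument check, so running it directly with an arbitrary argument is still supported and would write that argument into a sudoers rule. I would keep a local guard: `case "$1" in ccp|bbmri) ;; *) log ERROR "Unsupported project: $1"; exit 1 ;; esac`.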
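Review bot: The generated `LDM_PASSWORD` is appended to `/etc/bridgehead/${PROJECT}.local.conf` with a plain `>>`, so when the file does not yet exist it is created under the caller's umask — typically 0644, i.e. readable by every local account — and nothing in the hunk tightens it afterwards (the only change here is the typo fix in the TODO). Since the file is git-ignored and exists solely to hold local credentials, create it with a restricted mode: `( umask 077; echo -e "..." >> /etc/bridgehead/${PROJECT}.local.conf )` or a following `chmod 600 /etc/bridgehead/${PROJECT}.local.conf`. Whether the file already exists with a tighter mode at this point I cannot tell from the hunk.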
@@ -61,4 +56,11 @@ systemctl enable bridgehead@"${PROJECT}".service log "INFO" "Enabling auto-updates for bridgehead@${PROJECT}.service ..." systemctl enable --now bridgehead-update@"${PROJECT}".timer -log "INFO" "\nSuccess - now start your bridgehead by running\n systemctl start bridgehead@${PROJECT}.service\n or by rebooting your machine." +STR="\n\n systemctl start bridgehead@${PROJECT}.service\n\nor by rebooting your machine." +if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then + STR="Success. Next, start your bridgehead by running$STR" +else + STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR" +fi + +log "INFO" "$STR" \ No newline at end of file diff --git a/lib/log.sh b/lib/log.sh old mode 100755 new mode 100644 index e05eee7..c00333d --- a/lib/log.sh +++ b/lib/log.sh @@ -1,5 +1,7 @@ #!/bin/bash log() { - echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2" + SEVERITY="$1" + shift + echo -e "$(date +'%Y-%m-%d %T')" "$SEVERITY:" "$@" } diff --git a/lib/monitoring.sh b/lib/monitoring.sh index daa388f..0f609f6 100755 --- a/lib/monitoring.sh +++ b/lib/monitoring.sh @@ -34,8 +34,13 @@ function hc_send(){ fi if [ -z "$USER_AGENT" ]; then - COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8) - COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8) + if [ "$USER" != "root" ]; then + COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8) + COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8) + else + COMMIT_ETC=$(su -c 'git -C /etc/bridgehead rev-parse HEAD' bridgehead | cut -c -8) + COMMIT_SRV=$(su -c 'git -C /srv/docker/bridgehead rev-parse HEAD' bridgehead | cut -c -8) + fi USER_AGENT="srv:$COMMIT_SRV etc:$COMMIT_ETC" fi diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh new file mode 100755 index 0000000..20285f1 --- /dev/null 
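Review bot: In `hc_send` the new branch decides between a direct `git` call and `su -c '…' bridgehead` with `if [ "$USER" != "root" ]`, but `USER` is an environment variable, not a privilege check: it is not guaranteed to be set under systemd units (the callers installed by this same series) and, depending on the sudo/su invocation, may still name the invoking user while the process runs as root — in which case the `su` branch is skipped and `git` is executed as root against a `bridgehead`-owned checkout, which is presumably what the change meant to avoid. Test the effective uid instead: `if [ "$(id -u)" -ne 0 ]; then` (or `[ "$EUID" -ne 0 ]`). A one-line comment on why the `su` is needed (ownership of the two checkouts, set by `prepare-system.sh`) would also help the next reader. The rest of `hc_send` lies outside the hunk.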
+++ b/lib/prepare-system.sh 
@@ -0,0 +1,67 @@ +#!/bin/bash -e + +source lib/log.sh +source lib/functions.sh + +log "INFO" "Preparing your system for bridgehead installation ..." + +# Create the bridgehead user +if id bridgehead &>/dev/null; then + log "INFO" "Existing user with id $(id -u bridgehead) will be used by the bridgehead system units." +else + log "INFO" "Now creating a system user to own the bridgehead's files." + useradd -M -g docker -N bridgehead || fail_and_report "" +fi + +# Clone the OpenSource repository of bridgehead +bridgehead_repository_url="https://github.com/samply/bridgehead.git" +if [ -d "/srv/docker/bridgehead" ]; then + current_owner=$(stat -c '%U' /srv/docker/bridgehead) + if [ "$(su -c 'git -C /srv/docker/bridgehead remote get-url origin' $current_owner)" == "$bridgehead_repository_url" ]; then + log "INFO" "Bridgehead's open-source repository has been found at /srv/docker/bridgehead" + else + log "ERROR" "The directory /srv/docker/bridgehead seems to exist, but doesn't contain a clone of $bridgehead_repository_url\nPlease delete the directory and try again." + exit 1 + fi +else + log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead" + mkdir -p /srv/docker/ + git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam +fi + +case "$PROJECT" in + ccp) + site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-" + ;; + bbmri) + site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/" + ;; + *) + log ERROR "Internal error, this should not happen." + exit 1 + ;; +esac + +# Clone the site-configuration +if [ -d /etc/bridgehead ]; then + current_owner=$(stat -c '%U' /etc/bridgehead) + if [ "$(su -c 'git -C /etc/bridgehead remote get-url origin' $current_owner | grep $site_configuration_repository_middle)" ]; then + log "INFO" "Your site config repository in /etc/bridgehead seems to be installed correctly." 
+ else + log "WARN" "Your site configuration repository in /etc/bridgehead seems to have another origin than git.verbis.dkfz.de. Please check if the repository is correctly cloned!" + fi +else + log "INFO" "Now cloning your site configuration repository for you." + read -p "Please enter your site: " site + read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token + site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git" + git clone $site_configuration_repository_url /etc/bridgehead + if [ $? -gt 0 ]; then + log "ERROR" "Unable to clone your configuration repository. Please obtain correct access data and try again." + fi +fi + +chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead + +log INFO "System preparation is completed and private key is present." + diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index 859b690..8ce7051 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -5,11 +5,11 @@ source lib/functions.sh detectCompose if ! id "bridgehead" &>/dev/null; then - log ERROR "User bridgehead does not exist. Please consult readme for installation." + log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT" exit 1 fi -checkOwner . bridgehead || exit 1 +checkOwner /srv/docker/bridgehead bridgehead || exit 1 checkOwner /etc/bridgehead bridgehead || exit 1 ## Check if user is a su 
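Review bot: The open-source clone passes the variable name instead of its value — `git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam` — so on a fresh host, where `/srv/docker/bridgehead` does not exist yet, the clone fails; it should read `git clone "$bridgehead_repository_url" /srv/docker/bridgehead -b feature/samplyBeam` (and pinning a `feature/` branch for a production install is worth a comment at least). The site-config clone below has the opposite problem: its failure only logs, and because this file is `source`d from the wrapper's `install` action the `-e` in its shebang is not in effect, so the script continues to `chown -R` and prints "System preparation is completed and private key is present" although neither the clone nor any key was verified — `git clone "$site_configuration_repository_url" /etc/bridgehead || fail_and_report 1 "Unable to clone your configuration repository."` would stop there. Embedding `bytoken:${access_token}` in the clone URL also persists the token verbatim in `/etc/bridgehead/.git/config` (git keeps the remote URL as given) and exposes it in the process list during the clone; a credential helper or `GIT_ASKPASS` keeps it out of both. Finally, `useradd -M -g docker -N bridgehead` places the service account in the `docker` group, which is root-equivalent on the host — if that is the intended trust model, say so in a comment next to the `useradd`.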
@@ -62,16 +62,22 @@ if [ -e /etc/bridgehead/vault.conf ]; then fi fi -log INFO "Checking your beam proxy private key" +checkPrivKey() { + if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then + log INFO "Success - private key found." + else + log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions." + return 1 + fi + log INFO "Success - all prerequisites are met!" + hc_send log "Success - all prerequisites are met!" + return 0 +} -if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then - log INFO "Success - private key found." +if [[ "$@" =~ "noprivkey" ]]; then + log INFO "Skipping check for private key for now." else - log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions". - exit 1 + checkPrivKey || exit 1 fi -log INFO "Success - all prerequisites are met!" -hc_send log "Success - all prerequisites are met!" - exit 0 diff --git a/lib/remove-bridgehead-units.sh b/lib/uninstall-bridgehead.sh similarity index 81% rename from lib/remove-bridgehead-units.sh rename to lib/uninstall-bridgehead.sh index fa63ef4..ab1108e 100755 --- a/lib/remove-bridgehead-units.sh +++ b/lib/uninstall-bridgehead.sh @@ -7,11 +7,6 @@ if [ $# -eq 0 ]; then exit 1 fi -if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then - log "ERROR" "Please provide a supported project like ccp, bbmri or nngm" - exit 1 -fi - export PROJECT=$1 #checkRequirements // not needed when uninstalling From a6b7afce40b93994c7efabcaea3f5f2cddb9c0ab Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Fri, 18 Nov 2022 19:02:13 +0100 Subject: [PATCH 07/93] Documentation --- README.md | 263 +++++++++++------------------------------------------- 1 file changed, 51 insertions(+), 212 deletions(-) diff --git a/README.md b/README.md index d93cd0e..715c124 100644 --- a/README.md +++ b/README.md 
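Review bot: The `noprivkey` switch is detected with `[[ "$@" =~ "noprivkey" ]]`, a substring match over all arguments joined with spaces, so any argument merely containing that text (or a future `--noprivkey-foo`) silently skips the private-key check; an exact comparison is safer: `for arg in "$@"; do [ "$arg" = "noprivkey" ] && SKIP_PRIVKEY=1; done`. Moving the `log INFO "Success - all prerequisites are met!"` and the matching `hc_send` inside `checkPrivKey` also means the `noprivkey` path never reports success to monitoring, which may or may not be intended — a short comment on `checkPrivKey` stating that it is the final check and owns the success report would make that explicit.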
@@ -1,9 +1,8 @@ # Bridgehead -A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de). +The Bridgehead is a secure, low-effort solution to connect your research institution to a federated research network. It bundles interoperable, open-source software components into a turnkey package for installation on one of your secure servers. The Bridgehead is pre-configured with sane defaults, centrally monitored and with an absolute minimum of "moving parts" on your side, making it an extremely low-maintenance gateway to data sharing. - -TOC +This repository is the starting point for any information and tools you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de). 1. [Requirements](#requirements) - [Hardware](#hardware) @@ -12,7 +11,7 @@ TOC - [Docker](#docker) 2. [Deployment](#deployment) - [Installation](#installation) - - [Register with Beam](#register-with-beam) + - [Register with Samply.Beam](#register-with-samplybeam) - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead) - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts) 3. [Additional Services](#additional-Services) 
@@ -30,249 +29,89 @@ TOC ### Hardware -To get the most out of your Bridgehead, we recommend the follwing Hardware: +Hardware requirements strongly depend on the specific use-cases of your network as well as on the data it is going to serve. Most use-cases are well-served with the following configuration: - 4 CPU cores -- At least 8 GB Ram -- 100GB Hard Drive, SSD recommended +- 32 GB RAM +- 160GB Hard Drive, SSD recommended -### System +### Software -You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. +You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release. -The following software should be installed: +Ensure the following software (or newer) is installed: -#### Git +- git >= 2.0 +- docker >= 20.10.1 +- docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported). +- systemd -Check if you have at least git 2.0 installed on the system with: - -``` shell -git --version -``` - -#### Docker - -Check the installed Docker version: - -``` shell -docker --version -``` -The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose``` with: - -``` shell -docker-compose --version -``` -The recomended version is "2.XX" and higher. - -If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com). +We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported. 
## Deployment -### Installation +### Base Installation -First, clone the repository to the directory "/srv/docker/bridgehead": +First, clone the repository to the directory `/srv/docker/bridgehead`: + +```shell +sudo mkdir -p /srv/docker/ +sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead +``` + +Then, run the installation script: + +```shell +cd /srv/docker/bridgehead +sudo ./bridgehead install +``` + +... and follow the instructions on the screen. You should then be prompted to do the next step: + +### Register with Samply.Beam + +Many Bridgehead services rely on the secure, performant and flexible messaging middleware called [Samply.Beam](https://github.com/samply/beam). You will need to register ("enroll") with Samply.Beam by creating a cryptographic key pair for your bridgehead: ``` shell -sudo mkdir -p /srv/docker/; -sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead; -``` -Now create a user for the Bridgehead service: - -``` shell -sudo useradd -M -g docker -N -s /sbin/nologin bridgehead -``` -After adding the user you will need to change the ownership of the directory to the Bridgehead user. - -``` shell -sudo chown bridgehead /srv/docker/bridgehead/ -R -``` -Download the configuration repository: - -``` shell -sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-config /etc/bridgehead; -``` -Change ownership: -``` shell -sudo chown bridgehead /etc/bridgehead/ -R -``` -Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.: -``` -SITE_ID="toulouse-prod" -SITE_NAME="Toulouse" +cd /srv/docker/bridgehead +sudo ./bridgehead enroll ``` -### Register with Beam - -You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above. 
- -The response will contain your private key for Beam. - -Create a file for this private key: - -``` shell -/etc/bridgehead/pki/$SITE_ID.priv.pem -``` +... and follow the instructions on the screen. You should then be prompted to do the next step: ### Starting and stopping your Bridgehead -To start your new Bridgehead, type: +If you followed the above steps, your Bridgehead should already be configured to autostart (via systemd). If you would like to start/stop manually: + +To start, run + ```shell -sudo /srv/docker/bridgehead/bridgehead start bbmri +sudo systemctl start bridgehead@.service ``` -The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times. -To shut down the Bridgehead, type: +To stop, run + ```shell -sudo /srv/docker/bridgehead/bridgehead stop bbmri +sudo systemctl stop bridgehead@.service ``` -### Auto-starting your Bridgehead when the server starts +To enable/disable autostart, run -Using this feature is optional. - -Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted. - -In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script: -``` shell -sudo /srv/docker/bridgehead/bridgehead install bbmri +```shell +sudo systemctl [enable|disable] bridgehead@.service ``` -This will install the systemd units to run and update the Bridgehead. - -If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows: - -``` shell -sudo systemctl edit bridgehead@bbmri.service; -``` - -This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. 
- -``` conf -[Service] -Environment=HOSTIP= -Environment=HOST= -Environment=HTTP_PROXY_USER= -Environment=HTTP_PROXY_PASSWORD= -Environment=HTTPS_PROXY_USER= -Environment=HTTPS_PROXY_PASSWORD= -Environment=CONNECTOR_POSTGRES_PASS= -``` - -To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service: - -``` shell -sudo systemctl daemon-reload; -sudo systemctl bridgehead@bbmri.service; -``` - -## Additional Services - -### Monitoring - -We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended. - -You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu. - -The confirmation of your registration will contain a monitoring API key. - -You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.: -``` conf -MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3 -``` -(your key will be different to the one shown above, obviously). - -Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour. - -### Register with a Directory - -The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml). - -Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). 
If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ). - -Your national node will give you detailed instructions for registering, but for your information, here are the basic steps: - -* Log in to the Directory for your country. -* Add your biobank and enter its details, including contact information for a person involved in running the biobank. -* You will need to create at least one collection. - ## Site-specific configuration ### HTTPS Access -We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs. +Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de). -The Bridgehead creates one autotmatically on the first start. However, it will be unsigned and we recomend getting a signed one. - - -### Locally Managed Secrets - -This section describes the secrets you may need to configure locally through the configuration - -| Name | Recommended Value | Description | -|--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- | -| HTTP_PROXY_USER | | Your local http proxy user | -| HOSTIP | Compute with: `docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'` | The ip from which docker containers can reach your host system. 
| -| HOST | Compute with: `hostname` |The hostname from which all components will eventually be available| -| HTTP_PROXY_PASSWORD | |Your local http proxy user's password| -| HTTPS_PROXY_USER | |Your local https proxy user| -| HTTPS_PROXY_PASSWORD || Your local https proxy user's password | -| CONNECTOR_POSTGRES_PASS | Random String |The password for your project specific connector.| -| STORE_POSTGRES_PASS | Random String |The password for your local datamanagements database (only relevant in c4)| -| ML_DB_PASS | Random String |The password for your local patientlist database| -| MAGICPL_API_KEY | Random String |The apiKey used by the local datamanagement to create pseudonymes.| -| MAGICPL_MAINZELLISTE_API_KEY | Random String |The apiKey used by the local id-manager to communicate with the local patientlist| -| MAGICPL_API_KEY_CONNECTOR | Random String |The apiKey used by the connector to communicate with the local patientlist| -| MAGICPL_MAINZELLISTE_CENTRAL_API_KEY | You need to ask the central patientlists admin for this. |The apiKey for your machine to communicate with the central patientlist| -| MAGICPL_CENTRAL_API_KEY | You need to ask the central controlnumbergenerator admin for this. |The apiKey for your machine to communicate with the central controlnumbergenerator| -| MAGICPL_OIDC_CLIENT_ID || The client id used for your machine, to connect with the central authentication service | -| MAGICPL_OIDC_CLIENT_SECRET || The client secret used for your machine, to connect with the central authentication service | - -### Git Proxy Configuration - -Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration: - -``` shell -sudo git config --global http.proxy http://:; -sudo git config --global https.proxy http://:; -``` -> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://:@:". 
-> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to. - -You can check that the updated configuration with - -``` shell -sudo git config --global --list; -``` +## Troubleshooting ### Docker Daemon Proxy Configuration -Docker has a background daemon, responsible for downloading images and starting them. To configure the proxy for this daemon, use the systemctl command: - -``` shell -sudo systemctl edit docker -``` - -This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor, replace and with the corresponding values for your machine and save the file: -``` conf -[Service] -Environment=HTTP_PROXY=http://: -Environment=HTTPS_PROXY=http://: -Environment=FTP_PROXY=http://: -``` -> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://:@:". -> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to. - -The file should now be at the location "/etc/systemd/system/docker.service.d/override.conf". You can proof check with -``` shell -cat /etc/systemd/system/docker.service.d/override.conf; -``` - -To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service: - -``` shell -sudo systemctl daemon-reload; -sudo systemctl restart docker; -``` +Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com). ### Non-Linux OS From 21f90efe968c2bde9575a5542c56932a66db2341 Mon Sep 17 00:00:00 2001 
From: Martin Lablans Date: Mon, 21 Nov 2022 09:27:14 +0100 Subject: [PATCH 08/93] Document network, file structure, monitoring, auto-updates --- README.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/README.md b/README.md index 715c124..82010d6 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,10 @@ Ensure the following software (or newer) is installed: We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported. +### Network + +Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies)) + ## Deployment ### Base Installation 
@@ -107,6 +111,39 @@ sudo systemctl [enable|disable] bridgehead@.service Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de). +### TLS terminating proxies + +All of the Bridgehead's outgoing connections are secured by transport encryption (TLS) and a Bridgehead will refuse to connect if certificate verification fails. If your local forward proxy server performs TLS termination, please place its CA certificate in `/etc/bridgehead/trusted-ca-certs` as a `.pem` file, e.g. `/etc/bridgehead/trusted-ca-certs/mylocalca.pem`. Then, all Bridgehead components will pick up this certificate and trust it for outgoing connections. + +### File structure + +- `/srv/docker/bridgehead` contains this git repository with the shell scripts and *project-specific configuration*. In here, all files are identical for all sites. You should not make any changes here. +- `/etc/bridgehead` contains your *site-specific configuration* synchronized from your site-specific git repository as part of the [base installation](#base-installation). To change anything here, please consult your git repository (find out its URL via `git -C /etc/bridgehead remote -v`). + - `/etc/bridgehead/.conf` is your main site-specific configuration, all bundled into one concise config file. Do not change it here but via the central git repository. + - `/etc/bridgehead/.local.conf` contains site-specific parameters to be known to your Bridgehead only, e.g. local access credentials. The file is ignored via git, and you may edit it here via a text editor. + - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). 
+ - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). + - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. + +Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. + +## Things you should know + +### Auto-Updates + +Your Bridgehead will automatically and regularly check for updates. Whenever something has been updates (e.g., one of the git repositories or one of the docker images), your Bridgehead is automatically restarted. This should happen automatically and does not need any configuration. + +If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@.service` and `systemctl cat bridgehead-update@ Date: Mon, 21 Nov 2022 18:06:30 +0100 Subject: [PATCH 09/93] Migrate monitoring to self-hosted instance --- lib/monitoring.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/monitoring.sh b/lib/monitoring.sh index daa388f..4d28371 100755 --- a/lib/monitoring.sh +++ b/lib/monitoring.sh @@ -14,15 +14,16 @@ UPTIME= USER_AGENT= function hc_send(){ + BASEURL="https://healthchecks.verbis.dkfz.de/ping" if [ -n "$MONITOR_APIKEY" ]; then hc_set_uuid $MONITOR_APIKEY fi if [ -n "$HCSERVICE" ]; then - HCURL="https://hc-ping.com/$PING_KEY/$HCSERVICE" + HCURL="$BASEURL/$PING_KEY/$HCSERVICE" fi if [ -n "$HCUUID" ]; then - HCURL="https://hc-ping.com/$HCUUID" + HCURL="$BASEURL/$HCUUID" fi if [ ! -n "$HCURL" ]; then log WARN "Did not report Healthcheck: Neither Healthcheck UUID nor service set. Please define MONITOR_APIKEY in /etc/bridgehead." 
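Review bot: `BASEURL` on the first added line of the lib/monitoring.sh hunk is assigned without `local`, so every call to hc_send() leaves a global of that name behind in the shell that sources the file; `local BASEURL="https://healthchecks.verbis.dkfz.de/ping"` keeps it function-scoped like the placement suggests. The endpoint is also hard-coded; if a site ever needs a different healthchecks instance, reading an override first (e.g. `local BASEURL="${HC_BASEURL:-https://healthchecks.verbis.dkfz.de/ping}"`, variable name illustrative) keeps the default while making it configurable. hc_send()'s body continues past the end of the hunk.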
From bfb84666af02fff50531ce0bf4ea06578fee7f0b Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Mon, 21 Nov 2022 18:13:40 +0100 Subject: [PATCH 10/93] Warn about ufw --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 82010d6..b57c10e 100644 --- a/README.md +++ b/README.md @@ -46,12 +46,16 @@ Ensure the following software (or newer) is installed: - docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported). - systemd -We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported. +We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). + +Note for Ubuntu: Please note that snap versions of Docker are not supported. ### Network Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies)) +Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker). + ## Deployment ### Base Installation From f359e06875147cdc7121622799f4ba5742c8544d Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 22 Nov 2022 14:24:56 +0100 Subject: [PATCH 11/93] Encryption: Add root certs for CCP, BBMRI --- bbmri/docker-compose.yml | 3 ++- bbmri/root.crt.pem | 20 ++++++++++++++++++++ ccp/docker-compose.yml | 2 ++ ccp/root.crt.pem | 20 ++++++++++++++++++++ 4 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 bbmri/root.crt.pem create mode 100644 ccp/root.crt.pem 
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index b1a47b5..9a97d3a 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -96,13 +96,14 @@ services: RUST_LOG: debug ALL_PROXY: http://forward_proxy:3128 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs + ROOTCERT_FILE: /conf/root.crt.pem secrets: - proxy.pem depends_on: - "forward_proxy" volumes: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - + - ./root.crt.pem:/conf/root.crt.pem:ro volumes: blaze-data: diff --git a/bbmri/root.crt.pem b/bbmri/root.crt.pem new file mode 100644 index 0000000..eae0d4d --- /dev/null +++ b/bbmri/root.crt.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUMy/n0zFRihhVR3aAD54LumzeYdwwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIxMDI1MDczNTA4WhcNMzIx +MDIyMDczNTM3WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL3qWliHIlIT1Qlsyq/NKJ1uj6/AF0STNg5NTNpb +Xqe5rmUqs6jmQepputGStBVe5TthFw56whISv9FqD5s1PZUGyFikW1pJUnF7ZYRf +MfrJHRi1vUnD3Gw36FCot+i6BAxfw/rdp9hoqFZ6erRkULLaYZ5S2cDHN0DWc18V +3VgZ66ah8QXSx7ERRNa/eWRkHrPIYhyVSoKuyZfvbVgsYZADSlviCgIHPrGLerLr +ylNUyuTxJ5RKStOwPn7A+Jp7nRT+MRh9BphA7s6NuK9h+eVe1DiLbIETWyCEfN3Y +INpunatn3QDhqOIfNcuBArjsAj7mg8l5KNba8nUP4v0EJYECAwEAAaN7MHkwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMvc5Fizz1vO +MEG3MIsy7UY69ZNIMB8GA1UdIwQYMBaAFMvc5Fizz1vOMEG3MIsy7UY69ZNIMBYG +A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBb8a5su820 +h8JStJC+KpvXmDrGkwx9bHlEZMgQQejIrwPLEbA32KBvNxdoUxF9q1Y773MKdqbc +cCJwzQXE/NPZ13hCGrEIXs8DgH52GhEB5592k5/bRNcAvUwbZSXPPiT0rgq/eUOt +BYhgN0ov7h1MC5L6CYB/rQwqck7JPlmrXTkh2gix4/dEdBRzsHsn/xlo8ay5QYHG +rx2Adit76eZu/MJoJNzl1r8MPxLqyAie3KcIU54A+UMozLrWEQP/TyOyWZdjUjJt +cBYgkKJTjwdRhc+ehI3kFo7b/a/Z/jl9szKsAPHozMixSi8lGnsYwN80oqeRvT7h +wcMUK+igv3/K +-----END CERTIFICATE----- diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 989cc84..4f417ab 100644 --- a/ccp/docker-compose.yml 
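Review bot: The new `ROOTCERT_FILE` entry and the `./root.crt.pem` bind mount introduce a pinned trust anchor without saying what it anchors; the identical addition appears in the ccp/docker-compose.yml hunk in this commit. A comment above the mount, e.g. `# root.crt.pem: root CA this proxy pins for its broker connection (see ROOTCERT_FILE above); check expiry before rotation`, would tell operators why a certificate is shipped in the repository next to the operator-supplied `trusted-ca-certs` directory. The two committed PEM files differ, so presumably one root per broker; the comment should say which broker each belongs to. The service definition (the Beam proxy, going by the later patch 13 subject) starts before the hunk.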
+++ b/ccp/docker-compose.yml @@ -98,12 +98,14 @@ services: RUST_LOG: debug ALL_PROXY: http://forward_proxy:3128 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs + ROOTCERT_FILE: /conf/root.crt.pem secrets: - proxy.pem depends_on: - "forward_proxy" volumes: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro + - ./root.crt.pem:/conf/root.crt.pem:ro volumes: diff --git a/ccp/root.crt.pem b/ccp/root.crt.pem new file mode 100644 index 0000000..b561218 --- /dev/null +++ b/ccp/root.crt.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUMeGRSrNPhRdQ1tU7uK5+lUa4f38wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIwOTI5MTQxMjU1WhcNMzIw +OTI2MTQxMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMYyroOUeb27mYzClOrjCmgIceLalsFA0aVCh5mZ +KtP8+1U3oq/7exP30gXiJojxW7xoerfyQY9s0Sz5YYbxYbuskFOYEtyAILB/pxgd ++k+J3tlZKolpfmo7WT5tZiHxH/zjrtAYGnuB2xPHRMCWh/tHYrELgXQuilNol24y +GBa1plTlARy0aKEDUHp87WLhD2qH7B8sFlLgo0+gunE1UtR2HMSPF45w3VXszyG6 +fJNrAj0yPnKy3Dm1BMO3jDO2e0A9lCQ71a4j4TeKePfCk1xCArSu6PpiwiacKplF +c6CRR6KrWVm2g+8Y2hFcOBG/Py2xusm3PWbpylGq6vtFRkkCAwEAAaN7MHkwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEFxD6BQwQO5 +xsJ+3cvZypsnh6dDMB8GA1UdIwQYMBaAFEFxD6BQwQO5xsJ+3cvZypsnh6dDMBYG +A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQB5zTeIhV/3 +3Am6O144EFtnIeaZ2w0D6aEHqHAZp50vJv3+uQfOliCOzgw7VDxI4Zz2JALjlR/i +uOYHsu3YIRMIOmPOjqrdDJa6auB0ufL4oUPfCRln7Fh0f3JVlz3BUoHsSDt949p4 +g0nnsciL2JHuzlqjn7Jyt3L7dAHrlFKulCcuidG5D3cqXrRCbF83f+k3TC/HRiNd +25oMi7I4MP/SOCdfQGUGIsHIf/0hSm3pNjDOrC/XuI/8gh2f5io+Y8V+hMwMBcm4 +JbH8bdyBB+EIhsNbTwf2MWntD5bmg47sf7hh23aNvKXI67Li1pTI2t1CqiGnFR0U +fCEpeaEAHs0k +-----END CERTIFICATE----- From 31f4ec9a1db43d8099ac16d4fa4836ccefc294a7 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Wed, 23 Nov 2022 13:37:25 +0100 Subject: [PATCH 12/93] Removed feature branch in install script --- lib/prepare-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 20285f1..2cba2e2 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -26,7 +26,7 @@ if [ -d "/srv/docker/bridgehead" ]; then
 else
 log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead"
 mkdir -p /srv/docker/
- git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam
+ git clone bridgehead_repository_url /srv/docker/bridgehead
 fi
 case "$PROJECT" in
From 6297373ed0c1a435235b65ef5d91f9c0fecb6523 Mon Sep 17 00:00:00 2001
From: Torben Brenner
Date: Fri, 25 Nov 2022 09:22:17 +0100
Subject: [PATCH 13/93] refactor: Removed Debug Logging from Beam Proxy
---
 bbmri/docker-compose.yml | 1 -
 ccp/docker-compose.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 9a97d3a..2433234 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -93,7 +93,6 @@ services:
 APP_0_ID: spot
 APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
 PRIVKEY_FILE: /run/secrets/proxy.pem
- RUST_LOG: debug
 ALL_PROXY: http://forward_proxy:3128
 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
 ROOTCERT_FILE: /conf/root.crt.pem
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 4f417ab..54b2daa 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -95,7 +95,6 @@ services:
 APP_1_ID: report-hub
 APP_1_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
 PRIVKEY_FILE: /run/secrets/proxy.pem
- RUST_LOG: debug
 ALL_PROXY: http://forward_proxy:3128
 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
 ROOTCERT_FILE: /conf/root.crt.pem
From 5593ae38bb969288372c4975f2c70aecbef256e4 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 29 Nov 2022 07:36:05 +0000
Subject: [PATCH 14/93] Retry git fetch/pull to make it more resilient to e.g. network outages
---
 lib/functions.sh | 22 ++++++++++++++++++++++
 lib/update-bridgehead.sh | 4 ++--
 2 files changed, 24 insertions(+), 2 deletions(-)
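Review bot: The new `git clone` line passes the literal word `bridgehead_repository_url` instead of the variable's value, so the clone in the `else` branch cannot succeed even though the log line just above expands `$bridgehead_repository_url` correctly; `git clone "$bridgehead_repository_url" /srv/docker/bridgehead`. Dropping the `-b` flag is the intended change and looks fine. The enclosing `if`/`else` and the rest of the script continue outside the hunk.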
diff --git a/lib/functions.sh b/lib/functions.sh
index a539e0d..4f40fd0 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -136,6 +136,28 @@ setHostname() {
 fi
 }
+# from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
+# ex. use: retry 5 /bin/false
+function retry {
+ local retries=$1
+ shift
+
+ local count=0
+ until "$@"; do
+ exit=$?
+ wait=$((2 ** $count))
+ count=$(($count + 1))
+ if [ $count -lt $retries ]; then
+ echo "Retry $count/$retries exited with code $exit, retrying in $wait seconds..."
+ sleep $wait
+ else
+ echo "Retry $count/$retries exited with code $exit, giving up."
+ return $exit
+ fi
+ done
+ return 0
+}
+
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 3201fc5..fd4806b 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -48,10 +48,10 @@ for DIR in /etc/bridgehead $(pwd); do
 old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
 if [ -z "$HTTP_PROXY_URL" ]; then
 log "INFO" "Git is using no proxy!"
- OUT=$(git -C $DIR fetch 2>&1 && git -C $DIR pull 2>&1)
+ OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1)
 else
 log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
- OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
+ OUT=$(retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
 fi
 if [ $? -ne 0 ]; then
 report_error log "Unable to update git $DIR: $OUT"
From eea0c665a2142dccc090d03b9f65eed617df7372 Mon Sep 17 00:00:00 2001
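Review bot: `exit` and `wait` inside retry() are assigned without `local` (only `retries` and `count` are), so after any call the sourcing script is left with stray globals holding the last exit code and back-off; `local count=0 exit wait` on the existing `local count=0` line fixes that, and a name such as `rc` would avoid a variable confusingly called `exit`. Progress is printed with `echo` to stdout while the rest of lib/functions.sh reports through `log`, so callers that capture stdout (as the update-bridgehead.sh hunk does with `OUT=$(...)`) get these messages mixed into the command output they later log as an error.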
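Review bot: The retry now also wraps `git pull`, whose failures are frequently not transient (a modified working directory is already detected earlier in this script, and merge conflicts are deterministic), so those cases add roughly fifteen seconds of back-off before `$?` is examined and reported. Keeping the retry on the network step only, `OUT=$(retry 5 git -C $DIR fetch 2>&1 && git -C $DIR pull 2>&1)`, preserves the resilience the commit is after; the proxied variant two lines below would change the same way. The `for DIR` loop starts before the hunk.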
From: Martin Lablans Date: Tue, 29 Nov 2022 08:20:51 +0000 Subject: [PATCH 15/93] Don't warn about modified git dir twice --- lib/update-bridgehead.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 3201fc5..cc8d56f 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -38,7 +38,6 @@ for DIR in /etc/bridgehead $(pwd); do log "INFO" "Checking for updates to git repo $DIR ..." OUT="$(git -C $DIR status --porcelain)" if [ -n "$OUT" ]; then - log WARN "The working directory $DIR is modified. Changed files: $OUT" report_error log "The working directory $DIR is modified. Changed files: $OUT" fi if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then From b061bf635039803736066367c154aad8be6c862e Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Mon, 5 Dec 2022 13:18:14 +0100 Subject: [PATCH 16/93] Fixed compose file for exliquid --- ccp/exliquid-compose.yml | 8 +++----- ccp/exliquid-setup.sh | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml index 2c97b83..95bcbea 100644 --- a/ccp/exliquid-compose.yml +++ b/ccp/exliquid-compose.yml 
@@ -17,21 +17,19 @@ services: image: "samply/report-hub:latest" container_name: bridgehead-report-hub environment: - BASE_URL: "http://bridgehead-report-hub:8080" + SPRING_WEBFLUX_BASE_PATH: "/ccp-report-hub" JAVA_TOOL_OPTIONS: "-Xmx1g" LOG_LEVEL: "debug" PROXY_ID: "report-hub.${PROXY_ID}" SECRET: ${REPORTHUB_BEAM_SECRET_SHORT} - TASK_STORE: "http://bridgehead-task-store:8080/fhir" - LDM_URL: http://bridgehead-ccp-blaze:8080/fhir + APP_TASKSTORE_BASEURL: "http://bridgehead-task-store:8080/fhir" + APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir BEAM_PROXY: "http://beam-proxy:8081" restart: always labels: - "traefik.enable=true" - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)" - - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub" - "traefik.http.services.report-ccp.loadbalancer.server.port=8080" - - "traefik.http.routers.report-ccp.middlewares=ccp_t_strip" - "traefik.http.routers.report-ccp.tls=true" volumes: diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh index 59d8877..e1daa11 100644 --- a/ccp/exliquid-setup.sh +++ b/ccp/exliquid-setup.sh @@ -2,7 +2,7 @@ function exliquidSetup() { if [ -n "$EXLIQUID" ]; then - log INFO "EXLIQUID setup detected -- will start Reporthub." + log INFO "EXLIQUID setup detected -- will start Report-Hub." OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml" fi } \ No newline at end of file From ece0dec9c9c044b64f77ccf9801d17dc10644007 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 6 Dec 2022 11:33:45 +0100 Subject: [PATCH 17/93] Rename exliquid docker containers --- ccp/exliquid-compose.yml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml index 95bcbea..9f05977 100644 --- a/ccp/exliquid-compose.yml +++ b/ccp/exliquid-compose.yml 
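Review bot: With the `middlewares` label removed, the `report-ccp` router has no middleware at all, so Traefik forwards every request under `/ccp-report-hub` straight to the container and any access control has to come from the Report-Hub itself; if that is not intended, re-add a `traefik.http.routers.report-ccp.middlewares=…` label referencing the project's authentication middleware. The added `APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir` is the only unquoted URL in the block while its neighbours are quoted; `APP_DATASTORE_BASEURL: "http://bridgehead-ccp-blaze:8080/fhir"` keeps the style uniform. The service definition starts before the hunk.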
@@ -1,36 +1,34 @@ version: "3.7" services: - task-store: + exliquid-task-store: image: "samply/blaze:0.18" - container_name: bridgehead-task-store + container_name: bridgehead-exliquid-task-store environment: - BASE_URL: "http://bridgehead-task-store:8080" + BASE_URL: "http://bridgehead-exliquid-task-store:8080" JAVA_TOOL_OPTIONS: "-Xmx1g" - LOG_LEVEL: "debug" volumes: - - "task-store-data:/app/data" + - "exliquid-task-store-data:/app/data" labels: - "traefik.enable=false" - report-hub: + exliquid-report-hub: image: "samply/report-hub:latest" - container_name: bridgehead-report-hub + container_name: bridgehead-exliquid-report-hub environment: - SPRING_WEBFLUX_BASE_PATH: "/ccp-report-hub" + SPRING_WEBFLUX_BASE_PATH: "/exliquid" JAVA_TOOL_OPTIONS: "-Xmx1g" - LOG_LEVEL: "debug" PROXY_ID: "report-hub.${PROXY_ID}" SECRET: ${REPORTHUB_BEAM_SECRET_SHORT} - APP_TASKSTORE_BASEURL: "http://bridgehead-task-store:8080/fhir" + APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir" APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir BEAM_PROXY: "http://beam-proxy:8081" restart: always labels: - "traefik.enable=true" - - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)" + - "traefik.http.routers.report-ccp.rule=PathPrefix(`/exliquid`)" - "traefik.http.services.report-ccp.loadbalancer.server.port=8080" - "traefik.http.routers.report-ccp.tls=true" volumes: - task-store-data: \ No newline at end of file + exliquid-task-store-data: \ No newline at end of file From af54f0ca04ef8efad53fc72975f7599e8fb615d8 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 6 Dec 2022 11:42:18 +0100 Subject: [PATCH 18/93] Define exliquid sites right inside the common bridgehead scripts --- ccp/exliquid-setup.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh index e1daa11..8102fcb 100644 --- a/ccp/exliquid-setup.sh +++ b/ccp/exliquid-setup.sh 
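Review bot: `exliquid-task-store` has no `restart` policy while `exliquid-report-hub` keeps `restart: always`, so after a Docker daemon restart the task store can stay down although the hub that points at it via `APP_TASKSTORE_BASEURL` comes back; adding `restart: always` under the task store and `depends_on: [exliquid-task-store]` under the hub would make the pair consistent. Whether the hub tolerates an unreachable task store at start-up cannot be told from the compose file. `APP_DATASTORE_BASEURL` remains the only unquoted URL in the renamed block.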
@@ -1,7 +1,18 @@
 #!/bin/bash
 function exliquidSetup() {
- if [ -n "$EXLIQUID" ]; then
+ case ${SITE_ID} in
+ berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
+ EXLIQUID=1
+ ;;
+ dktk-test)
+ EXLIQUID=1
+ ;;
+ *)
+ EXLIQUID=0
+ ;;
+ esac
+ if [[ $EXLIQUID -eq 1 ]]; then
 log INFO "EXLIQUID setup detected -- will start Report-Hub."
 OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
 fi
From 66999178bfd804297416ec24d2e6601270daba74 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 12 Dec 2022 09:22:20 +0100
Subject: [PATCH 19/93] Added space to Override
---
 ccp/exliquid-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index 8102fcb..83daa45 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -14,6 +14,6 @@ function exliquidSetup() {
 esac
 if [[ $EXLIQUID -eq 1 ]]; then
 log INFO "EXLIQUID setup detected -- will start Report-Hub."
- OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
+ OVERRIDE+=" -f ./$PROJECT/exliquid-compose.yml"
 fi
 }
\ No newline at end of file
From 54fbb58f0d8fc8363a9120a6f205923b9b1919ba Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 12 Dec 2022 09:27:50 +0100
Subject: [PATCH 20/93] Added proxy base url
---
 ccp/exliquid-compose.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 9f05977..e629de9 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -20,6 +20,7 @@ services:
 JAVA_TOOL_OPTIONS: "-Xmx1g"
 PROXY_ID: "report-hub.${PROXY_ID}"
 SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+ APP_PROXY_BASEURL: http://beam-proxy:8081
 APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
 APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir
 BEAM_PROXY: "http://beam-proxy:8081"
From 813dbcc76a95b98c52e7c12f7d6055e48d7caf8d Mon Sep 17 00:00:00 2001
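Review bot: The `case` block assigns `EXLIQUID` unconditionally, so a site that enables the module through its own configuration (the `EXLIQUID` variable the removed condition tested) is silently ignored unless its `SITE_ID` appears in the hard-coded list; `*) EXLIQUID=${EXLIQUID:-0} ;;` keeps the operator override while still defaulting to off. The `dktk-test)` branch repeats the first branch's action and can be folded into that pattern list. The function's closing brace lies outside the hunk.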
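Review bot: `APP_PROXY_BASEURL` carries the same value as `BEAM_PROXY` three lines below, so the Beam proxy endpoint is now configured under two names that can drift apart; if `BEAM_PROXY` is the pre-rename key (patch 16 in this series renamed the other endpoints to `APP_*`), dropping it once the image reads the new one avoids that. Quoting the new value, `APP_PROXY_BASEURL: "http://beam-proxy:8081"`, matches the quoted `BEAM_PROXY` line. The service definition starts before the hunk.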
From: Patrick Skowronek Date: Mon, 12 Dec 2022 10:41:18 +0100 Subject: [PATCH 21/93] Fixed beam proxy var url --- ccp/exliquid-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml index e629de9..6ada73a 100644 --- a/ccp/exliquid-compose.yml +++ b/ccp/exliquid-compose.yml @@ -20,7 +20,7 @@ services: JAVA_TOOL_OPTIONS: "-Xmx1g" PROXY_ID: "report-hub.${PROXY_ID}" SECRET: ${REPORTHUB_BEAM_SECRET_SHORT} - APP_PROXY_BASEURL: http://beam-proxy:8081 + APP_BEAM_PROXY_BASEURL: http://beam-proxy:8081 APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir" APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir BEAM_PROXY: "http://beam-proxy:8081" From 99c0e7f28354bcb6ae49f30556df78d1a9e1da07 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Wed, 7 Dec 2022 15:46:19 +0100 Subject: [PATCH 22/93] Added Configuration for Local ID-Management --- ccp/modules/id-management-compose.yml | 75 +++++++++++++++++++++++++++ ccp/modules/id-management-setup.sh | 17 ++++++ ccp/vars | 3 ++ lib/functions.sh | 2 +- 4 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 ccp/modules/id-management-compose.yml create mode 100644 ccp/modules/id-management-setup.sh diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml new file mode 100644 index 0000000..0968048 --- /dev/null +++ b/ccp/modules/id-management-compose.yml 
@@ -0,0 +1,75 @@ +version: "3.7" +services: + id-manager: + image: docker.verbis.dkfz.de/bridgehead/magicpl + environment: + TOMCAT_REVERSEPROXY_FQDN: ${HOST} + MAGICPL_SITE: ${SITE_ID} + MAGICPL_ALLOWED_ORIGINS: https://${HOST} + MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY} + MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY} + MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY} + MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY} + MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID} + MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET} + depends_on: + - patientlist + labels: + - "traefik.enable=true" + - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)" + - "traefik.http.services.id-manager.loadbalancer.server.port=8080" + - "traefik.http.routers.id-manager.tls=true" + + patientlist: + image: docker.verbis.dkfz.de/bridgehead/mainzelliste + environment: + - TOMCAT_REVERSEPROXY_FQDN=${HOST} + - ML_SITE=${SITE_ID} + - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} + - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + # Add Variables from /etc/patientlist-id-generators.env + - ML_BK_IDGENERATOR_RANDOM_1 + - ML_BK_IDGENERATOR_RANDOM_2 + - ML_BK_IDGENERATOR_RANDOM_3 + - ML_MDS_IDGENERATOR_RANDOM_1 + - ML_MDS_IDGENERATOR_RANDOM_2 + - ML_MDS_IDGENERATOR_RANDOM_3 + - ML_DKTK000001985_IDGENERATOR_RANDOM_1 + - ML_DKTK000001985_IDGENERATOR_RANDOM_2 + - ML_DKTK000001985_IDGENERATOR_RANDOM_3 + - ML_DKTK000001986_IDGENERATOR_RANDOM_1 + - ML_DKTK000001986_IDGENERATOR_RANDOM_2 + - ML_DKTK000001986_IDGENERATOR_RANDOM_3 + - ML_DKTK000001950_IDGENERATOR_RANDOM_1 + - ML_DKTK000001950_IDGENERATOR_RANDOM_2 + - ML_DKTK000001950_IDGENERATOR_RANDOM_3 + - ML_DKTK000001951_IDGENERATOR_RANDOM_1 + - ML_DKTK000001951_IDGENERATOR_RANDOM_2 + - ML_DKTK000001951_IDGENERATOR_RANDOM_3 + - ML_DKTK999999999_IDGENERATOR_RANDOM_1 + - 
ML_DKTK999999999_IDGENERATOR_RANDOM_2 + - ML_DKTK999999999_IDGENERATOR_RANDOM_3 + - ML_DKTK000002089_IDGENERATOR_RANDOM_1 + - ML_DKTK000002089_IDGENERATOR_RANDOM_2 + - ML_DKTK000002089_IDGENERATOR_RANDOM_3 + labels: + - "traefik.enable=true" + - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)" + - "traefik.http.services.patientlist.loadbalancer.server.port=8080" + - "traefik.http.routers.patientlist.tls=true" + depends_on: + - patientlist-db + + patientlist-db: + image: postgres:14-alpine + environment: + POSTGRES_USER: "mainzelliste" + POSTGRES_DB: "mainzelliste" + POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD} + volumes: + - "patientlist-db-data:/var/lib/postgresql/data" + +volumes: + patientlist-db-data: + diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh new file mode 100644 index 0000000..ca939fb --- /dev/null +++ b/ccp/modules/id-management-setup.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +function idManagementSetup() { + if [ -n "$ENABLE_ID_MANAGEMENT" ]; then + log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." + OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" + + # Auto Generate local Passwords + PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" + + # Source the ID Generators Configuration + source /etc/bridgehead/patientlist-id-generators.env + log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}" + fi + +} diff --git a/ccp/vars b/ccp/vars index 63def80..89deae0 100644 --- a/ccp/vars +++ b/ccp/vars 
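Review bot: The `id-manager` and `patientlist` routers are published with `tls=true` but no `middlewares` label, so authentication of requests to `/id-manager` and `/patientlist` rests entirely on the application-side API keys and OIDC settings passed in the environment; if the Bridgehead's other routers sit behind an auth middleware, a comment explaining why these two deliberately do not would save the next reviewer the question. Secrets are interpolated as `${PATIENTLIST_POSTGRES_PASSWORD}` and similar, which expand to an empty string when unset; the `${PATIENTLIST_POSTGRES_PASSWORD:?}` form makes compose refuse to start rather than bring up the patient list with empty credentials. None of the three services declares a `restart` policy. `id-manager` is pulled without a tag and `patientlist-db` by the floating `postgres:14-alpine` tag, so updates are not reproducible.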
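Review bot: `log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"` writes a value from `/etc/bridgehead/patientlist-id-generators.env` to the log; if, as the variable name suggests, these are the random seeds of the ID generators, they should not end up in log output, and a message confirming the file was loaded is enough. The `source` has no existence check, so a missing file surfaces only as an unclear error later; `[ -r /etc/bridgehead/patientlist-id-generators.env ] || fail_and_report 1 "patientlist-id-generators.env missing"` (exit code illustrative) fails early. The password derivation uses `openssl rsautl`, which is deprecated since OpenSSL 3.0 in favour of `pkeyutl`, and the sign-a-fixed-string construction deserves a comment stating that the password is intentionally deterministic per site key. `IDMANAGER_LOCAL_PATIENTLIST_APIKEY` is regenerated on every run, which only works as long as both consuming services are always restarted together.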
@@ -8,6 +8,9 @@ REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRE SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem +# This will load id-management setup. Effective only if id-management configuration is defined. +source $PROJECT/modules/id-management-setup.sh +idManagementSetup # This will load nngm setup. Effective only if nngm configuration is defined. source $PROJECT/nngm-setup.sh nngmSetup diff --git a/lib/functions.sh b/lib/functions.sh index 4f40fd0..355ebaa 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -131,7 +131,7 @@ fail_and_report() { setHostname() { if [ -z "$HOST" ]; then - export HOST=$(hostname -f) + export HOST=$(hostname -f | tr "[:upper:]" "[:lower:]") log DEBUG "Using auto-detected hostname $HOST." fi } From 5e063003ace490b3835e30fcebbafd6465ed4586 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Tue, 13 Dec 2022 16:51:32 +0100 Subject: [PATCH 23/93] feature: Added automated Backups for PostgreSQL --- README.md | 9 +++++++ ccp/modules/id-management-compose.yml | 11 ++++---- lib/functions.sh | 11 ++++++++ lib/install-bridgehead.sh | 10 ++++--- lib/update-bridgehead.sh | 39 +++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b57c10e..24ebdf2 100644 --- a/README.md +++ b/README.md 
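Review bot: The added `tr "[:upper:]" "[:lower:]"` in setHostname() changes what `HOST` looks like for every consumer, but nothing says why; a comment above the line, e.g. `# lower-case the FQDN so HOST is stable wherever it is reused (URLs, allowed origins)`, keeps the next maintainer from reverting it as noise. The log line still says "auto-detected hostname", which is fine, but it now prints the normalised value rather than what `hostname -f` returned.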
@@ -128,6 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. +- `/var/data/bridgehead` contains persistent data of the bridgehead + - `/var/data/bridgehead/backups` contains automatically created backups of the databases. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. @@ -139,6 +141,13 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@.service` and `systemctl cat bridgehead-update@ \ + "$1/$2/$(date +%Y-KW%V).sql" +} + + # from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746 # ex. use: retry 5 /bin/false function retry { diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index 5e3add3..7cbd8ef 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh 
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@*.service, \\ - /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\ - /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead + /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\ + /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF @@ -37,6 +37,10 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi +log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data." +mkdir -p /var/data/bridgehead +chown -R bridgehead /var/data/bridgehead + log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ @@ -63,4 +67,4 @@ else STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR" fi -log "INFO" "$STR" \ No newline at end of file +log "INFO" "$STR" diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 897c8a2..cc1d55f 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
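Review bot: `mkdir -p /var/data/bridgehead` followed by `chown -R bridgehead` creates the persistent-data root (and later the `backups` subtree the README hunk documents) with whatever mode the installer's umask yields, typically 0755; `install -d -m 0750 -o bridgehead /var/data/bridgehead` does both steps with a restrictive mode in one call. The backups are described as encrypted elsewhere in this commit, but the directory mode is still the first line of defence should a plain dump ever land there. The sudoers hunk above extends the NOPASSWD `chown -R` to the same path, which is consistent with this.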
@@ -1,6 +1,45 @@
 #!/bin/bash
 source lib/functions.sh
+AUTO_BACKUP=${AUTO_BACKUP:-true}
+
+if [ "$AUTO_BACKUP" == "true" ]; then
+ BACKUP_DIRECTORY="/var/data/bridgehead/backups"
+ if [ ! -d /var/data ]; then
+ log DEBUG "Created /var/data"
+ mkdir /var/data
+ fi
+ if [ ! -d /var/data/bridgehead ]; then
+ log DEBUG "Created /var/data/bridgehead"
+ mkdir /var/data/bridgehead
+ fi
+ if [ ! -d $BACKUP_DIRECTORY ]; then
+ message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
+ hc_send log "$message"
+ log INFO "$message"
+ mkdir -p $BACKUP_DIRECTORY
+ fi
+ BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
+ log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
+ for service in $BACKUP_SERVICES; do
+ if [ ! -d $BACKUP_DIRECTORY/$service ]; then
+ message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
+ hc_send log "$message"
+ log INFO "$message"
+ mkdir -p $BACKUP_DIRECTORY/$service
+ fi
+ if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
+ message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
+ hc_send log "$message"
+ log INFO "$message"
+ else
+ fail_and_report 5 "Failed to create encrypted update for $service"
+ fi
+ done
+else
+ log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
+fi
+
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
From 125bb5e26232be6f5279d1fb771a99710d8fe012 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 15 Dec 2022 16:39:03 +0100 Subject: [PATCH 24/93] refactor: Changed Trigger of the IDM Module --- ccp/modules/id-management-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index ca939fb..790f846 100644
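Review bot: The `else` branch of the new `AUTO_BACKUP` block logs `variable AUTO_BACKUPS != "true"` although the variable actually read is `AUTO_BACKUP`, and the failure branch reports `Failed to create encrypted update for $service` for what is a backup; an operator following the log will set the wrong knob, so the two lines should read `log WARN "Automated backups are disabled (variable AUTO_BACKUP != \"true\")"` and `fail_and_report 5 "Failed to create encrypted backup for $service"`. `BACKUP_SERVICES` is filled from `docker ps --filter ancestor=postgres:14-alpine`, so a PostgreSQL container started from any other tag is silently left out and an empty list lets the run finish as a success; a guard such as `[ -n "$BACKUP_SERVICES" ] || log WARN "No postgres:14-alpine containers found, nothing was backed up"` would make that visible. The bare `mkdir /var/data` calls also presume the updater runs with enough privilege to create directories under /var, which is not visible here. The identical hunk recurs in PATCH 31 at L70.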
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 function idManagementSetup() {
- if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+ if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
 log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
From bc72093be9c42db534d12a4d418106cf7e21409d Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 15 Dec 2022 16:39:23 +0100 Subject: [PATCH 25/93] docs: Added Documentation for the IDM Module --- ccp/modules/id-management.md | 58 ++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 ccp/modules/id-management.md
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
new file mode 100644
index 0000000..8de2f5a
--- /dev/null
+++ b/ccp/modules/id-management.md
@@ -0,0 +1,58 @@ +# Module: Id-Management +This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf). + +## Getting Started +You must add following configuration variables to your sites-configuration repository: + +``` +IDMANAGER_CENTRAXX_APIKEY="" +IDMANAGER_CONNECTOR_APIKEY="" +IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="" +IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="" +IDMANAGER_AUTH_CLIENT_ID="" +IDMANAGER_AUTH_CLIENT_SECRET="" +``` + +Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects. + +After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server: + +- `bridgehead-id-manager`, accessible by "https:///id-manager". This component adds a common interface for creating pseudonymes in the bridgehead. +- `bridgehead-patientlist`, accessible by "https:// NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL). + +After this, you can restart your bridgehead and the dump will be imported: +``` +systemctl start bridgehead@ccp +``` + +### How to connect your local data-management +Typically, the sites connect their local data-management for the pseudonym creation with the id-management in the bridgehead. In the following two sections, you can read where you can change the configuration: +#### Sites using CentraXX +On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file. +``` +dktk.idmanagement.url=https:///id-manager/translator/getId +dktk.idmanagement.apiKey= +``` +They typically already exist, but need to be changed to the new values! 
+#### Sites using ADT2FHIR
+@Pierre
+
+
+### How to connect the legacy windows bridgehead
+You need to change the configuration file "..." of your Windows Bridgehead. TODO...
From 276be28db1792c4f276191e24bbb3b7cbd8f852c Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 16 Dec 2022 12:02:49 +0100 Subject: [PATCH 26/93] fix: Included Legacy ID-Mapping (Please Complete) --- ccp/modules/id-management-compose.yml | 6 +++--- ccp/modules/id-management-setup.sh | 24 ++++++++++++++++++++++-- ccp/modules/id-management.md | 6 +++--- 3 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index d1639af..4baaba7 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -5,11 +5,11 @@ services:
 container_name: bridgehead-id-manager
 environment:
 TOMCAT_REVERSEPROXY_FQDN: ${HOST}
- MAGICPL_SITE: ${SITE_ID}
+ MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
 MAGICPL_ALLOWED_ORIGINS: https://${HOST}
 MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
- MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
- MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+ MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY}
+ MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
 MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
 MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
 MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 790f846..d2449c7 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
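Review bot: `MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}` now depends on a variable that is only exported by `legacyIdMapping` in this commit's setup script; if that function is not reached, or the compose file is used on its own, compose substitutes an empty string and the ID manager starts with an empty site, silently issuing pseudonyms under the wrong identifier. The required-variable form, `MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID:?set by id-management-setup.sh}`, makes compose fail fast instead. The renamed `MAGICPL_CENTRAXX_APIKEY` and `MAGICPL_CONNECTOR_APIKEY` values are secrets, and quoting them (`"${IDMANAGER_UPLOAD_APIKEY}"`) guards against a key that happens to parse as a number or boolean. The same hunk recurs in PATCH 34 at L73.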
@@ -1,7 +1,7 @@
 #!/bin/bash
 function idManagementSetup() {
- if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
+ if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
@@ -11,7 +11,27 @@ function idManagementSetup() {
 # Source the ID Generators Configuration
 source /etc/bridgehead/patientlist-id-generators.env
- log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+
+ # Ensure old ids are working !!!
+ legacyIdMapping
 fi
 }
+
+# TODO: Map all old site ids to the new ones
+function legacyIdMapping() {
+ case ${SITE_ID} in
+ "berlin")
+ export IDMANAGEMENT_FRIENDLY_ID=Berlin
+ ;;
+ "dresden")
+ export IDMANAGEMENT_FRIENDLY_ID=Dresden
+ ;;
+ "frankfurt")
+ export IDMANAGEMENT_FRIENDLY_ID=Frankfurt
+ ;;
+ *)
+ export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID
+ ;;
+ esac
+}
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 8de2f5a..89ff65c 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -5,8 +5,8 @@ This module provides integration with the CCP-Pseudonymiziation Service. To lear
 You must add following configuration variables to your sites-configuration repository:
 ```
-IDMANAGER_CENTRAXX_APIKEY=""
-IDMANAGER_CONNECTOR_APIKEY=""
+IDMANAGER_UPLOAD_APIKEY=""
+IDMANAGER_READ_APIKEY=""
 IDMANAGER_CENTRAL_PATIENTLIST_APIKEY=""
 IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY=""
 IDMANAGER_AUTH_CLIENT_ID=""
@@ -47,7 +47,7 @@ Typically, the sites connect their local data-management for the pseudonym creat
 On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
 ```
 dktk.idmanagement.url=https:///id-manager/translator/getId
-dktk.idmanagement.apiKey=
+dktk.idmanagement.apiKey=
 ```
 They typically already exist, but need to be changed to the new values!
 #### Sites using ADT2FHIR
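Review bot: `legacyIdMapping` falls through to `export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID` for every site outside its three-entry table and records nothing about which value was chosen; because the friendly id ends up in the pseudonym type `BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID` (mtba-compose.yml later in this series), a site whose legacy id differs in casing or spelling gets a new id type with no trace in the log. A `log DEBUG "Mapped SITE_ID ${SITE_ID} to ID-Management friendly id ${IDMANAGEMENT_FRIENDLY_ID}"` after the `esac` (no secret involved) and a comment naming where the authoritative site list lives, in place of the bare `# TODO`, would make that diagnosable. `case ${SITE_ID} in` would also read better as `case "${SITE_ID}" in`, matching the quoting in the `if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]` test above. The same hunks recur in PATCH 34 at L74.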
From 828312e04510315dd9ee87c3d5b9f53a4099852d Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Fri, 2 Dec 2022 15:38:33 +0100 Subject: [PATCH 27/93] Added MTBA Module --- ccp/mtba-compose.yml | 33 +++++++++++++++++++++++++++++++++ ccp/nngm-setup.sh | 12 ++++++++++++ ccp/vars | 1 + 3 files changed, 46 insertions(+) create mode 100644 ccp/mtba-compose.yml diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml new file mode 100644 index 0000000..53fd327 --- /dev/null +++ b/ccp/mtba-compose.yml 
@@ -0,0 +1,33 @@
+version: "3.7"
+
+services:
+ mtba:
+ image: samply/mtba:develop
+ container_name: bridgehead-mtba
+ environment:
+ BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
+ # NOTE: Aktuell Berechtigungen wie MagicPL!!!
+ # TODO: Add separate ApiKey to Patientlist only for MTBA!
+ ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+ ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
+ ID_MANAGER_URL: http://bridgehead-id-manager:8080
+ PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
+ PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"}
+ PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"}
+ PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"}
+ CBIOPORTAL_URL: http://bridgehead-ccp-cbioportal:8080
+ MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"
+ - "traefik.http.services.mtba.loadbalancer.server.port=80"
+ - "traefik.http.routers.mtba.tls=true"
+ volumes:
+ # This directory persists the FHIR Resources that are needed to import data into blaze.
+ - /var/data/bridgehead/mtba:/app/mtba-files/persist
+ # Place new import files in this directory
+ - /tmp/bridgehead/mtba/:/app/mtba-files/input
+
+ # TODO: Include CBioPortal in Deployment ...
+ # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
+ # TODO: Find a trigger to let mtba signal a restart for CBioPortal
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index d5b80eb..b55d48e 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
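Review bot: The router rule PathPrefix(`/`) in the `traefik.http.routers.mtba.rule` label registers MTBA as a catch-all on the shared Traefik entrypoint with no auth middleware, so every request path not claimed by a more specific router reaches a service that accepts patient files and carries an ID-manager API key; the other modules in this series use a dedicated prefix (`/id-manager`, `/patientlist`), and a `/mtba` prefix would follow that convention. The input bind mount `/tmp/bridgehead/mtba/:/app/mtba-files/input` lives under world-writable `/tmp`, so any local account can drop a CSV that is then pseudonymised and imported as genuine data, and the directory may be purged on reboot; `/var/data/bridgehead/mtba/input`, next to the persist mount in the same hunk, avoids both. `image: samply/mtba:develop` is a mutable tag, so each restart may pull different code; a release tag or digest would pin it. The `${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}` defaults appear to pass the literal quote characters into the container environment, since compose inserts the default text verbatim; worth confirming with `docker compose config`. The same file is added again in PATCH 35 at L76.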
@@ -7,3 +7,15 @@ function nngmSetup() {
 fi
 CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
+
+function mtbaSetup() {
+ # TODO: Check if ID-Management Module is activated!
+ if [ -n "$ENABLE_MTBA" ];then
+ log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
+ if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+ log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
+ exit 1;
+ fi
+ OVERRIDE+=" -f ./$PROJECT/mtba-compose.yml"
+ fi
+}
diff --git a/ccp/vars b/ccp/vars
index 89deae0..5172d24 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -16,3 +16,4 @@ source $PROJECT/nngm-setup.sh
 nngmSetup
 source $PROJECT/exliquid-setup.sh
 exliquidSetup
+mtbaSetup
\ No newline at end of file
From e1e7ffece8899a57ce6c22b1e5f55ebdf083225c Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Fri, 16 Dec 2022 15:01:04 +0100 Subject: [PATCH 28/93] set magicpl instead of patientlist --- ccp/mtba-compose.yml | 4 ++-- ccp/nngm-setup.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index 53fd327..d492ae0 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -7,8 +7,8 @@ services:
 environment:
 BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
 # NOTE: Aktuell Berechtigungen wie MagicPL!!!
- # TODO: Add separate ApiKey to Patientlist only for MTBA!
- ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+ # TODO: Add separate ApiKey to MagicPL only for MTBA!
+ ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY}
 ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
 ID_MANAGER_URL: http://bridgehead-id-manager:8080
 PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
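Review bot: The guard `if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then` inside the new `mtbaSetup` aborts exactly when the ID-management key is present, i.e. when the module MTBA depends on is configured, so the override can only be appended while ID management is absent (PATCH 28 at L63 flips the sense). On that abort path `exit 1;` terminates whatever shell sourced `ccp/vars` (presumably the bridgehead entry script, not visible here) and bypasses `fail_and_report`, which the updater uses at L55 and which also reports via `hc_send`; `fail_and_report 1 "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"` keeps the failure on the monitored path. The `# TODO: Check if ID-Management Module is activated!` comment describes what the `if` just below it already does and can be dropped. The same hunk recurs in PATCH 35 at L77.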
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index b55d48e..ba2e77f 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -12,7 +12,7 @@ function mtbaSetup() {
 # TODO: Check if ID-Management Module is activated!
 if [ -n "$ENABLE_MTBA" ];then
 log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
- if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+ if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
 exit 1;
 fi
From c9bb317cd2d79e3a226510a956593c0053ceaa28 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Wed, 4 Jan 2023 14:00:08 +0100 Subject: [PATCH 29/93] Fixed vars in exliquid compose --- ccp/exliquid-compose.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 6ada73a..e21617a 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -18,12 +18,11 @@ services:
 environment:
 SPRING_WEBFLUX_BASE_PATH: "/exliquid"
 JAVA_TOOL_OPTIONS: "-Xmx1g"
- PROXY_ID: "report-hub.${PROXY_ID}"
- SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+ APP_BEAM_APPID: "report-hub.${PROXY_ID}"
+ APP_BEAM_SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
 APP_BEAM_PROXY_BASEURL: http://beam-proxy:8081
 APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
 APP_DATASTORE_BASEURL: http://bridgehead-ccp-blaze:8080/fhir
- BEAM_PROXY: "http://beam-proxy:8081"
 restart: always
 labels:
 - "traefik.enable=true"
From 6d24dbce7f9710dc4050ec62fc6016273bd38cd4 Mon Sep 17 00:00:00 2001
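Review bot: `if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then` is the double-negative spelling of `if [ -z "$IDMANAGER_UPLOAD_APIKEY" ]; then`, which is the idiom this repository uses elsewhere (`if [ -z "$HOST" ]` in lib/functions.sh, `if [ -z "$LDM_PASSWORD" ]` in the installer) and is harder to misread the next time the sense is touched. The enclosing `mtbaSetup` function starts before this hunk. PATCH 36 repeats this change beyond the visible range.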
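Review bot: `APP_BEAM_SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}` stays an unquoted plain scalar while its new sibling `APP_BEAM_APPID: "report-hub.${PROXY_ID}"` is quoted; a secret whose expansion happens to look like a number, boolean or `key: value` pair is retyped or mis-parsed by the YAML loader before compose sees it, so write `APP_BEAM_SECRET: "${REPORTHUB_BEAM_SECRET_SHORT}"`. `APP_BEAM_PROXY_BASEURL` and `APP_DATASTORE_BASEURL` are unquoted in the same `environment:` map for no visible reason either; one quoting convention for the whole map is easier to audit.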
From: Torben Brenner Date: Wed, 7 Dec 2022 15:46:19 +0100 Subject: [PATCH 30/93] Added Configuration for Local ID-Management --- ccp/modules/id-management-compose.yml | 75 +++++++++++++++++++++++++++ ccp/modules/id-management-setup.sh | 17 ++++++ ccp/vars | 3 ++ lib/functions.sh | 2 +- 4 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 ccp/modules/id-management-compose.yml create mode 100644 ccp/modules/id-management-setup.sh diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml new file mode 100644 index 0000000..0968048 --- /dev/null +++ b/ccp/modules/id-management-compose.yml 
@@ -0,0 +1,75 @@
+version: "3.7"
+services:
+ id-manager:
+ image: docker.verbis.dkfz.de/bridgehead/magicpl
+ environment:
+ TOMCAT_REVERSEPROXY_FQDN: ${HOST}
+ MAGICPL_SITE: ${SITE_ID}
+ MAGICPL_ALLOWED_ORIGINS: https://${HOST}
+ MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+ MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
+ MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+ MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
+ MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+ MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
+ MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
+ depends_on:
+ - patientlist
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
+ - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
+ - "traefik.http.routers.id-manager.tls=true"
+
+ patientlist:
+ image: docker.verbis.dkfz.de/bridgehead/mainzelliste
+ environment:
+ - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+ - ML_SITE=${SITE_ID}
+ - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
+ - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+ # Add Variables from /etc/patientlist-id-generators.env
+ - ML_BK_IDGENERATOR_RANDOM_1
+ - ML_BK_IDGENERATOR_RANDOM_2
+ - ML_BK_IDGENERATOR_RANDOM_3
+ - ML_MDS_IDGENERATOR_RANDOM_1
+ - ML_MDS_IDGENERATOR_RANDOM_2
+ - ML_MDS_IDGENERATOR_RANDOM_3
+ - ML_DKTK000001985_IDGENERATOR_RANDOM_1
+ - ML_DKTK000001985_IDGENERATOR_RANDOM_2
+ - ML_DKTK000001985_IDGENERATOR_RANDOM_3
+ - ML_DKTK000001986_IDGENERATOR_RANDOM_1
+ - ML_DKTK000001986_IDGENERATOR_RANDOM_2
+ - ML_DKTK000001986_IDGENERATOR_RANDOM_3
+ - ML_DKTK000001950_IDGENERATOR_RANDOM_1
+ - ML_DKTK000001950_IDGENERATOR_RANDOM_2
+ - ML_DKTK000001950_IDGENERATOR_RANDOM_3
+ - ML_DKTK000001951_IDGENERATOR_RANDOM_1
+ - ML_DKTK000001951_IDGENERATOR_RANDOM_2
+ - ML_DKTK000001951_IDGENERATOR_RANDOM_3
+ - ML_DKTK999999999_IDGENERATOR_RANDOM_1
+ - ML_DKTK999999999_IDGENERATOR_RANDOM_2
+ - ML_DKTK999999999_IDGENERATOR_RANDOM_3
+ - ML_DKTK000002089_IDGENERATOR_RANDOM_1
+ - ML_DKTK000002089_IDGENERATOR_RANDOM_2
+ - ML_DKTK000002089_IDGENERATOR_RANDOM_3
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
+ - "traefik.http.services.patientlist.loadbalancer.server.port=8080"
+ - "traefik.http.routers.patientlist.tls=true"
+ depends_on:
+ - patientlist-db
+
+ patientlist-db:
+ image: postgres:14-alpine
+ environment:
+ POSTGRES_USER: "mainzelliste"
+ POSTGRES_DB: "mainzelliste"
+ POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
+ volumes:
+ - "patientlist-db-data:/var/lib/postgresql/data"
+
+volumes:
+ patientlist-db-data:
+
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
new file mode 100644
index 0000000..ca939fb
--- /dev/null
+++ b/ccp/modules/id-management-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+function idManagementSetup() {
+ if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+ log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
+ OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
+
+ # Auto Generate local Passwords
+ PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+
+ # Source the ID Generators Configuration
+ source /etc/bridgehead/patientlist-id-generators.env
+ log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+ fi
+
+}
diff --git a/ccp/vars b/ccp/vars
index 63def80..89deae0 100644
--- a/ccp/vars
+++ b/ccp/vars
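Review bot: `patientlist-db` is the only service in the new id-management-compose.yml without a Traefik label: `id-manager` and `patientlist` opt in with `traefik.enable=true`, and the exliquid task-store elsewhere in this series opts out explicitly with `traefik.enable=false`, which suggests the Docker provider may be running with `exposedByDefault` (not visible here); if so, the database container receives an auto-generated router. Giving `patientlist-db` its own `labels:` with `- "traefik.enable=false"` removes the ambiguity either way. None of the three services declares a `restart:` policy, unlike `restart: always` on report-hub in exliquid-compose.yml, so a crashed patient list stays down until the next update run. The secret-valued entries (`MAGICPL_*_APIKEY`, `ML_DB_PASS`, `POSTGRES_PASSWORD`) would be safer quoted so the YAML loader never retypes them.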
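Review bot: `PATIENTLIST_POSTGRES_PASSWORD` is derived by signing the fixed string "This is a salt string to generate one consistent password. ..." with the site's private key, exactly as `CONNECTOR_POSTGRES_PASSWORD` is in ccp/nngm-setup.sh (L62); RSA PKCS#1 v1.5 signatures are deterministic, so both databases end up with the identical password and a leak from either service unlocks the other. Feeding a service-specific input, e.g. `echo "patientlist-db password derivation" | openssl ...`, keeps the derivation reproducible while separating the credentials, and `openssl rsautl` is deprecated in OpenSSL 3 in favour of `openssl pkeyutl -sign`. `log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"` writes a value sourced from the generators secrets file to the log; it is removed later in this series but should not be introduced at all. `IDMANAGER_LOCAL_PATIENTLIST_APIKEY` is regenerated from the kernel RNG on every run, which only works while both containers are always recreated together; a comment stating that assumption would help the next maintainer.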
@@ -8,6 +8,9 @@ REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRE
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+# This will load id-management setup. Effective only if id-management configuration is defined.
+source $PROJECT/modules/id-management-setup.sh
+idManagementSetup
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
diff --git a/lib/functions.sh b/lib/functions.sh
index 4f40fd0..355ebaa 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -131,7 +131,7 @@ fail_and_report() {
 setHostname() {
 if [ -z "$HOST" ]; then
- export HOST=$(hostname -f)
+ export HOST=$(hostname -f | tr "[:upper:]" "[:lower:]")
 log DEBUG "Using auto-detected hostname $HOST."
 fi
 }
From 1ffc9b9cd581e592c42a8ac2c881045aa39c1c3c Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Tue, 13 Dec 2022 16:51:32 +0100 Subject: [PATCH 31/93] feature: Added automated Backups for PostgreSQL --- README.md | 9 +++++++ ccp/modules/id-management-compose.yml | 11 ++++---- lib/functions.sh | 11 ++++++++ lib/install-bridgehead.sh | 10 ++++--- lib/update-bridgehead.sh | 39 +++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index b57c10e..24ebdf2 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. +- `/var/data/bridgehead` contains persistent data of the bridgehead + - `/var/data/bridgehead/backups` contains automatically created backups of the databases. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. @@ -139,6 +141,13 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@.service` and `systemctl cat bridgehead-update@ \ + "$1/$2/$(date +%Y-KW%V).sql" +} + + # from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746 # ex. use: retry 5 /bin/false function retry { diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index 5e3add3..7cbd8ef 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh 
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@*.service, \\ - /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\ - /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead + /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\ + /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF @@ -37,6 +37,10 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi +log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data." +mkdir -p /var/data/bridgehead +chown -R bridgehead /var/data/bridgehead + log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ @@ -63,4 +67,4 @@ else STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR" fi -log "INFO" "$STR" \ No newline at end of file +log "INFO" "$STR" diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 897c8a2..cc1d55f 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
@@ -1,6 +1,45 @@ #!/bin/bash source lib/functions.sh +AUTO_BACKUP=${AUTO_BACKUP:-true} + +if [ "$AUTO_BACKUP" == "true" ]; then + BACKUP_DIRECTORY="/var/data/bridgehead/backups" + if [ ! -d /var/data ]; then + log DEBUG "Created /var/data" + mkdir /var/data + fi + if [ ! -d /var/data/bridgehead ]; then + log DEBUG "Created /var/data/bridgehead" + mkdir /var/data/bridgehead + fi + if [ ! -d $BACKUP_DIRECTORY ]; then + message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + mkdir -p $BACKUP_DIRECTORY + fi + BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" + log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; + for service in $BACKUP_SERVICES; do + if [ ! -d $BACKUP_DIRECTORY/$service ]; then + message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + mkdir -p $BACKUP_DIRECTORY/$service + fi + if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then + message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + else + fail_and_report 5 "Failed to create encrypted update for $service" + fi + done +else + log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")" +fi + AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true} if [ "$AUTO_HOUSEKEEPING" == "true" ]; then From 2a46bd00fd31a5278ac23f1f434b21ca355d516d Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 15 Dec 2022 16:39:03 +0100 Subject: [PATCH 32/93] refactor: Changed Trigger of the IDM Module --- ccp/modules/id-management-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index ca939fb..790f846 100644 
--- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh @@ -1,7 +1,7 @@ #!/bin/bash function idManagementSetup() { - if [ -n "$ENABLE_ID_MANAGEMENT" ]; then + if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" From 4f0526ddf4de73836c74f0607676f3f2fc583f40 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 15 Dec 2022 16:39:23 +0100 Subject: [PATCH 33/93] docs: Added Documentation for the IDM Module --- ccp/modules/id-management.md | 58 ++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 ccp/modules/id-management.md diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md new file mode 100644 index 0000000..8de2f5a --- /dev/null +++ b/ccp/modules/id-management.md 
@@ -0,0 +1,58 @@ +# Module: Id-Management +This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf). + +## Getting Started +You must add following configuration variables to your sites-configuration repository: + +``` +IDMANAGER_CENTRAXX_APIKEY="" +IDMANAGER_CONNECTOR_APIKEY="" +IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="" +IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="" +IDMANAGER_AUTH_CLIENT_ID="" +IDMANAGER_AUTH_CLIENT_SECRET="" +``` + +Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects. + +After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server: + +- `bridgehead-id-manager`, accessible by "https:///id-manager". This component adds a common interface for creating pseudonymes in the bridgehead. +- `bridgehead-patientlist`, accessible by "https:// NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL). + +After this, you can restart your bridgehead and the dump will be imported: +``` +systemctl start bridgehead@ccp +``` + +### How to connect your local data-management +Typically, the sites connect their local data-management for the pseudonym creation with the id-management in the bridgehead. In the following two sections, you can read where you can change the configuration: +#### Sites using CentraXX +On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file. +``` +dktk.idmanagement.url=https:///id-manager/translator/getId +dktk.idmanagement.apiKey= +``` +They typically already exist, but need to be changed to the new values! 
+#### Sites using ADT2FHIR +@Pierre + + +### How to connect the legacy windows bridgehead +You need to change the configuration file "..." of your Windows Bridgehead. TODO... From 4d49351ad21f734ec1fcd7aaf9f4ee9bf475a10d Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 16 Dec 2022 12:02:49 +0100 Subject: [PATCH 34/93] fix: Included Legacy ID-Mapping (Please Complete) --- ccp/modules/id-management-compose.yml | 6 +++--- ccp/modules/id-management-setup.sh | 24 ++++++++++++++++++++++-- ccp/modules/id-management.md | 6 +++--- 3 files changed, 28 insertions(+), 8 deletions(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index d1639af..4baaba7 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -5,11 +5,11 @@ services: container_name: bridgehead-id-manager environment: TOMCAT_REVERSEPROXY_FQDN: ${HOST} - MAGICPL_SITE: ${SITE_ID} + MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID} MAGICPL_ALLOWED_ORIGINS: https://${HOST} MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY} - MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY} + MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY} + MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY} MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY} MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY} MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID} diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 790f846..d2449c7 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh 
@@ -1,7 +1,7 @@ #!/bin/bash function idManagementSetup() { - if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then + if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" @@ -11,7 +11,27 @@ function idManagementSetup() { # Source the ID Generators Configuration source /etc/bridgehead/patientlist-id-generators.env - log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}" + + # Ensure old ids are working !!! + legacyIdMapping fi } + +# TODO: Map all old site ids to the new ones +function legacyIdMapping() { + case ${SITE_ID} in + "berlin") + export IDMANAGEMENT_FRIENDLY_ID=Berlin + ;; + "dresden") + export IDMANAGEMENT_FRIENDLY_ID=Dresden + ;; + "frankfurt") + export IDMANAGEMENT_FRIENDLY_ID=Frankfurt + ;; + *) + export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID + ;; + esac +} diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index 8de2f5a..89ff65c 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md @@ -5,8 +5,8 @@ This module provides integration with the CCP-Pseudonymiziation Service. To lear You must add following configuration variables to your sites-configuration repository: ``` -IDMANAGER_CENTRAXX_APIKEY="" -IDMANAGER_CONNECTOR_APIKEY="" +IDMANAGER_UPLOAD_APIKEY="" +IDMANAGER_READ_APIKEY="" IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="" IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="" IDMANAGER_AUTH_CLIENT_ID="" @@ -47,7 +47,7 @@ Typically, the sites connect their local data-management for the pseudonym creat On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file. ``` dktk.idmanagement.url=https:///id-manager/translator/getId -dktk.idmanagement.apiKey= +dktk.idmanagement.apiKey= ``` They typically already exist, but need to be changed to the new values! #### Sites using ADT2FHIR 
From e0c9a5ced38a61da718b0bdf2b01208c2371f094 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Fri, 2 Dec 2022 15:38:33 +0100 Subject: [PATCH 35/93] Added MTBA Module --- ccp/mtba-compose.yml | 33 +++++++++++++++++++++++++++++++++ ccp/nngm-setup.sh | 12 ++++++++++++ ccp/vars | 1 + 3 files changed, 46 insertions(+) create mode 100644 ccp/mtba-compose.yml diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml new file mode 100644 index 0000000..53fd327 --- /dev/null +++ b/ccp/mtba-compose.yml 
@@ -0,0 +1,33 @@ +version: "3.7" + +services: + mtba: + image: samply/mtba:develop + container_name: bridgehead-mtba + environment: + BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir + # NOTE: Aktuell Berechtigungen wie MagicPL!!! + # TODO: Add separate ApiKey to Patientlist only for MTBA! + ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID + ID_MANAGER_URL: http://bridgehead-id-manager:8080 + PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"} + PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"} + PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"} + PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"} + CBIOPORTAL_URL: http://bridgehead-ccp-cbioportal:8080 + MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3" + labels: + - "traefik.enable=true" + - "traefik.http.routers.mtba.rule=PathPrefix(`/`)" + - "traefik.http.services.mtba.loadbalancer.server.port=80" + - "traefik.http.routers.mtba.tls=true" + volumes: + # This directory persists the FHIR Resources that are needed to import data into blaze. + - /var/data/bridgehead/mtba:/app/mtba-files/persist + # Place new import files in this directory + - /tmp/bridgehead/mtba/:/app/mtba-files/input + + # TODO: Include CBioPortal in Deployment ... + # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted! + # TODO: Find a trigger to let mtba signal a restart for CBioPortal diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh index d5b80eb..b55d48e 100644 --- a/ccp/nngm-setup.sh +++ b/ccp/nngm-setup.sh 
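Review bot: The `mtba` router rule `PathPrefix` on the root path `/` is a catch-all with no middleware attached, so the MTBA interface that ingests patient CSVs with identifying data answers every request traefik cannot match to a more specific router, and without any authentication in front of it. Scope the rule to a dedicated prefix (with a matching stripprefix middleware, as the other modules do) and attach the same auth middleware the rest of the Bridgehead uses before this goes beyond a development image. The defaults in `${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}` and the three sibling headers are plain YAML scalars, so the double quotes are most likely passed through by compose as part of the value and the container sees `"FIRST_NAME"` with quotes; write them as `${PATIENT_CSV_FIRST_NAME_HEADER:-FIRST_NAME}`. The `/tmp/bridgehead/mtba/` input mount also deserves a comment that `/tmp` is writable by every local account, since whatever lands there is imported.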
@@ -7,3 +7,15 @@ function nngmSetup() { fi CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" } + +function mtbaSetup() { + # TODO: Check if ID-Management Module is activated! + if [ -n "$ENABLE_MTBA" ];then + log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal." + if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then + log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!" + exit 1; + fi + OVERRIDE+=" -f ./$PROJECT/mtba-compose.yml" + fi +} diff --git a/ccp/vars b/ccp/vars index 89deae0..5172d24 100644 --- a/ccp/vars +++ b/ccp/vars @@ -16,3 +16,4 @@ source $PROJECT/nngm-setup.sh nngmSetup source $PROJECT/exliquid-setup.sh exliquidSetup +mtbaSetup \ No newline at end of file From e7b238de9d023abf69b88699eb132f67acdbe8f9 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Fri, 16 Dec 2022 15:01:04 +0100 Subject: [PATCH 36/93] set magicpl instead of patientlist --- ccp/mtba-compose.yml | 4 ++-- ccp/nngm-setup.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index 53fd327..d492ae0 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml @@ -7,8 +7,8 @@ services: environment: BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir # NOTE: Aktuell Berechtigungen wie MagicPL!!! - # TODO: Add separate ApiKey to Patientlist only for MTBA! - ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + # TODO: Add separate ApiKey to MagicPL only for MTBA! + ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY} ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID ID_MANAGER_URL: http://bridgehead-id-manager:8080 PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"} 
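Review bot: The guard inside the new `mtbaSetup` is inverted: `if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]` aborts with "ID-Management Module seems not to be configured" precisely when the key is set, so a correctly configured site exits with status 1 and a site without ID-Management passes through to a compose file that references the id-manager key. The test should read `if [ -z "$IDMANAGER_UPLOAD_APIKEY" ]; then` (the following patch in this series flips it with `! -n`, which says the same thing less directly). `exit 1` from a function sourced into the main script terminates the whole Bridgehead start, which looks intended here but is worth a comment such as `# abort the whole start: MTBA cannot run without the ID-Management module`.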
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh index b55d48e..ba2e77f 100644 --- a/ccp/nngm-setup.sh +++ b/ccp/nngm-setup.sh @@ -12,7 +12,7 @@ function mtbaSetup() { # TODO: Check if ID-Management Module is activated! if [ -n "$ENABLE_MTBA" ];then log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal." - if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then + if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!" exit 1; fi From ee6f60ef6542adcf41ca827f54fe7ad45b7609ec Mon Sep 17 00:00:00 2001 From: Croft Date: Thu, 19 Jan 2023 09:59:47 +0100 Subject: [PATCH 37/93] Enhanced the installation documentation. Explained the following: * Bridgehead projects * Configuration repository --- README.md | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b57c10e..e559842 100644 --- a/README.md +++ b/README.md 
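Review bot: `[ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]` is the double-negative spelling of the emptiness test; `[ -z "$IDMANAGER_UPLOAD_APIKEY" ]` expresses the same check and matches the `-n`/`-z` style used by the other guards in this file. While on this line, `if [ -n "$ENABLE_MTBA" ];then` two lines above is missing the space before `then` that the neighbouring checks have. The body of `mtbaSetup` continues outside the hunk.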
@@ -57,10 +57,43 @@ Since it needs to carry sensitive patient data, Bridgeheads are intended to be d Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker). ## Deployment +You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique. + +### Projects + +The following "projects" are known to the Bridgehead installation: + +- bbmri +- ccp + +Use "bbmri" if you are in the BBMRI-ERIC European biobank network or the GBA (German Biobank Alliance) network. + +Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network. + +### GitLab repository + +In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software. + +To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name. + +We will set the repository up for you. We will then send you the repository's URL plus a token to access it. + +Before installation, you must set up your site's configuration in GitLab. + +To do this, visit the configuration repository's URL and click on the configuration file. Depending on your project, this will be called either ```bbmri.conf```or ```ccp.conf```. Use the blue button to edit it. You will need to change, as a minimum, the following variables: + +- SITE_NAME +- SITE_ID +- OPERATOR_FIRST_NAME +- OPERATOR_LAST_NAME +- OPERATOR_EMAIL +- OPERATOR_PHONE + +SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site. 
### Base Installation -First, clone the repository to the directory `/srv/docker/bridgehead`: +First, get the Bridgehead: ```shell sudo mkdir -p /srv/docker/ @@ -74,7 +107,11 @@ cd /srv/docker/bridgehead sudo ./bridgehead install ``` -... and follow the instructions on the screen. You should then be prompted to do the next step: +When prompted with "Please enter your site", you should enter the name you have given to your site (not its URL). E.g., in the example in the previous section, that would be "your-site-name". + +When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you. + +You should then be prompted to do the next step: ### Register with Samply.Beam From af7960e036deb3ddff22d42354f554ee71942649 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Thu, 19 Jan 2023 10:05:03 +0000 Subject: [PATCH 38/93] Improve documentation --- ccp/modules/id-management.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index 89ff65c..4c929b9 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md 
@@ -1,8 +1,8 @@ # Module: Id-Management -This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf). +This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP Data Protection Concept](https://dktk.dkfz.de/klinische-plattformen/documents-download). ## Getting Started -You must add following configuration variables to your sites-configuration repository: +The following configuration variables are added to your sites-configuration repository: ``` IDMANAGER_UPLOAD_APIKEY="" @@ -13,15 +13,19 @@ IDMANAGER_AUTH_CLIENT_ID="" IDMANAGER_AUTH_CLIENT_SECRET="" ``` -Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects. +Most of the configuration is kept identical across all sites. Some site-specific variables, however, go into a file called `/etc/bridgehead/ccp/id-management.local`. -After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server: +After adding the configuration, you simply need to update your bridgehead. You're all set! -- `bridgehead-id-manager`, accessible by "https:///id-manager". This component adds a common interface for creating pseudonymes in the bridgehead. -- `bridgehead-patientlist`, accessible by "https:// Date: Thu, 19 Jan 2023 10:15:12 +0000 Subject: [PATCH 39/93] Made it even easier for sites --- ccp/modules/id-management.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index 4c929b9..60cb5b1 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md 
@@ -11,11 +11,13 @@ IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="" IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="" IDMANAGER_AUTH_CLIENT_ID="" IDMANAGER_AUTH_CLIENT_SECRET="" + +IDMANAGER_SEEDS_BK="" +IDMANAGER_SEEDS_MDS="" +IDMANAGER_SEEDS_DKTK000001985="" ``` -Most of the configuration is kept identical across all sites. Some site-specific variables, however, go into a file called `/etc/bridgehead/ccp/id-management.local`. - -After adding the configuration, you simply need to update your bridgehead. You're all set! +Once your Bridgehead is updated and restarted, you're all set! ## Additional information you may want to know ### Services From 0c2873132a946a2daf52631de69e612e8454ef80 Mon Sep 17 00:00:00 2001 From: Croft Date: Thu, 19 Jan 2023 11:22:48 +0100 Subject: [PATCH 40/93] Included site naming conventions --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index e559842..8a0e274 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,14 @@ Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to c ## Deployment You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique. +Site names should adhere to the following conventions: + +- They should be lower-case. +- They should generally be named after the city where your site is based, e.g. ```karlsruhe```. +- If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```. +- If your site is for testing purposes, rather than production, please prepend with "test-", e.g. ```test-zaragoza```. +- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend with "dev-", e.g. ```dev-joe-doe```. + ### Projects The following "projects" are known to the Bridgehead installation: 
From 92ccb7867452f0999cd701fc916ab7d2a2fada89 Mon Sep 17 00:00:00 2001 From: Croft Date: Mon, 23 Jan 2023 14:49:03 +0100 Subject: [PATCH 41/93] Fix for Tobias' comment in PR52 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8a0e274..4ac1c84 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ To do this, visit the configuration repository's URL and click on the configurat SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site. +Once you have made your changes, these will need to be reviewed by members of our team before you can proceed with the installation. + ### Base Installation First, get the Bridgehead: From d2c5ec0418c3f306717f3e2cccd65d1dce0718a6 Mon Sep 17 00:00:00 2001 From: Croft Date: Wed, 25 Jan 2023 14:09:14 +0100 Subject: [PATCH 42/93] Added instructions for Bridgehead de-install --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 4ac1c84..31fc0b0 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,9 @@ Since it needs to carry sensitive patient data, Bridgeheads are intended to be d Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker). ## Deployment + +### Site name + You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique. Site names should adhere to the following conventions: 
@@ -156,6 +159,35 @@ To enable/disable autostart, run sudo systemctl [enable|disable] bridgehead@.service ``` +### De-installing a Bridgehead + +You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work. + +The following steps will remove all traces of the Bridgehead from your machine. All locally stored data pertaining to the Bridgehead will be lost. + +First, purge the Bridgehead from ```systemctl```: + +```shell +sudo systemctl stop bridgehead@bbmri.service +sudo systemctl disable bridgehead@bbmri.service +sudo systemctl daemon-reload +sudo systemctl reset-failed +``` + +Now remove the directories where the Bridgehead files reside: + +```shell +sudo rm -rf /srv/docker/bridgehead /etc/bridgehead +``` + +Finally, get rid of the Docker images: + +```shell +docker image rm traefik:latest samply/beam-proxy:develop samply/blaze:0.18 samply/bridgehead-forward-proxy:latest samply/bridgehead-landingpage:master samply/spot:latest +``` + +Note that you will still have a functioning Beam certificate and a functioning GitLab configuration repository, even after you have removed everything locally. + ## Site-specific configuration ### HTTPS Access From 92d88ad815c58d52aa53e46faaaaedf76e973e4e Mon Sep 17 00:00:00 2001 From: Croft Date: Thu, 26 Jan 2023 09:37:44 +0100 Subject: [PATCH 43/93] Added new section for testing the Bridgehead --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 31fc0b0..6fe2e2e 100644 --- a/README.md +++ b/README.md 
@@ -159,6 +159,46 @@ To enable/disable autostart, run sudo systemctl [enable|disable] bridgehead@.service ``` +### Testing your new Bridgehead + +After starting the Bridgehead, you can watch the initialization process with the following command: + +```shell +sudo journalctl -xefu bridgehead@bbmri.service +``` + +if this exits with the following: + +``` +bridgehead@bbmri.service: Main process exited, code=exited, status=1/FAILURE +``` + +Then you know that there was a problem with starting the Bridgehead. Scroll up the printout to find the cause of the error. + +Once the Bridgehead is running, you can also view the individual Docker processes with: + +```shell +docker ps +``` + +There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. + +Once the Bridgehead has passed these checks, take a look at the landing page: + +``` +https://localhost +``` + +You can either do this in a browser or with curl. If you visit the URL in the browser, you will neet to click through several warnings, because you will initially be using a self-signed certificate. With curl, you can bypass these checks: + +```shell +curl -k https://localhost +``` + +If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong. + +If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead. + ### De-installing a Bridgehead You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work. From 90fe31b6c9a6794937bc9ee886283ae9514a3697 Mon Sep 17 00:00:00 2001 
From: Croft Date: Thu, 26 Jan 2023 11:15:55 +0100 Subject: [PATCH 44/93] Described Docker logging in README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6fe2e2e..6d4a0f8 100644 --- a/README.md +++ b/README.md @@ -181,7 +181,11 @@ Once the Bridgehead is running, you can also view the individual Docker processe docker ps ``` -There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. +There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: + +```shell +docker-compose -f bbmri/docker-compose.yml logs --follow +``` Once the Bridgehead has passed these checks, take a look at the landing page: From 7d9cec562ea5d00d744ac3610fe32c7eaeaef22d Mon Sep 17 00:00:00 2001 From: Croft Date: Fri, 27 Jan 2023 09:46:30 +0100 Subject: [PATCH 45/93] Corrected site naming convention to comply with DKTK --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6d4a0f8..1a43eed 100644 --- a/README.md +++ b/README.md @@ -67,8 +67,8 @@ Site names should adhere to the following conventions: - They should be lower-case. - They should generally be named after the city where your site is based, e.g. ```karlsruhe```. - If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```. -- If your site is for testing purposes, rather than production, please prepend with "test-", e.g. ```test-zaragoza```. -- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend with "dev-", e.g. ```dev-joe-doe```. +- If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```. +- If you are a developer and you are making changes to the Bridgehead, please use your name and append "-dev", e.g. ```joe-doe-dev```. ### Projects 
@@ -87,7 +87,11 @@ In order to be able to install, you will need to have your own repository in Git To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name. -We will set the repository up for you. We will then send you the repository's URL plus a token to access it. +We will set the repository up for you. We will then send you: + +- A Repository Short Name (RSN). Beware: this is distinct from your site name. +- The repository's URL. +- A token to access the repository. Before installation, you must set up your site's configuration in GitLab. @@ -120,7 +124,7 @@ cd /srv/docker/bridgehead sudo ./bridgehead install ``` -When prompted with "Please enter your site", you should enter the name you have given to your site (not its URL). E.g., in the example in the previous section, that would be "your-site-name". +When prompted with "Please enter your site", you should enter the Repository Short Name (RSN) for GitLab that you were given in the previous section. When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you. From 6123a9aeba60d0ac27f19f72905c0b166ef10fb7 Mon Sep 17 00:00:00 2001 From: Croft Date: Fri, 27 Jan 2023 11:08:00 +0100 Subject: [PATCH 46/93] Addressed Torben's comments to PR 52 - Included email for CCP repositories. - Used journalctl instead of docker ps for Bridgehead status. --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1a43eed..1a11d87 100644 --- a/README.md +++ b/README.md 
@@ -85,7 +85,12 @@ Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network. In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software. -To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name. +To request a new repository, please send an email to one of the following: + +- For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu. +- For the ccp project: support-ccp@dkfz-heidelberg.de + +Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name. We will set the repository up for you. We will then send you: @@ -168,7 +173,7 @@ sudo systemctl [enable|disable] bridgehead@.service After starting the Bridgehead, you can watch the initialization process with the following command: ```shell -sudo journalctl -xefu bridgehead@bbmri.service +journalctl -u bridgehead@bbmri -f ``` if this exits with the following: @@ -188,7 +193,7 @@ docker ps There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: ```shell -docker-compose -f bbmri/docker-compose.yml logs --follow +journalctl -u bridgehead@bbmri -f ``` Once the Bridgehead has passed these checks, take a look at the landing page: From eb37d16b847800cfb4ba31bb7423a7815ceb0a4c Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Tue, 31 Jan 2023 15:44:30 +0100 Subject: [PATCH 47/93] Updated Blaze to 0.19 --- bbmri/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- ccp/exliquid-compose.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 2433234..cbe2263 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml 
@@ -54,7 +54,7 @@ services: SITE_NAME: ${SITE_NAME} blaze: - image: "samply/blaze:0.18" + image: "samply/blaze:0.19" container_name: bridgehead-bbmri-blaze environment: BASE_URL: "http://bridgehead-bbmri-blaze:8080" diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 54b2daa..6715a69 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -54,7 +54,7 @@ services: SITE_NAME: ${SITE_NAME} blaze: - image: "samply/blaze:0.18" + image: "samply/blaze:0.19" container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml index e21617a..eb8d194 100644 --- a/ccp/exliquid-compose.yml +++ b/ccp/exliquid-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: exliquid-task-store: - image: "samply/blaze:0.18" + image: "samply/blaze:0.19" container_name: bridgehead-exliquid-task-store environment: BASE_URL: "http://bridgehead-exliquid-task-store:8080" From 6d8e877899870ba8a9a0191d80995f2b947db110 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Fri, 3 Feb 2023 13:28:44 +0100 Subject: [PATCH 48/93] Use beam-proxy "main" tag --- bbmri/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index cbe2263..3291326 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: "samply/beam-proxy:develop" + image: samply/beam-proxy:main container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 6715a69..4c26d5e 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: "samply/beam-proxy:develop" + image: samply/beam-proxy:main container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} 
From 1c3fa4fa3fb6c21f886f2c9fdb4fe19b73a6545c Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Tue, 17 Jan 2023 08:56:02 +0100 Subject: [PATCH 49/93] refactor: Changed Paths for persistent Data --- README.md | 4 ++-- ccp/modules/id-management-compose.yml | 4 ++-- ccp/modules/id-management.md | 6 +++--- ccp/mtba-compose.yml | 2 +- lib/install-bridgehead.sh | 15 ++++++++++----- lib/update-bridgehead.sh | 10 +--------- 6 files changed, 19 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 24ebdf2..134e1ae 100644 --- a/README.md +++ b/README.md @@ -128,8 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. -- `/var/data/bridgehead` contains persistent data of the bridgehead - - `/var/data/bridgehead/backups` contains automatically created backups of the databases. + - `/var/lib/bridgehead/data` contains persistent data of the bridgehead + - `/var/cache/bridgehead/backup` contains automatically created backups of the databases. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 4baaba7..896663b 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml 
@@ -71,6 +71,6 @@ services: POSTGRES_DB: "mainzelliste" POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD} volumes: - - "/var/data/bridgehead/patientlist:/var/lib/postgresql/data" - # NOTE: Add backups here. This is only imported if /var/data/bridgehead/patientlist/ is empty!!! + - "/var/lib/bridgehead/data/patientlist:/var/lib/postgresql/data" + # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!! - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/" diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index 60cb5b1..c45b95a 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md @@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services: - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead. - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects. -- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`. +- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/lib/bridgehead/data/patientlist` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`. ### How to import an existing database (e.g from Legacy Windows or from Backups) First you must shutdown your local bridgehead instance: 
@@ -36,10 +36,10 @@ systemctl stop bridgehead@ccp Next you need to remove the current patientlist database: ``` -rm -rf /var/data/bridgehead/patientlist +rm -rf /var/lib/bridgehead/data/patientlist ``` -Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/data/bridgehead/patientlist is empty. +Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/lib/bridgehead/data/patientlist is empty. > NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL). After this, you can restart your bridgehead and the dump will be imported: diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index d492ae0..1c62989 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml @@ -24,7 +24,7 @@ services: - "traefik.http.routers.mtba.tls=true" volumes: # This directory persists the FHIR Resources that are needed to import data into blaze. - - /var/data/bridgehead/mtba:/app/mtba-files/persist + - /var/lib/bridgehead/data/mtba:/app/mtba-files/persist # Place new import files in this directory - /tmp/bridgehead/mtba/:/app/mtba-files/input diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index 7cbd8ef..04503e3 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh 
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@*.service, \\ - /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\ - /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead + /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead, \\ + /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF @@ -37,9 +37,14 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi -log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data." -mkdir -p /var/data/bridgehead -chown -R bridgehead /var/data/bridgehead +log "INFO" "Creating directory /var/lib/bridgehead for storage of persistent data." +mkdir -p /var/lib/bridgehead +chown -R bridgehead /var/lib/bridgehead + + +log "INFO" "Creating directory /var/cache/bridgehead for storage of backups." +mkdir -p /var/cache/bridgehead +chown -R bridgehead /var/cache/bridgehead log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index cc1d55f..65560ea 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
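Review bot: In the second hunk, `mkdir -p /var/cache/bridgehead` followed by `chown -R bridgehead /var/cache/bridgehead` creates the backup root with whatever mode the installer's umask yields, typically 0755, so the database dumps later written below `/var/cache/bridgehead/backup` sit in a directory any local account can list, and whether the dump files themselves are readable then depends only on the umask of the job that writes them. Creating both new roots with an explicit mode, `mkdir -p -m 0750 /var/cache/bridgehead` and `mkdir -p -m 0750 /var/lib/bridgehead`, keeps patient-list backups and persistent data out of reach of other users on the host regardless of that umask. A short comment on the sudoers hunk stating why `chown -R` over these two new roots is granted without a password would also help the next reader of the `Cmnd_Alias`.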
@@ -4,15 +4,7 @@ source lib/functions.sh AUTO_BACKUP=${AUTO_BACKUP:-true} if [ "$AUTO_BACKUP" == "true" ]; then - BACKUP_DIRECTORY="/var/data/bridgehead/backups" - if [ ! -d /var/data ]; then - log DEBUG "Created /var/data" - mkdir /var/data - fi - if [ ! -d /var/data/bridgehead ]; then - log DEBUG "Created /var/data/bridgehead" - mkdir /var/data/bridgehead - fi + BACKUP_DIRECTORY="/var/cache/bridgehead/backup" if [ ! -d $BACKUP_DIRECTORY ]; then message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY." hc_send log "$message" From 0d998ab8716a2e2c5c92fa84e65ccc608524ccef Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 10:55:44 +0100 Subject: [PATCH 50/93] refactor: Move persistent data to named volumes --- README.md | 1 - ccp/modules/id-management-compose.yml | 5 ++++- ccp/modules/id-management.md | 6 +++--- ccp/mtba-compose.yml | 5 ++++- lib/install-bridgehead.sh | 9 ++------- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 134e1ae..e1d3286 100644 --- a/README.md +++ b/README.md 
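Review bot: With the parent-directory creation removed from this script, `BACKUP_DIRECTORY="/var/cache/bridgehead/backup"` now relies on `/var/cache/bridgehead` having been created by the installer; on an existing installation that is only updated, not re-installed, that directory will not exist, and the `mkdir` that follows the "Creating Backup directory" message (outside the hunk) can only succeed if it uses `-p` and the updating user is allowed to create entries directly under `/var/cache`. Consider keeping an explicit `mkdir -p` of the parent here, or checking for it and logging a clear error, so automatic backups do not start failing quietly after the path migration. The enclosing `if [ "$AUTO_BACKUP" == "true" ]` block continues past the hunk.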
@@ -128,7 +128,6 @@ All of the Bridgehead's outgoing connections are secured by transport encryption - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. - - `/var/lib/bridgehead/data` contains persistent data of the bridgehead - `/var/cache/bridgehead/backup` contains automatically created backups of the databases. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 896663b..72aebcc 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -71,6 +71,9 @@ services: POSTGRES_DB: "mainzelliste" POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD} volumes: - - "/var/lib/bridgehead/data/patientlist:/var/lib/postgresql/data" + - "patientlist-db-data:/var/lib/postgresql/data" # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!! - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/" + +volumes: + patientlist-db-data: diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index c45b95a..e18d3f8 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md 
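Review bot: The comment `# NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!` directly below the changed line still names the bind-mount path this hunk removes; it should now read `# NOTE: Add backups here. Only imported when the patientlist-db-data volume is empty (first start)!!!`. Switching to the named volume also leaves an existing site's data in `/var/lib/bridgehead/data/patientlist` unmigrated as far as this commit shows; the container would start with an empty volume and initialise from whatever is in `/tmp/bridgehead/patientlist/`, so a migration step or a documented procedure seems needed. Keeping the initdb directory under `/tmp` is worth revisiting separately, since files placed there are executed with database superuser rights on first initialisation and `/tmp` is writable by every local account.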
@@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services: - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead. - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects. -- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/lib/bridgehead/data/patientlist` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`. +- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`. ### How to import an existing database (e.g from Legacy Windows or from Backups) First you must shutdown your local bridgehead instance: 
@@ -36,10 +36,10 @@ systemctl stop bridgehead@ccp Next you need to remove the current patientlist database: ``` -rm -rf /var/lib/bridgehead/data/patientlist +docker volume rm patientlist-db-data; ``` -Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/lib/bridgehead/data/patientlist is empty. +Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then the volume `patientlist-db-data` was removed previously. > NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL). After this, you can restart your bridgehead and the dump will be imported: diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index 1c62989..857ff34 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml @@ -24,10 +24,13 @@ services: - "traefik.http.routers.mtba.tls=true" volumes: # This directory persists the FHIR Resources that are needed to import data into blaze. - - /var/lib/bridgehead/data/mtba:/app/mtba-files/persist + - mtba-data:/app/mtba-files/persist # Place new import files in this directory - /tmp/bridgehead/mtba/:/app/mtba-files/input # TODO: Include CBioPortal in Deployment ... # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted! # TODO: Find a trigger to let mtba signal a restart for CBioPortal + +volumes: + mtba-data: diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index 04503e3..f1aff73 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh 
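Review bot: The new `mtba-data` volume holds the FHIR resources that the comment above it says must persist, but the automatic backup in `lib/update-bridgehead.sh` only dumps postgres containers, so this volume is covered by no backup visible in this series. If that is acceptable, a comment such as `# Not covered by the automatic postgres backups; back up the mtba-data volume separately.` would document it; otherwise the backup job needs an extension. The import directory stays at `/tmp/bridgehead/mtba/`, which on many systems is cleaned at reboot, so pending input files may disappear before they are processed.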
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@*.service, \\ - /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead, \\ - /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead + /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead, \\ + /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF @@ -37,11 +37,6 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi -log "INFO" "Creating directory /var/lib/bridgehead for storage of persistent data." -mkdir -p /var/lib/bridgehead -chown -R bridgehead /var/lib/bridgehead - - log "INFO" "Creating directory /var/cache/bridgehead for storage of backups." mkdir -p /var/cache/bridgehead chown -R bridgehead /var/cache/bridgehead From 1befa65f35033f9383aae88b7fdcf5fd0244e156 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 10:59:29 +0100 Subject: [PATCH 51/93] refactor: Changed Salt for patientlist db password --- ccp/modules/id-management-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index d2449c7..98c4217 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh 
@@ -6,7 +6,7 @@ function idManagementSetup() { OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" # Auto Generate local Passwords - PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" # Source the ID Generators Configuration From 713dc5f4e9564596fb2a47afaceeb2a28cd2ea1d Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 11:15:09 +0100 Subject: [PATCH 52/93] refactor: Move Backups after the Update --- lib/update-bridgehead.sh | 62 ++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 65560ea..7fb3688 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
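Review bot: Changing the signed string changes the derived `PATIENTLIST_POSTGRES_PASSWORD`, but postgres applies `POSTGRES_PASSWORD` only when it initialises an empty data directory, so an existing `patientlist-db-data` volume keeps the old password and Mainzelliste will fail to authenticate after this update unless the volume is recreated or the role password is rotated. The commit message should say so, or the setup should perform the rotation. Independently, `openssl rsautl` is deprecated in OpenSSL 3; `openssl pkeyutl -sign -inkey ...` is the maintained equivalent, provided the derived value is verified to stay identical before switching. The escaped quotes in `echo \"...\"` become part of the signed input, which is harmless but easy to misread; `printf '%s' 'id-management-module-db-password-salt'` would be clearer. The hunk sits inside `idManagementSetup`, which begins above it.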
@@ -1,37 +1,6 @@ #!/bin/bash source lib/functions.sh -AUTO_BACKUP=${AUTO_BACKUP:-true} - -if [ "$AUTO_BACKUP" == "true" ]; then - BACKUP_DIRECTORY="/var/cache/bridgehead/backup" - if [ ! -d $BACKUP_DIRECTORY ]; then - message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY." - hc_send log "$message" - log INFO "$message" - mkdir -p $BACKUP_DIRECTORY - fi - BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" - log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; - for service in $BACKUP_SERVICES; do - if [ ! -d $BACKUP_DIRECTORY/$service ]; then - message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY." - hc_send log "$message" - log INFO "$message" - mkdir -p $BACKUP_DIRECTORY/$service - fi - if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then - message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY." - hc_send log "$message" - log INFO "$message" - else - fail_and_report 5 "Failed to create encrypted update for $service" - fi - done -else - log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")" -fi - AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true} if [ "$AUTO_HOUSEKEEPING" == "true" ]; then 
@@ -134,6 +103,37 @@ else hc_send log "$RES" fi +AUTO_BACKUP=${AUTO_BACKUP:-true} + +if [ "$AUTO_BACKUP" == "true" ]; then + BACKUP_DIRECTORY="/var/cache/bridgehead/backup" + if [ ! -d $BACKUP_DIRECTORY ]; then + message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + mkdir -p $BACKUP_DIRECTORY + fi + BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" + log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; + for service in $BACKUP_SERVICES; do + if [ ! -d $BACKUP_DIRECTORY/$service ]; then + message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + mkdir -p $BACKUP_DIRECTORY/$service + fi + if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then + message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY." + hc_send log "$message" + log INFO "$message" + else + fail_and_report 5 "Failed to create encrypted update for $service" + fi + done +else + log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")" +fi + exit 0 # TODO: Print last commit explicit From 17d48a3636c812d7d2ac1a07b6adab20c930d75c Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 11:26:31 +0100 Subject: [PATCH 53/93] refactor: Expect User to select a Backup Directory --- README.md | 3 ++- ccp/modules/id-management.md | 2 +- lib/install-bridgehead.sh | 8 ++------ lib/update-bridgehead.sh | 19 ++++++++----------- 4 files changed, 13 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index e1d3286..8fba0c9 100644 --- a/README.md +++ b/README.md 
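Review bot: The relocated block now runs the database backup after the image-update loop earlier in the script, so the dump reflects the post-update state and there is no snapshot to fall back to if an update breaks a database, which a later image bump in this series makes a realistic case. If backing up the already-updated services is intended, a comment where the block is placed should say so. Two small defects travel with the move: the failure message `fail_and_report 5 "Failed to create encrypted update for $service"` should say `backup`, and `$BACKUP_DIRECTORY` is unquoted in the `[ ! -d ... ]` tests and the `mkdir -p` calls.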
@@ -128,7 +128,6 @@ All of the Bridgehead's outgoing connections are secured by transport encryption - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. - - `/var/cache/bridgehead/backup` contains automatically created backups of the databases. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect `. @@ -147,6 +146,8 @@ Some of the components in the bridgehead will store persistent data. For those c 2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week 3) Year-Month, to allow re-import of at least one version per month +To enable the Auto-Backup feature, please set the Variable `BACKUP_DIRECTORY` in your sites configuration. + ### Monitoring To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index e18d3f8..98da3d1 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md 
@@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services: - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead. - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects. -- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`. +- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data`. ### How to import an existing database (e.g from Legacy Windows or from Backups) First you must shutdown your local bridgehead instance: diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index f1aff73..c42119f 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh @@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@*.service, \\ - /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead, \\ - /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead + /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\ + /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF 
@@ -37,10 +37,6 @@ if [ -z "$LDM_PASSWORD" ]; then echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; fi -log "INFO" "Creating directory /var/cache/bridgehead for storage of backups." -mkdir -p /var/cache/bridgehead -chown -R bridgehead /var/cache/bridgehead - log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 7fb3688..276f60c 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
@@ -103,27 +103,24 @@ else hc_send log "$RES" fi -AUTO_BACKUP=${AUTO_BACKUP:-true} - -if [ "$AUTO_BACKUP" == "true" ]; then - BACKUP_DIRECTORY="/var/cache/bridgehead/backup" - if [ ! -d $BACKUP_DIRECTORY ]; then - message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY." +if [ -z "${BACKUP_DIRECTORY}" ]; then + if [ ! -d "$BACKUP_DIRECTORY" ]; then + message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY." hc_send log "$message" log INFO "$message" - mkdir -p $BACKUP_DIRECTORY + mkdir -p "$BACKUP_DIRECTORY" fi BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; for service in $BACKUP_SERVICES; do - if [ ! -d $BACKUP_DIRECTORY/$service ]; then - message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY." + if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then + message="Performing automatic maintenance: Attempting to create backup directory for $service in $BACKUP_DIRECTORY." hc_send log "$message" log INFO "$message" - mkdir -p $BACKUP_DIRECTORY/$service + mkdir -p "$BACKUP_DIRECTORY/$service" fi if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then - message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY." + message="Performing automatic maintenance: Stored encrypted backup for $service in $BACKUP_DIRECTORY." hc_send log "$message" log INFO "$message" else From a37bf79c030908e80284c981975161bb31b989cc Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 11:31:36 +0100 Subject: [PATCH 54/93] refactor: Added Monitoring for backup permissions --- lib/update-bridgehead.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 276f60c..0f1c413 100755 --- a/lib/update-bridgehead.sh 
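Review bot: `if [ -z "${BACKUP_DIRECTORY}" ]; then` inverts the intended check: with `BACKUP_DIRECTORY` unset the backup branch runs, `mkdir -p ""` fails, and the per-service paths collapse to `/$service` at the filesystem root, while a configured directory skips the backup entirely. It should be `if [ -n "${BACKUP_DIRECTORY}" ]; then`, and the warning in the `else` branch below the hunk should then say the variable is unset. Since the value now comes from the site configuration, rejecting relative paths, e.g. `case "$BACKUP_DIRECTORY" in /*) ;; *) fail_and_report 1 "BACKUP_DIRECTORY must be an absolute path";; esac`, keeps backups from landing relative to whatever the working directory is when the update runs.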
+++ b/lib/update-bridgehead.sh @@ -109,7 +109,9 @@ if [ -z "${BACKUP_DIRECTORY}" ]; then hc_send log "$message" log INFO "$message" mkdir -p "$BACKUP_DIRECTORY" + chown -R "$BACKUP_DIRECTORY" bridgehead; fi + checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)" BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; for service in $BACKUP_SERVICES; do From 98afeac701f0065d0052f07a8c9b27ce9e2ff779 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 27 Jan 2023 11:49:18 +0100 Subject: [PATCH 55/93] refactor: Use -db as Indicator for Backups --- lib/update-bridgehead.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 0f1c413..ab39cca 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -112,7 +112,8 @@ if [ -z "${BACKUP_DIRECTORY}" ]; then chown -R "$BACKUP_DIRECTORY" bridgehead; fi checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)" - BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")" + # Collect all container names that contain '-db' + BACKUP_SERVICES="$(docker ps --filter name=-db --format "{{.Names}}" | tr "\n" "\ ")" log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES"; for service in $BACKUP_SERVICES; do if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then From 2445a5978506bd7d3b84d85fafe7e8a16d6f239d Mon Sep 17 00:00:00 2001 
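Review bot: `chown -R "$BACKUP_DIRECTORY" bridgehead;` has its operands reversed: chown takes the owner first, so this tries to use the directory path as a user name and `bridgehead` (relative to the current directory) as the file to change. It should be `chown -R bridgehead "$BACKUP_DIRECTORY"`. The failure message on the next added line reports `$(pwd)` rather than the directory that was checked; use `$BACKUP_DIRECTORY` there. `checkOwner` is not defined in this file as far as visible, so presumably it comes from lib/functions.sh.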
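Review bot: `docker ps --filter name=-db` matches any container whose name contains `-db` anywhere, not only the postgres databases, so a non-postgres container with that substring is handed to `createEncryptedPostgresBackup` and its failure aborts the whole update through `fail_and_report`. If the name filter is treated as a regular expression, anchoring it (`name=-db$`) narrows this; otherwise filtering on a dedicated label set by the database services in their compose files is more robust. The comment above the line should state the convention, e.g. `# Back up every container whose name ends in -db; database services must follow this naming.`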
From: Torben Brenner Date: Fri, 27 Jan 2023 11:52:09 +0100 Subject: [PATCH 56/93] refacotr: Restructured passing Patientlist Seeds --- ccp/modules/id-management-compose.yml | 25 +------------------------ ccp/modules/id-management-setup.sh | 4 ++-- ccp/modules/id-management.md | 2 ++ 3 files changed, 5 insertions(+), 26 deletions(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 72aebcc..3f13519 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -31,30 +31,7 @@ services: - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} # Add Variables from /etc/patientlist-id-generators.env - - ML_BK_IDGENERATOR_RANDOM_1 - - ML_BK_IDGENERATOR_RANDOM_2 - - ML_BK_IDGENERATOR_RANDOM_3 - - ML_MDS_IDGENERATOR_RANDOM_1 - - ML_MDS_IDGENERATOR_RANDOM_2 - - ML_MDS_IDGENERATOR_RANDOM_3 - - ML_DKTK000001985_IDGENERATOR_RANDOM_1 - - ML_DKTK000001985_IDGENERATOR_RANDOM_2 - - ML_DKTK000001985_IDGENERATOR_RANDOM_3 - - ML_DKTK000001986_IDGENERATOR_RANDOM_1 - - ML_DKTK000001986_IDGENERATOR_RANDOM_2 - - ML_DKTK000001986_IDGENERATOR_RANDOM_3 - - ML_DKTK000001950_IDGENERATOR_RANDOM_1 - - ML_DKTK000001950_IDGENERATOR_RANDOM_2 - - ML_DKTK000001950_IDGENERATOR_RANDOM_3 - - ML_DKTK000001951_IDGENERATOR_RANDOM_1 - - ML_DKTK000001951_IDGENERATOR_RANDOM_2 - - ML_DKTK000001951_IDGENERATOR_RANDOM_3 - - ML_DKTK999999999_IDGENERATOR_RANDOM_1 - - ML_DKTK999999999_IDGENERATOR_RANDOM_2 - - ML_DKTK999999999_IDGENERATOR_RANDOM_3 - - ML_DKTK000002089_IDGENERATOR_RANDOM_1 - - ML_DKTK000002089_IDGENERATOR_RANDOM_2 - - ML_DKTK000002089_IDGENERATOR_RANDOM_3 + - PATIENTLIST_SEEDS_TRANSFORMED labels: - "traefik.enable=true" - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)" diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 98c4217..0f361dc 100644 --- a/ccp/modules/id-management-setup.sh 
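Review bot: The comment `# Add Variables from /etc/patientlist-id-generators.env` kept above the new `- PATIENTLIST_SEEDS_TRANSFORMED` entry describes the env file this commit stops sourcing, so it is now misleading. Replace it with something like `# Serialised PATIENTLIST_SEEDS array (built in id-management-setup.sh) holding the per-project id-generator seeds`. Because the entry passes only the variable name, compose takes the value from its own environment, so the variable has to be exported by the shell that invokes compose; as far as this series shows that is not done explicitly, and the comment should state the requirement.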
+++ b/ccp/modules/id-management-setup.sh @@ -9,8 +9,8 @@ function idManagementSetup() { PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" - # Source the ID Generators Configuration - source /etc/bridgehead/patientlist-id-generators.env + # Transform Seeds Configuration to pass it to the Mainzelliste Container + PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')" # Ensure old ids are working !!! legacyIdMapping diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md index 98da3d1..66f9f71 100644 --- a/ccp/modules/id-management.md +++ b/ccp/modules/id-management.md @@ -16,10 +16,12 @@ IDMANAGER_SEEDS_BK="" IDMANAGER_SEEDS_MDS="" IDMANAGER_SEEDS_DKTK000001985="" ``` +> NOTE: Additionally, the CCP-IT adds lines declaring the `PATIENTLIST_SEEDS` array in your site configuration. This will contain the seeds for the different id-generators used in all projects. Once your Bridgehead is updated and restarted, you're all set! ## Additional information you may want to know + ### Services Upon configuration, the Bridgehead will spawn the following services: From a3ba98a2fdb1d950ab4fbcb2d1a9302692086816 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Wed, 7 Dec 2022 15:46:19 +0100 Subject: [PATCH 57/93] Added Configuration for Local ID-Management --- ccp/modules/id-management-setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 0f361dc..b02ef66 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh 
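Review bot: The `declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed ...` pipeline strips every double quote and re-quotes only the keys, so a seed value containing whitespace, `[`, `]` or quotes corrupts the resulting declaration, and if the container rebuilds the array by evaluating this string such a value is interpreted as shell syntax. Validating the values before serialising (for example rejecting anything outside `[A-Za-z0-9_-]`) keeps the transport robust. `declare -p` on an undeclared array prints an error and yields an empty variable, so an explicit check that `PATIENTLIST_SEEDS` is set would fail more clearly than an empty seed list reaching Mainzelliste. The enclosing function `idManagementSetup` begins above this hunk.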
@@ -1,7 +1,8 @@ #!/bin/bash function idManagementSetup() { - if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then +# if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then + if [ -n "$ENABLE_ID_MANAGEMENT" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" From e2d90447f7e3ad6ee981c16de6d02b048cfdebf2 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 15 Dec 2022 16:39:03 +0100 Subject: [PATCH 58/93] refactor: Changed Trigger of the IDM Module --- ccp/modules/id-management-setup.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index b02ef66..c8ea707 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh @@ -1,7 +1,6 @@ #!/bin/bash function idManagementSetup() { -# if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then if [ -n "$ENABLE_ID_MANAGEMENT" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" From bce28342f90482205a5eba1d284fb5dffb6e6cce Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Wed, 18 Jan 2023 13:42:36 +0100 Subject: [PATCH 59/93] update docker and host paths --- ccp/mtba-compose.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index 857ff34..ad25dd0 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml 
@@ -17,16 +17,16 @@ services: PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"} CBIOPORTAL_URL: http://bridgehead-ccp-cbioportal:8080 MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3" + NEW_FILES_DIRECTORY: "/app/input" + PERSIST_DIRECTORY: "/app/persist" labels: - "traefik.enable=true" - "traefik.http.routers.mtba.rule=PathPrefix(`/`)" - "traefik.http.services.mtba.loadbalancer.server.port=80" - "traefik.http.routers.mtba.tls=true" volumes: - # This directory persists the FHIR Resources that are needed to import data into blaze. - - mtba-data:/app/mtba-files/persist - # Place new import files in this directory - - /tmp/bridgehead/mtba/:/app/mtba-files/input + - /tmp/bridgehead/mtba/input:/app/input + - /tmp/bridgehead/mtba/persist:/app/persist # TODO: Include CBioPortal in Deployment ... # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted! From e9455a5558dd33de59bb46e3c048368f4c30df34 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Fri, 27 Jan 2023 11:13:49 +0100 Subject: [PATCH 60/93] update mtba config --- ccp/modules/id-management-setup.sh | 2 +- ccp/mtba-compose.yml | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index c8ea707..0f361dc 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh @@ -1,7 +1,7 @@ #!/bin/bash function idManagementSetup() { - if [ -n "$ENABLE_ID_MANAGEMENT" ]; then + if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index ad25dd0..bb90059 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml 
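Review bot: `- /tmp/bridgehead/mtba/persist:/app/persist` moves the data that the removed comment described as needing persistence into `/tmp`, which is commonly a tmpfs or cleaned at boot and is writable by every local account, so the persisted FHIR resources can be lost or altered by other users on the host. The `mtba-data` named volume from the earlier commit, or a directory under a root-owned path with restricted permissions, fits better; if the top-level `volumes: mtba-data:` declaration added earlier is still in the file, it is now unused and should be removed. The two explanatory comments dropped with the old mounts should be restored on the new lines.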
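Review bot: The trigger for the id-management module flips back to `IDMANAGER_UPLOAD_APIKEY` here, undoing the `ENABLE_ID_MANAGEMENT` change from two commits earlier, inside a commit described only as an mtba config update. If the revert is intended it deserves its own commit or at least a sentence in the message; if not, this hunk should be dropped. A comment on the condition, e.g. `# The module is enabled whenever the upload API key is configured for the site`, would make the chosen trigger explicit either way.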
@@ -5,20 +5,20 @@ services: image: samply/mtba:develop container_name: bridgehead-mtba environment: - BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir + BLAZE_STORE_URL: http://blaze:8080 # NOTE: Aktuell Berechtigungen wie MagicPL!!! # TODO: Add separate ApiKey to MagicPL only for MTBA! ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY} ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID - ID_MANAGER_URL: http://bridgehead-id-manager:8080 - PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"} - PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"} - PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"} - PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"} - CBIOPORTAL_URL: http://bridgehead-ccp-cbioportal:8080 - MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3" - NEW_FILES_DIRECTORY: "/app/input" - PERSIST_DIRECTORY: "/app/persist" + ID_MANAGER_URL: http://id-manager:8080/id-manager + PATIENT_CSV_FIRST_NAME_HEADER: ${MTBA_PATIENT_CSV_FIRST_NAME_HEADER} + PATIENT_CSV_LAST_NAME_HEADER: ${MTBA_PATIENT_CSV_LAST_NAME_HEADER} + PATIENT_CSV_GENDER_HEADER: ${MTBA_PATIENT_CSV_GENDER_HEADER} + PATIENT_CSV_BIRTHDAY_HEADER: ${MTBA_PATIENT_CSV_BIRTHDAY_HEADER} + CBIOPORTAL_URL: http://cbioportal:8080 + FILE_CHARSET: ${MTBA_FILE_CHARSET} + FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE} + CSV_DELIMITER: ${MTBA_CSV_DELIMITER} labels: - "traefik.enable=true" - "traefik.http.routers.mtba.rule=PathPrefix(`/`)" From c88919c926e1b07b0d5bfe8a21d32dfaee3c267e Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Wed, 8 Feb 2023 14:42:52 +0100 Subject: [PATCH 61/93] feature: Ensured the mapping to legacy ids works --- ccp/modules/id-management-setup.sh | 49 +++++++++++++++++++----------- 1 file changed, 32 insertions(+), 17 deletions(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 0f361dc..ba8ad45 100644 --- a/ccp/modules/id-management-setup.sh 
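Review bot: The service URLs change from the container names used elsewhere in this series (`bridgehead-ccp-blaze`, `bridgehead-id-manager`) to bare `blaze`, `id-manager` and `cbioportal`; these resolve only if they are the compose service keys on a network shared with mtba, which this hunk does not show, so please verify against the base compose file. `BLAZE_STORE_URL` also drops the `/fhir` path that the old value carried, and the four `PATIENT_CSV_*_HEADER` variables lose their `:-"..."` defaults, so an unset `MTBA_*` variable now yields an empty header name instead of the previous fallback. A comment naming the site-config variables that must be set, or defaults such as `${MTBA_PATIENT_CSV_FIRST_NAME_HEADER:-FIRST_NAME}`, would prevent silent misconfiguration.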
+++ b/ccp/modules/id-management-setup.sh @@ -13,25 +13,40 @@ function idManagementSetup() { PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')" # Ensure old ids are working !!! - legacyIdMapping + export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID") fi - } -# TODO: Map all old site ids to the new ones +# Transform into single string array, e.g. 'dktk-test' to 'dktk test' +# Usage: transformToSingleStringArray 'dktk-test' -> 'dktk test' +function transformToSingleStringArray() { + echo "${1//-/ }"; +} + +# Ensure all Words are Uppercase +# Usage: transformToUppercase 'dktk test' -> 'Dktk Test' +function transformToUppercase() { + result=""; + for word in $1; do + result+=" ${word^}"; + done + echo "$result"; +} + +# Handle all execeptions from the norm (e.g LMU, TUM) +# Usage: applySpecialCases 'Muenchen Lmu Test' -> 'Muenchen LMU Test' +function applySpecialCases() { + result="$1"; + result="${result/Lmu/LMU}"; + result="${result/Tum/TUM}"; + echo "$result"; +} + +# Transform current siteids to legacy version +# Usage: legacyIdMapping "dktk-test" -> "DktkTest" function legacyIdMapping() { - case ${SITE_ID} in - "berlin") - export IDMANAGEMENT_FRIENDLY_ID=Berlin - ;; - "dresden") - export IDMANAGEMENT_FRIENDLY_ID=Dresden - ;; - "frankfurt") - export IDMANAGEMENT_FRIENDLY_ID=Frankfurt - ;; - *) - export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID - ;; - esac + single_string_array=$(transformToSingleStringArray "$1"); + uppercase_string=$(transformToUppercase "$single_string_array"); + normalized_string=$(applySpecialCases "$uppercase_string"); + echo "$normalized_string" | tr -d ' ' } From d728ccd88657358374f107ee0a03b06442a5c4e1 Mon Sep 17 00:00:00 2001 
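Review bot: `result` in `transformToUppercase` and `applySpecialCases`, and `single_string_array`, `uppercase_string` and `normalized_string` in `legacyIdMapping`, are assigned without `local`, so because this file is sourced they leak into the calling shell; declare them `local result=""`, `local result="$1"` and `local single_string_array=...` respectively. The new mapping also changes behaviour for sites that previously fell through to `*)`: every `SITE_ID` is now capitalised and stripped of hyphens, so a site whose legacy id was its raw `SITE_ID` now gets a different `IDMANAGEMENT_FRIENDLY_ID`, which should be checked against the existing sites. `execeptions` in the comment above `applySpecialCases` is a typo. `idManagementSetup` begins above this hunk.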
From: Torben Brenner Date: Wed, 8 Feb 2023 15:02:35 +0100 Subject: [PATCH 62/93] refactor: Fixated Postgres Version to 15.1 All Minor Updates will cause a crashing postgres on start --- ccp/modules/id-management-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 3f13519..2f26ce4 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -41,7 +41,7 @@ services: - patientlist-db patientlist-db: - image: postgres:14-alpine + image: postgres:15.1-alpine container_name: bridgehead-patientlist-db environment: POSTGRES_USER: "mainzelliste" From 64095ac8dd3b0b0816ff6aefc77fe5d56a8efb16 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 9 Feb 2023 09:15:29 +0100 Subject: [PATCH 63/93] feat: Added Upload ApiKey to Patientlist --- ccp/modules/id-management-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 2f26ce4..8e5bab8 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -30,6 +30,7 @@ services: - ML_SITE=${SITE_ID} - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY} # Add Variables from /etc/patientlist-id-generators.env - PATIENTLIST_SEEDS_TRANSFORMED labels: From a1cd5a206e402922a22f037c4bedaa1488642150 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 9 Feb 2023 09:50:30 +0100 Subject: [PATCH 64/93] fix: Repaired check for Auto Updates --- lib/update-bridgehead.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index ab39cca..c661595 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
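Review bot: `image: postgres:15.1-alpine` is a major-version change from `postgres:14-alpine`, and a data directory initialised by 14 inside the `patientlist-db-data` volume will not start under a 15 image without a dump/restore or pg_upgrade; the commit message mentions only minor updates, so please confirm how existing sites are handled. Pinning the exact patch release also freezes the database at one build; if the pin is kept, a comment such as `# Major-version upgrades need a dump/restore of patientlist-db-data; see id-management.md` documents the hazard for the next bump.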
@@ -103,7 +103,7 @@ else hc_send log "$RES" fi -if [ -z "${BACKUP_DIRECTORY}" ]; then +if [ -n "${BACKUP_DIRECTORY}" ]; then if [ ! -d "$BACKUP_DIRECTORY" ]; then message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY." hc_send log "$message" From a6975e37ac8433d615b8a8ee3d36c219e047c194 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 9 Feb 2023 09:58:51 +0100 Subject: [PATCH 65/93] fix: Added Image Updates for activated Modules --- lib/update-bridgehead.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index c661595..c53b731 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -81,7 +81,7 @@ done # Check docker updates log "INFO" "Checking for updates to running docker images ..." docker_updated="false" -for IMAGE in $(cat $PROJECT/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do +for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do log "INFO" "Checking for Updates of Image: $IMAGE" if docker pull $IMAGE | grep "Downloaded newer image"; then CHANGE="Image $IMAGE updated." From 5a7dd1d0aedeba61c6d8c2b954f0bc0cc8ef5114 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 9 Feb 2023 10:07:05 +0100 Subject: [PATCH 66/93] fix: Use Mapped Site Id in Patientlist --- ccp/modules/id-management-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 8e5bab8..cb0c89a 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml 
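Review bot: `${OVERRIDE//-f/}` removes every `-f` substring from `OVERRIDE`, not just the flag, so an override file whose path contains `-f` (for example a `*-fhir-compose.yml`) would be mangled before `cat` reads it. Replacing the flag together with its surrounding spaces, `${OVERRIDE// -f / }`, limits the substitution to the option itself. A comment such as `# Also scan the compose overrides of enabled modules for images to update` would explain the expansion. The `grep`/`sed` extraction of `image:` lines is a rough parser that relies on every compose file putting the image on its own `image:` line, which holds for the files in this series but is worth stating.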
@@ -27,7 +27,7 @@ services: container_name: bridgehead-patientlist environment: - TOMCAT_REVERSEPROXY_FQDN=${HOST} - - ML_SITE=${SITE_ID} + - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID} - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY} From 8dd1b018420428d64f7a4152ea4d7077b00ff70d Mon Sep 17 00:00:00 2001 From: Croft Date: Mon, 20 Feb 2023 16:17:45 +0100 Subject: [PATCH 67/93] Updates for PR52 * Incorporated some of Martin's suggestions (the ones where I had no questions) * Updated the table of contents to reflect the current structure of the document. --- README.md | 93 +++++++++++++++++++++++-------------------------------- 1 file changed, 39 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index 1a11d87..d7c636f 100644 --- a/README.md +++ b/README.md 
@@ -6,24 +6,30 @@ This repository is the starting point for any information and tools you will nee 1. [Requirements](#requirements) - [Hardware](#hardware) - - [System](#system) + - [Software](#software) - [Git](#git) - [Docker](#docker) + - [Network](#network) 2. [Deployment](#deployment) - - [Installation](#installation) + - [Site name](#site-name) + - [Projects](#projects) + - [GitLab repository](#gitlab-repository) + - [Base Installation](#base-installation) - [Register with Samply.Beam](#register-with-samplybeam) - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead) - - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts) -3. [Additional Services](#additional-Services) - - [Monitoring](#monitoring) - - [Register with a Directory](#register-with-a-Directory) -4. [Site-specific configuration](#site-specific-configuration) + - [Testing your new Bridgehead](#testing-your-new-bridgehead) + - [De-installing a Bridgehead](#de-installing-a-bridgehead) +3. [Site-specific configuration](#site-specific-configuration) - [HTTPS Access](#https-access) - - [Locally Managed Secrets](#locally-managed-secrets) - - [Git Proxy Configuration](#git-proxy-configuration) - - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration) + - [TLS terminating proxies](#tls-terminating-proxies) + - [File structure](#file-structure) +4. [Things you should know](#things-you-should-know) + - [Auto-Updates](#auto-updates) - [Non-Linux OS](#non-linux-os) -5. [License](#license) +5. [Troubleshooting](#troubleshooting) + - [Monitoring](#monitoring) + - [Docker Daemon Proxy Configuration](#docker-Daemon-Proxy-Configuration) +6. [License](#license) ## Requirements 
@@ -98,9 +104,7 @@ We will set the repository up for you. We will then send you: - The repository's URL. - A token to access the repository. -Before installation, you must set up your site's configuration in GitLab. - -To do this, visit the configuration repository's URL and click on the configuration file. Depending on your project, this will be called either ```bbmri.conf```or ```ccp.conf```. Use the blue button to edit it. You will need to change, as a minimum, the following variables: +During the installation, your Bridgehead will download your site's configuration from GitLab. You will receive a weblink to review these settings and make changes as needed. To do this, visit the URL and click on the configuration file (```*.conf```, depending on your network). Use the blue button to edit it. You will need to check, as a minimum, the following variables: - SITE_NAME - SITE_ID @@ -109,9 +113,9 @@ To do this, visit the configuration repository's URL and click on the configurat - OPERATOR_EMAIL - OPERATOR_PHONE -SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site. +SITE_NAME and SITE_ID should be set to the chosen name for your site. OPERATOR_* should be set to values appropriate for the administrator of your site (see examples in the file). -Once you have made your changes, these will need to be reviewed by members of our team before you can proceed with the installation. +Once you have made your changes, these will need to be reviewed by members of our team as part of a git pull request. Once accepted, the Bridgehead will automatically re-download these settings as part of its auto-update. ### Base Installation 
@@ -176,7 +180,7 @@ After starting the Bridgehead, you can watch the initialization process with the journalctl -u bridgehead@bbmri -f ``` -if this exits with the following: +if this exits with something similar to the following: ``` bridgehead@bbmri.service: Main process exited, code=exited, status=1/FAILURE @@ -190,7 +194,7 @@ Once the Bridgehead is running, you can also view the individual Docker processe docker ps ``` -There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: +There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: ```shell journalctl -u bridgehead@bbmri -f 
@@ -216,31 +220,12 @@ If you have chosen to take part in our monitoring program (by setting the ```MON You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work. -The following steps will remove all traces of the Bridgehead from your machine. All locally stored data pertaining to the Bridgehead will be lost. - -First, purge the Bridgehead from ```systemctl```: +To do this, run: ```shell -sudo systemctl stop bridgehead@bbmri.service -sudo systemctl disable bridgehead@bbmri.service -sudo systemctl daemon-reload -sudo systemctl reset-failed +sh bridgehead uninstall ``` -Now remove the directories where the Bridgehead files reside: - -```shell -sudo rm -rf /srv/docker/bridgehead /etc/bridgehead -``` - -Finally, get rid of the Docker images: - -```shell -docker image rm traefik:latest samply/beam-proxy:develop samply/blaze:0.18 samply/bridgehead-forward-proxy:latest samply/bridgehead-landingpage:master samply/spot:latest -``` - -Note that you will still have a functioning Beam certificate and a functioning GitLab configuration repository, even after you have removed everything locally. - ## Site-specific configuration ### HTTPS Access @@ -271,21 +256,6 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@.service` and `systemctl cat bridgehead-update@ Date: Tue, 21 Feb 2023 09:26:53 +0100 Subject: [PATCH 68/93] Switch beam images to develop tag --- bbmri/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 3291326..89ed1a9 100644 --- a/bbmri/docker-compose.yml 
+++ b/bbmri/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:main + image: samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 4c26d5e..65e57d2 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:main + image: samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} From 191e9863642119a5088124f714bb045de29e3348 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Wed, 22 Feb 2023 15:32:21 +0100 Subject: [PATCH 69/93] Add check for installation in WSL and for systemd --- lib/prepare-system.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 2cba2e2..2a4fdae 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -5,6 +5,15 @@ source lib/functions.sh log "INFO" "Preparing your system for bridgehead installation ..." +# Check, if running in WSL +if [[ $(grep -i Microsoft /proc/version) ]]; then + # Check, if systemd is available + if [ ! $(systemctl) ]; then + log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/" + exit 1 + fi +fi + # Create the bridgehead user if id bridgehead &>/dev/null; then log "INFO" "Existing user with id $(id -u bridgehead) will be used by the bridgehead system units." From 4578c77d4bf18d2275d45a94532cdfed04673bb8 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Wed, 22 Feb 2023 15:42:52 +0100 Subject: [PATCH 70/93] Fix systemd check --- lib/prepare-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 2a4fdae..cfede1e 100755 --- a/lib/prepare-system.sh 
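Review bot: Switching `beam-proxy` from `main` to the moving `develop` tag in both production compose files means every site runs whatever was last pushed to the development branch, and the auto-update job in `lib/update-bridgehead.sh` pulls images unattended, so unreviewed builds of the component that fronts all Beam traffic (and presumably holds the site's Beam key material) reach production without a human gate. For an auto-updating deployment, pin a released tag and ideally a digest: `image: samply/beam-proxy:<release>@sha256:<digest>`. If `develop` is needed for a test period, select it through a variable so production sites stay on a release tag by default.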
+++ b/lib/prepare-system.sh @@ -8,7 +8,7 @@ log "INFO" "Preparing your system for bridgehead installation ..." # Check, if running in WSL if [[ $(grep -i Microsoft /proc/version) ]]; then # Check, if systemd is available - if [ ! $(systemctl) ]; then + if [ $(systemctl is-system-running) -eq "offline" ]; then log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/" exit 1 fi From fdda14c1bea574c9a8eef11e8459056ae2ed3f16 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 23 Feb 2023 14:26:59 +0100 Subject: [PATCH 71/93] Fixed naming of site in exliquid script --- ccp/exliquid-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh index 83daa45..91909eb 100644 --- a/ccp/exliquid-setup.sh +++ b/ccp/exliquid-setup.sh @@ -2,7 +2,7 @@ function exliquidSetup() { case ${SITE_ID} in - berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen) + berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tum|mannheim|tuebingen) EXLIQUID=1 ;; dktk-test) From 3023b82bb164a99d331f86a113418e6c78b90895 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 21 Feb 2023 09:26:53 +0100 Subject: [PATCH 72/93] Switch beam images to develop tag --- bbmri/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 3291326..89ed1a9 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:main + image: samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 4c26d5e..65e57d2 100644 --- a/ccp/docker-compose.yml 
+++ b/ccp/docker-compose.yml @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:main + image: samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} From 2dc36433bf38527970160942e793cfc21a91e6d3 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 23 Feb 2023 14:26:59 +0100 Subject: [PATCH 73/93] Fixed naming of site in exliquid script --- ccp/exliquid-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh index 83daa45..91909eb 100644 --- a/ccp/exliquid-setup.sh +++ b/ccp/exliquid-setup.sh @@ -2,7 +2,7 @@ function exliquidSetup() { case ${SITE_ID} in - berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen) + berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tum|mannheim|tuebingen) EXLIQUID=1 ;; dktk-test) From 8b2e99200ed0586faf6ed7e7df229908c9809072 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Thu, 23 Feb 2023 18:05:34 +0100 Subject: [PATCH 74/93] Fix typo --- lib/prepare-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 2cba2e2..f54ee07 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -26,7 +26,7 @@ if [ -d "/srv/docker/bridgehead" ]; then else log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead" mkdir -p /srv/docker/ - git clone bridgehead_repository_url /srv/docker/bridgehead + git clone $bridgehead_repository_url /srv/docker/bridgehead fi case "$PROJECT" in From 857e351b884b11d123d4516e4fadea04f893addb Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Thu, 23 Feb 2023 18:05:53 +0100 Subject: [PATCH 75/93] Support gitmirror for github.com repo --- lib/prepare-system.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index f54ee07..8cacdf0 100755 
--- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -14,7 +14,12 @@ else fi # Clone the OpenSource repository of bridgehead -bridgehead_repository_url="https://github.com/samply/bridgehead.git" +set +e +bridgehead_repository_url=$(git remote get-url origin) +if [ $? -ne 0 ]; then + bridgehead_repository_url="https://github.com/samply/bridgehead.git" +fi +set -e if [ -d "/srv/docker/bridgehead" ]; then current_owner=$(stat -c '%U' /srv/docker/bridgehead) if [ "$(su -c 'git -C /srv/docker/bridgehead remote get-url origin' $current_owner)" == "$bridgehead_repository_url" ]; then From 7a350a8c9b2e3c1d5a8c3a56d0e7958e468ea39a Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Fri, 24 Feb 2023 11:29:06 +0100 Subject: [PATCH 76/93] Fix string comparison in WSL check --- lib/prepare-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index cfede1e..169ad2c 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -8,7 +8,7 @@ log "INFO" "Preparing your system for bridgehead installation ..." # Check, if running in WSL if [[ $(grep -i Microsoft /proc/version) ]]; then # Check, if systemd is available - if [ $(systemctl is-system-running) -eq "offline" ]; then + if [ $(systemctl is-system-running) = "offline" ]; then log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/" exit 1 fi From bfc00b99676ce51c821bd9fd38739ed5e3495843 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Fri, 24 Feb 2023 11:41:05 +0100 Subject: [PATCH 77/93] Prevent variable splitting in wsl check and improve error message --- lib/prepare-system.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 169ad2c..7e9f24f 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh 
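Review bot: The installer now takes `git remote get-url origin` from whatever directory it happens to be run in and uses that URL as the source for `/srv/docker/bridgehead` (and presumably for later auto-updates) without logging or validating it, so running `install` from a fork or from an `http://`/`git://` remote silently makes that remote the site's update source. At minimum log the chosen URL and restrict the transport, e.g. after the fallback: `case "$bridgehead_repository_url" in https://*) ;; *) log ERROR "Refusing non-HTTPS bridgehead repository $bridgehead_repository_url"; exit 1;; esac`. The ownership/URL comparison that follows continues outside the hunk.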
@@ -8,8 +8,8 @@ log "INFO" "Preparing your system for bridgehead installation ..." # Check, if running in WSL if [[ $(grep -i Microsoft /proc/version) ]]; then # Check, if systemd is available - if [ $(systemctl is-system-running) = "offline" ]; then - log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/" + if [ "$(systemctl is-system-running)" = "offline" ]; then + log "ERROR" "It seems you have no active systemd environment in your WSL environment. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/" exit 1 fi fi From 5d38f48f682065d3ec1ce70275452a57ea9da932 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Fri, 24 Feb 2023 16:32:17 +0100 Subject: [PATCH 78/93] Add developer install --- bridgehead | 7 ++++++- lib/prepare-system.sh | 10 ++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/bridgehead b/bridgehead index ecf4ec0..227a0d7 100755 --- a/bridgehead +++ b/bridgehead @@ -77,7 +77,12 @@ case "$ACTION" in exec ./lib/update-bridgehead.sh $PROJECT ;; install) - source ./lib/prepare-system.sh + source ./lib/prepare-system.sh NODEV + loadVars + exec ./lib/install-bridgehead.sh $PROJECT + ;; + dev-install) + exec ./lib/prepare-system.sh DEV loadVars exec ./lib/install-bridgehead.sh $PROJECT ;; diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 8cacdf0..765c6d3 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -1,5 +1,7 @@ #!/bin/bash -e +DEV_MODE="${1:-NODEV}" + source lib/log.sh source lib/functions.sh 
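Review bot: `[ "$(systemctl is-system-running)" = "offline" ]` only catches the case where systemd is installed but not PID 1; on a WSL distribution without `systemctl` at all, the command substitution fails, yields an empty string, the comparison is false, and the installation proceeds into the systemd-based setup the rest of the script presumably performs. Guard for the missing binary as well: `if ! command -v systemctl >/dev/null 2>&1 || [ "$(systemctl is-system-running 2>/dev/null)" = "offline" ]; then`. The enclosing `if [[ $(grep -i Microsoft /proc/version) ]]` block is fully inside the hunk, but the rest of the script is not.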
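Review bot: In the new `dev-install` branch, `exec ./lib/prepare-system.sh DEV` replaces the current shell, so the `loadVars` and `exec ./lib/install-bridgehead.sh $PROJECT` lines that follow are never reached and a developer installation stops after system preparation; the `install` branch directly above uses `source` for exactly this reason. Change it to `source ./lib/prepare-system.sh DEV`. The enclosing `case "$ACTION"` starts and ends outside the hunk.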
@@ -55,7 +57,7 @@ if [ -d /etc/bridgehead ]; then else log "WARN" "Your site configuration repository in /etc/bridgehead seems to have another origin than git.verbis.dkfz.de. Please check if the repository is correctly cloned!" fi -else +elif [[ "$DEV_MODE" == "NODEV" ]]; then log "INFO" "Now cloning your site configuration repository for you." read -p "Please enter your site: " site read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token @@ -64,9 +66,13 @@ else if [ $? -gt 0 ]; then log "ERROR" "Unable to clone your configuration repository. Please obtain correct access data and try again." fi +elif [[ "$DEV_MODE" == "DEV" ]]; then + log "INFO" "Now cloning your developer configuration repository for you." + read -p "Please enter your config repository URL: " url + git clone "$url" /etc/bridgehead fi chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead -log INFO "System preparation is completed and private key is present." +log INFO "System preparation is completed and configuration is present." From cedc97477f3bc094cdb35daf1d6b2a8ba81513c6 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Mon, 27 Feb 2023 13:02:59 +0100 Subject: [PATCH 79/93] Add developer install option to the documentation --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 8fba0c9..2951102 100644 --- a/README.md +++ b/README.md 
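Review bot: The `DEV` branch runs `git clone "$url" /etc/bridgehead` with no check of the result and no record of which URL was used, unlike the `NODEV` branch above it, which at least logs a failure; whether the `-e` in the shebang is in effect depends on how the script is invoked (`install` sources it, `dev-install` currently execs it), so a failed or mistyped clone can fall through to `chown -R bridgehead /etc/bridgehead` and the "configuration is present" message. Make the trust decision and the failure explicit: `log INFO "Cloning developer configuration from $url"` followed by `git clone "$url" /etc/bridgehead || { log ERROR "Unable to clone $url"; exit 1; }`. Since that repository's contents are presumably sourced as shell configuration by root on every start, and any token embedded in the URL is persisted in `/etc/bridgehead/.git/config` (readable by the `bridgehead` user after the chown), the prompt should say so.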
@@ -157,6 +157,10 @@ To keep all Bridgeheads up and working and detect any errors before a user does, In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes. +### Development Installation + +By using `./bridgehead dev-install ` instead of `install`, you can install a developer bridgehead. The difference is, that you can provide an arbitrary configuration repository during the installation, meaning that it does not have to adhere to the usual naming scheme. This allows for better decoupling between development and production configurations. + ## Troubleshooting ### Docker Daemon Proxy Configuration From 0ff153ef22ab71ad6ca6e31d37f59950062a9545 Mon Sep 17 00:00:00 2001 From: lablans Date: Wed, 8 Mar 2023 09:00:38 +0000 Subject: [PATCH 80/93] Use project name. Add is-running function. --- bridgehead | 7 +++++-- lib/functions.sh | 12 +++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/bridgehead b/bridgehead index 227a0d7..60f4aa9 100755 --- a/bridgehead +++ b/bridgehead @@ -66,11 +66,14 @@ case "$ACTION" in checkRequirements hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." export LDM_LOGIN=$(getLdmPassword) - exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit + exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; stop) loadVars - exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down + exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down + ;; + is-running) + exit bk_is_running ;; update) loadVars diff --git a/lib/functions.sh b/lib/functions.sh index 23fb939..6954cd2 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -34,7 +34,7 @@ checkOwner(){ } printUsage() { - echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME" + echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME" echo "PROJECTNAME should be one of ccp|bbmri" } @@ -169,6 +169,16 @@ function retry { return 0 } +function bk_is_running { + RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)" + NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l) + if [ $NUMBEROFRUNNING -gt 0 ]; then + return 0 + else + return 1 + fi +} + ##Setting Network properties # currently not needed #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'); From 380511d3bb5ff95422f269621eb49484b231199a Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Wed, 8 Mar 2023 10:37:37 +0100 Subject: [PATCH 81/93] Don't delete docker images if BK is not running --- bridgehead | 3 ++- lib/functions.sh | 3 ++- lib/update-bridgehead.sh | 9 +++++++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/bridgehead b/bridgehead index 60f4aa9..f2eaa6b 100755 --- a/bridgehead +++ b/bridgehead @@ -73,7 +73,8 @@ case "$ACTION" in exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down ;; is-running) - exit bk_is_running + bk_is_running + exit $? ;; update) loadVars diff --git a/lib/functions.sh b/lib/functions.sh index 6954cd2..836ffcc 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -170,9 +170,10 @@ function retry { } function bk_is_running { + detectCompose RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)" NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l) - if [ $NUMBEROFRUNNING -gt 0 ]; then + if [ $NUMBEROFRUNNING -ge 2 ]; then return 0 else return 1 diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index c53b731..bce720d 100755 --- a/lib/update-bridgehead.sh 
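Review bot: `NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l)` reports 1 for an empty `$RUNNING` because `echo` always emits a newline, which is presumably why the threshold was raised to `-ge 2`; but that makes a Bridgehead with exactly one container up report "not running", and the count stays fragile against any change in what `ps -q` prints. Test the string instead of counting lines: `if [ -n "$RUNNING" ]; then return 0; else return 1; fi`, or `[ "$(printf '%s' "$RUNNING" | grep -c .)" -gt 0 ]`. Depending on the Compose version, `ps -q` may also list exited containers, so "has containers" is not quite "is running"; on newer Compose v2 `ps -q --status running` narrows it.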
+++ b/lib/update-bridgehead.sh @@ -4,10 +4,15 @@ source lib/functions.sh AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true} if [ "$AUTO_HOUSEKEEPING" == "true" ]; then - A="Performing automatic maintenance: Cleaning docker images." + A="Performing automatic maintenance: " + if bk_is_running; then + A="$A Cleaning docker images." + docker system prune -a -f + else + A="$A Not cleaning docker images since BK is not running." + fi hc_send log "$A" log INFO "$A" - docker system prune -a -f else log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")" fi From 33b50372c6d264ce17811656ab2b2d74bf846404 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Thu, 9 Mar 2023 11:16:34 +0100 Subject: [PATCH 82/93] Pull docker images from DKFZ mirror --- bbmri/docker-compose.yml | 12 ++++++------ ccp/docker-compose.yml | 12 ++++++------ ccp/exliquid-compose.yml | 4 ++-- ccp/modules/id-management-compose.yml | 2 +- ccp/mtba-compose.yml | 2 +- ccp/nngm-compose.yml | 2 +- lib/functions.sh | 2 +- 7 files changed, 18 insertions(+), 18 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 89ed1a9..6a6d0a8 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -3,7 +3,7 @@ version: "3.7" services: traefik: container_name: bridgehead-traefik - image: traefik:latest + image: docker.verbis.dkfz.de/cache/traefik:latest command: - --entrypoints.web.address=:80 - --entrypoints.websecure.address=:443 @@ -32,7 +32,7 @@ services: forward_proxy: container_name: bridgehead-forward-proxy - image: samply/bridgehead-forward-proxy:latest + image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest environment: HTTPS_PROXY: ${HTTPS_PROXY_URL} USERNAME: ${HTTPS_PROXY_USERNAME} 
@@ -42,7 +42,7 @@ services: landing: container_name: bridgehead-landingpage - image: samply/bridgehead-landingpage:master + image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master labels: - "traefik.enable=true" - "traefik.http.routers.landing.rule=PathPrefix(`/`)" @@ -54,7 +54,7 @@ services: SITE_NAME: ${SITE_NAME} blaze: - image: "samply/blaze:0.19" + image: docker.verbis.dkfz.de/cache/samply/blaze:0.19 container_name: bridgehead-bbmri-blaze environment: BASE_URL: "http://bridgehead-bbmri-blaze:8080" @@ -72,7 +72,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" spot: - image: samply/spot:latest + image: docker.verbis.dkfz.de/cache/samply/spot:latest container_name: bridgehead-spot environment: SECRET: ${SPOT_BEAM_SECRET_LONG} @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 65e57d2..209ee70 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -3,7 +3,7 @@ version: "3.7" services: traefik: container_name: bridgehead-traefik - image: traefik:latest + image: docker.verbis.dkfz.de/cache/traefik:latest command: - --entrypoints.web.address=:80 - --entrypoints.websecure.address=:443 @@ -32,7 +32,7 @@ services: forward_proxy: container_name: bridgehead-forward-proxy - image: samply/bridgehead-forward-proxy:latest + image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest environment: HTTPS_PROXY: ${HTTPS_PROXY_URL} USERNAME: ${HTTPS_PROXY_USERNAME} @@ -42,7 +42,7 @@ services: landing: container_name: bridgehead-landingpage - image: samply/bridgehead-landingpage:master + image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master labels: - "traefik.enable=true" - "traefik.http.routers.landing.rule=PathPrefix(`/`)" 
@@ -54,7 +54,7 @@ services: SITE_NAME: ${SITE_NAME} blaze: - image: "samply/blaze:0.19" + image: docker.verbis.dkfz.de/cache/samply/blaze:0.19 container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" @@ -72,7 +72,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" spot: - image: samply/spot:latest + image: docker.verbis.dkfz.de/cache/samply/spot:latest container_name: bridgehead-spot environment: SECRET: ${SPOT_BEAM_SECRET_LONG} @@ -85,7 +85,7 @@ services: - "blaze" beam-proxy: - image: samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml index eb8d194..d5bb351 100644 --- a/ccp/exliquid-compose.yml +++ b/ccp/exliquid-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: exliquid-task-store: - image: "samply/blaze:0.19" + image: docker.verbis.dkfz.de/cache/samply/blaze:0.19 container_name: bridgehead-exliquid-task-store environment: BASE_URL: "http://bridgehead-exliquid-task-store:8080" @@ -13,7 +13,7 @@ services: - "traefik.enable=false" exliquid-report-hub: - image: "samply/report-hub:latest" + image: docker.verbis.dkfz.de/cache/samply/report-hub:latest container_name: bridgehead-exliquid-report-hub environment: SPRING_WEBFLUX_BASE_PATH: "/exliquid" diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index cb0c89a..be1375e 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -42,7 +42,7 @@ services: - patientlist-db patientlist-db: - image: postgres:15.1-alpine + image: docker.verbis.dkfz.de/cache/postgres:15.1-alpine container_name: bridgehead-patientlist-db environment: POSTGRES_USER: "mainzelliste" diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml index bb90059..01cff12 100644 --- a/ccp/mtba-compose.yml +++ b/ccp/mtba-compose.yml 
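Review bot: Routing every pull through `docker.verbis.dkfz.de/cache/...` adds a registry to the trust path of all sites while the images are still referenced by mutable tags (`blaze:0.19`, `spot:latest`, `beam-proxy:develop`, `report-hub:latest` in these hunks), so neither the mirror nor the upstream tag gives a site any way to verify that the image it auto-pulls is the one that was reviewed. Pin digests alongside the tag, `image: docker.verbis.dkfz.de/cache/samply/blaze:0.19@sha256:<digest>`, which also makes a stale or tampered cache fail loudly instead of serving different content. It is also worth documenting that the mirror must be reachable by every site, since the unattended update loop in `lib/update-bridgehead.sh` now depends on it.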
@@ -2,7 +2,7 @@ version: "3.7" services: mtba: - image: samply/mtba:develop + image: docker.verbis.dkfz.de/cache/samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml index c212fed..bd189fb 100644 --- a/ccp/nngm-compose.yml +++ b/ccp/nngm-compose.yml @@ -18,7 +18,7 @@ services: - "traefik.http.routers.connector.tls=true" connector_db: - image: postgres:9.5-alpine + image: docker.verbis.dkfz.de/cache/postgres:9.5-alpine container_name: bridgehead-ccp-connector-db volumes: - "connector_db_data:/var/lib/postgresql/data" diff --git a/lib/functions.sh b/lib/functions.sh index 836ffcc..fb93e87 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -11,7 +11,7 @@ detectCompose() { getLdmPassword() { if [ -n "$LDM_PASSWORD" ]; then - docker run --rm httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r' + docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r' else echo -n "" fi From 25081c1bf48b53d097579468642a079afffd4146 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Thu, 9 Mar 2023 14:56:45 +0100 Subject: [PATCH 83/93] hotfix: Switch to old Project Name --- bridgehead | 6 ++++-- lib/functions.sh | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/bridgehead b/bridgehead index f2eaa6b..13cb682 100755 --- a/bridgehead +++ b/bridgehead 
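Review bot: `connector_db` is re-homed onto `postgres:9.5-alpine`, a major version that reached end-of-life in February 2021 and no longer receives security fixes, so mirroring it does not change that the nNGM connector database runs unsupported software. The id-management module in this same series moved to `postgres:15.1-alpine`; the connector needs the equivalent move, which is a dump/restore migration rather than a tag bump because the data directory format differs between majors, and so deserves its own tracked change. Until then a `# TODO: PostgreSQL 9.5 is EOL since 2021-02; needs dump/restore upgrade` comment next to the image line would at least make the state visible.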
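Review bot: `htpasswd -nb $PROJECT $LDM_PASSWORD` puts the local datamanagement password on the command line of both the `docker run` process on the host and the `htpasswd` process in the container, where any local user can read it via `ps` and where it is recorded in the container's config (`docker inspect`) until `--rm` cleans up; the unquoted `$LDM_PASSWORD` is also word-split and glob-expanded, so a password containing spaces or `*` yields a wrong hash. Feed it over stdin instead: `printf '%s\n' "$LDM_PASSWORD" | docker run --rm -i docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -ni "$PROJECT" | tr -d '\n' | tr -d '\r'`. The `getLdmPassword` function is fully inside the hunk.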
@@ -66,11 +66,13 @@ case "$ACTION" in checkRequirements hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." export LDM_LOGIN=$(getLdmPassword) - exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit + exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; stop) loadVars - exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down + # HACK: This is tempoarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp) + $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down + exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down ;; is-running) bk_is_running diff --git a/lib/functions.sh b/lib/functions.sh index fb93e87..ac5ae6b 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -171,7 +171,7 @@ function retry { function bk_is_running { detectCompose - RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)" + RUNNING="$($COMPOSE -p $PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)" NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l) if [ $NUMBEROFRUNNING -ge 2 ]; then return 0 From d7a983000b357fee0d06ae94f1263bc19d884dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= Date: Fri, 17 Mar 2023 11:03:19 +0100 Subject: [PATCH 84/93] Update README.md --- README.md | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index d7c636f..69b1902 100644 --- a/README.md +++ b/README.md 
@@ -96,15 +96,33 @@ To request a new repository, please send an email to one of the following: - For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu. - For the ccp project: support-ccp@dkfz-heidelberg.de -Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name. +Mention: +- which project you belong to, i.e. "bbmri" or "ccp" +- site name (According to conventions listed above) +- operator name, email and contact phone We will set the repository up for you. We will then send you: - A Repository Short Name (RSN). Beware: this is distinct from your site name. -- The repository's URL. -- A token to access the repository. +- Repository URL containing the acces token eg. https://BH_Dummy:dummy_token@git.verbis.dkfz.de/bbmri-bridgehead-configs/dummy.git -During the installation, your Bridgehead will download your site's configuration from GitLab. You will receive a weblink to review these settings and make changes as needed. To do this, visit the URL and click on the configuration file (```*.conf```, depending on your network). Use the blue button to edit it. You will need to check, as a minimum, the following variables: +During the installation, your Bridgehead will download your site's configuration from GitLab and you can review the details provided to us by email. + + +### Base Installation + +First, download your site specific configuration repository: +```shell +sudo mkdir -p /etc/bridgehead/ +sudo git clone /etc/bridgehead/ +``` + +Review the site configuration: +```shell +sudo cat /etc/bridgehead/bbmri.conf +``` + +Pay special attention to: - SITE_NAME - SITE_ID 
@@ -113,14 +131,7 @@ During the installation, your Bridgehead will download your site's configuration - OPERATOR_EMAIL - OPERATOR_PHONE -SITE_NAME and SITE_ID should be set to the chosen name for your site. OPERATOR_* should be set to values appropriate for the administrator of your site (see examples in the file). - -Once you have made your changes, these will need to be reviewed by members of our team as part of a git pull request. Once accepted, the Bridgehead will automatically re-download these settings as part of its auto-update. - -### Base Installation - -First, get the Bridgehead: - +Download the bridghead repository: ```shell sudo mkdir -p /srv/docker/ sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead @@ -133,12 +144,6 @@ cd /srv/docker/bridgehead sudo ./bridgehead install ``` -When prompted with "Please enter your site", you should enter the Repository Short Name (RSN) for GitLab that you were given in the previous section. - -When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you. - -You should then be prompted to do the next step: - ### Register with Samply.Beam Many Bridgehead services rely on the secure, performant and flexible messaging middleware called [Samply.Beam](https://github.com/samply/beam). You will need to register ("enroll") with Samply.Beam by creating a cryptographic key pair for your bridgehead: From c53fe491d97ec03ed63d7cecbd0f66389836ff6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= Date: Fri, 17 Mar 2023 11:17:25 +0100 Subject: [PATCH 85/93] Update README.md Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 69b1902..3e0c4b3 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ Site names should adhere to the following conventions: - They should generally be named after the city where your site is based, e.g. ```karlsruhe```. - If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```. - If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```. -- If you are a developer and you are making changes to the Bridgehead, please use your name and append "-dev", e.g. ```joe-doe-dev```. +- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend "dev-", e.g. ```dev-joe-doe```. ### Projects From bf3989dcbd02a381a0c76115fab1585c286d9a41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= Date: Fri, 17 Mar 2023 11:17:47 +0100 Subject: [PATCH 86/93] Update README.md Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com> --- README.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/README.md b/README.md index 3e0c4b3..1f888f2 100644 --- a/README.md +++ b/README.md @@ -76,17 +76,6 @@ Site names should adhere to the following conventions: - If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```. - If you are a developer and you are making changes to the Bridgehead, please use your name and prepend "dev-", e.g. ```dev-joe-doe```. -### Projects - -The following "projects" are known to the Bridgehead installation: - -- bbmri -- ccp - -Use "bbmri" if you are in the BBMRI-ERIC European biobank network or the GBA (German Biobank Alliance) network. - -Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network. - ### GitLab repository In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software. From c39518f763456401f0cb0dacfdee6f0e97ad8067 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= Date: Fri, 17 Mar 2023 11:25:56 +0100 Subject: [PATCH 87/93] Update README.md --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1f888f2..45ecf52 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,7 @@ Site names should adhere to the following conventions: In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software. -To request a new repository, please send an email to one of the following: +To request a new repository, please contact your research network administration or send an email to one of the project specific addresses: - For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu. - For the ccp project: support-ccp@dkfz-heidelberg.de @@ -88,7 +88,7 @@ To request a new repository, please send an email to one of the following: Mention: - which project you belong to, i.e. "bbmri" or "ccp" - site name (According to conventions listed above) -- operator name, email and contact phone +- operator name and email We will set the repository up for you. We will then send you: @@ -118,9 +118,8 @@ Pay special attention to: - OPERATOR_FIRST_NAME - OPERATOR_LAST_NAME - OPERATOR_EMAIL -- OPERATOR_PHONE -Download the bridghead repository: +Clone the bridgehead repository: ```shell sudo mkdir -p /srv/docker/ sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead From 8f3d2f0947c0c25641d1c7ebc0291b678fca8211 Mon Sep 17 00:00:00 2001 From: Enola Knezevic Date: Wed, 22 Mar 2023 11:26:55 +0100 Subject: [PATCH 88/93] replace local spot with focus --- bbmri/docker-compose.yml | 14 +++++++------- bbmri/vars | 3 +-- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 6a6d0a8..eb30a34 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml 
@@ -71,12 +71,12 @@ services: - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth" - "traefik.http.routers.blaze_ccp.tls=true" - spot: - image: docker.verbis.dkfz.de/cache/samply/spot:latest - container_name: bridgehead-spot + focus: + image: docker.verbis.dkfz.de/cache/samply/focus:develop + container_name: bridgehead-focus environment: - SECRET: ${SPOT_BEAM_SECRET_LONG} - APPID: spot + API_KEY: ${FOCUS_BEAM_SECRET_SHORT} + APP_ID: focus PROXY_ID: ${PROXY_ID} LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir BEAM_PROXY: http://beam-proxy:8081 @@ -90,8 +90,8 @@ services: environment: BROKER_URL: ${BROKER_URL} PROXY_ID: ${PROXY_ID} - APP_0_ID: spot - APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT} + APP_0_ID: focus + APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT} PRIVKEY_FILE: /run/secrets/proxy.pem ALL_PROXY: http://forward_proxy:3128 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs diff --git a/bbmri/vars b/bbmri/vars index 6fb693d..5803ac5 100644 --- a/bbmri/vars +++ b/bbmri/vars @@ -1,7 +1,6 @@ BROKER_ID=broker.bbmri.samply.de BROKER_URL=https://${BROKER_ID} PROXY_ID=${SITE_ID}.${BROKER_ID} -SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" -SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}" +FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem From 1c3785ace7579b9ab877d5edb6d5f4dc4860dda9 Mon Sep 17 00:00:00 2001 From: Enola Knezevic Date: Wed, 22 Mar 2023 11:37:48 +0100 Subject: [PATCH 89/93] added missing variables and renamed correctly --- bbmri/docker-compose.yml | 7 ++++--- bbmri/vars | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index eb30a34..348166c 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml 
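Review bot: `image: docker.verbis.dkfz.de/cache/samply/focus:develop` pins the site's query component to a moving development tag, and the `spot:latest` it replaces was no better; whatever is pushed to that tag is pulled by every site on its next start (and, per the README in this series, on auto-update) with nothing to review or reproduce. A release tag plus digest, e.g. `image: docker.verbis.dkfz.de/cache/samply/focus:<release>@sha256:<digest>`, would make the deployed code identifiable and prevent a registry-side change from silently altering what runs against the local Blaze. If `develop` is deliberate while focus is pre-release, a comment `# TODO pin to a release tag/digest before production roll-out` on the image line would at least record that decision. Note that `APP_ID` and `API_KEY` on the new side are renamed again in later commits of this series.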
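Review bot: `FOCUS_BEAM_SECRET_SHORT` is one kernel UUID cut to 20 hex characters (80 bits) and is regenerated every time `vars` is sourced, so each `bridgehead start` issues a new key that only the focus and beam-proxy containers brought up in that same compose run share; none of this is stated in the file. A comment such as `# per-start shared secret between focus (API_KEY) and beam-proxy (APP_0_KEY); 20 hex chars = 80 bits, regenerated on every start, never persisted` would stop someone from "fixing" it into a persistent value or copying it into a config file. If the key ever has to survive restarting one of the two services on its own, it would instead need to be generated once and stored with restrictive permissions, which is outside this hunk.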
@@ -76,10 +76,11 @@ services:
 container_name: bridgehead-focus
 environment:
 API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
- APP_ID: focus
+ BEAM_APP_ID: focus
 PROXY_ID: ${PROXY_ID}
- LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir
- BEAM_PROXY: http://beam-proxy:8081
+ BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
+ BEAM_PROXY_URL: http://beam-proxy:8081
+ RETRY_COUNT: ${FOCUS_RETRY_COUNT}
 depends_on:
 - "beam-proxy"
 - "blaze"
diff --git a/bbmri/vars b/bbmri/vars
index 5803ac5..34995ed 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -2,5 +2,6 @@ BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
\ No newline at end of file
From ebd213e1192d0d43c111ef70aa94817fe66713ce Mon Sep 17 00:00:00 2001
From: Enola Knezevic
Date: Thu, 23 Mar 2023 15:07:30 +0100
Subject: [PATCH 90/93] focus app name long
---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 348166c..6173830 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,7 +76,7 @@ services:
 container_name: bridgehead-focus
 environment:
 API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
- BEAM_APP_ID: focus
+ BEAM_APP_ID: focus.${PROXY_ID}
 PROXY_ID: ${PROXY_ID}
 BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
 BEAM_PROXY_URL: http://beam-proxy:8081
From caeb3034978a41af83ba964df162c57e5e88409b Mon Sep 17 00:00:00 2001
From: Enola Knezevic
Date: Thu, 23 Mar 2023 15:26:10 +0100
Subject: [PATCH 91/93] beam app id changed to avoid confusion
---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
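Review bot: The new side of the `bbmri/vars` hunk drops the file's trailing newline (`\ No newline at end of file`), which the added `FOCUS_RETRY_COUNT=32` line does not require; sourcing still works, but any later `echo ... >> bbmri/vars` would be glued onto the `PRIVATEKEYFILENAME=` line and silently change that path. Restore the final newline, and give the new knob a one-line comment saying what the 32 attempts apply to, since the name alone does not say whether it is the beam-proxy connection or the Blaze query that is retried and I cannot tell from this diff. The compose hunk above passes it through unquoted as `RETRY_COUNT: ${FOCUS_RETRY_COUNT}`, so an unset variable would arrive as an empty string rather than failing; `${FOCUS_RETRY_COUNT:?}` would make that explicit.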
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 6173830..9b1255e 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,7 +76,7 @@ services:
 container_name: bridgehead-focus
 environment:
 API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
- BEAM_APP_ID: focus.${PROXY_ID}
+ BEAM_APP_ID_LONG: focus.${PROXY_ID}
 PROXY_ID: ${PROXY_ID}
 BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
 BEAM_PROXY_URL: http://beam-proxy:8081
From 6530aca843e592c5a3d20a067dffc45f1f8fd857 Mon Sep 17 00:00:00 2001
From: Enola Knezevic
Date: Thu, 23 Mar 2023 15:30:28 +0100
Subject: [PATCH 92/93] and proxy name
---
 bbmri/docker-compose.yml | 6 +++---
 bbmri/vars | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 9b1255e..f8b7178 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,8 +76,8 @@ services:
 container_name: bridgehead-focus
 environment:
 API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
- BEAM_APP_ID_LONG: focus.${PROXY_ID}
- PROXY_ID: ${PROXY_ID}
+ BEAM_APP_ID_LONG: focus.${PROXY_ID_LONG}
+ PROXY_ID: ${PROXY_ID_LONG}
 BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
 BEAM_PROXY_URL: http://beam-proxy:8081
 RETRY_COUNT: ${FOCUS_RETRY_COUNT}
@@ -90,7 +90,7 @@ services:
 container_name: bridgehead-beam-proxy
 environment:
 BROKER_URL: ${BROKER_URL}
- PROXY_ID: ${PROXY_ID}
+ PROXY_ID: ${PROXY_ID_LONG}
 APP_0_ID: focus
 APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
 PRIVKEY_FILE: /run/secrets/proxy.pem
diff --git a/bbmri/vars b/bbmri/vars
index 34995ed..434cb4f 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -1,6 +1,6 @@
 BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
+PROXY_ID_LONG=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
From bf408f9297dce0874b3f46f29ec0dee3544ae8a0 Mon Sep 17 00:00:00 2001
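Review bot: Renaming `PROXY_ID` to `PROXY_ID_LONG` in `bbmri/vars` retires a variable name without a fallback, and Compose substitutes an empty string (with only a warning) for any `${PROXY_ID}` that still exists, so a reference the two compose hunks above did not catch would yield a value such as `focus.` at runtime instead of failing. Either keep `PROXY_ID=${PROXY_ID_LONG}` in `vars` as a compatibility alias for one release, or use the required-variable form in the compose file, e.g. `PROXY_ID: ${PROXY_ID_LONG:?PROXY_ID_LONG not set}`, so a stale name aborts `up` loudly. Whether other files still reference `PROXY_ID` cannot be seen from this diff; the `ccp` compose files earlier in this series use `${PROXY_ID}` from their own `vars` and are not touched here.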
From: Enola Knezevic
Date: Mon, 27 Mar 2023 09:28:55 +0200
Subject: [PATCH 93/93] slash and quotation marks around blaze path
---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index f8b7178..d15f694 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -78,7 +78,7 @@ services:
 API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
 BEAM_APP_ID_LONG: focus.${PROXY_ID_LONG}
 PROXY_ID: ${PROXY_ID_LONG}
- BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
+ BLAZE_URL: "http://bridgehead-bbmri-blaze:8080/fhir/"
 BEAM_PROXY_URL: http://beam-proxy:8081
 RETRY_COUNT: ${FOCUS_RETRY_COUNT}
 depends_on:
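Review bot: Only `BLAZE_URL` is double-quoted on the new side while `BEAM_PROXY_URL` directly below it and the other URL values stay plain, and the quotes change nothing for this value (no `: `, ` #` or leading indicator in it), so either quote every URL in the block or none. The trailing slash is the actual behaviour change and carries no explanation; if focus needs it for path joining (I cannot confirm that from this diff), a comment `# trailing slash required by focus` on the line would stop the next reader from "tidying" it away. The `focus` service definition begins before the hunk and continues after `depends_on:`.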