From de10c8508e29181d5d4f54117058d4887ace76be Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 26 Sep 2023 13:17:36 +0200 Subject: [PATCH 01/23] readme: URL list --- README.md | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e91a54a..4947f8a 100644 --- a/README.md +++ b/README.md 
@@ -55,21 +55,35 @@ Ensure the following software (or newer) is installed: We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). -Note for Ubuntu: Please note that snap versions of Docker are not supported. +> 📝 Note for Ubuntu: Please note that snap versions of Docker are not supported. -Note for git and Docker: if you have a local proxy, you will need to adjust your setup appropriately, see [git proxy](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker proxy](https://docs.docker.com/network/proxy/). +> 📝 Note for git and Docker: if you have a local proxy, you will need to adjust your setup appropriately, see [git proxy](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker proxy](https://docs.docker.com/network/proxy/). ### Network -A running Bridgehead requires an outgoing HTTPS proxy to communicate with the central components. +A Bridgehead communicates to all central components via outgoing HTTPS connections. -Additionally, your site might use its own proxy. You should discuss this with your local systems administration. If a proxy is being used, you will need to note down the URL of the proxy. If it is a secure proxy, then you will also need to make a note of its username and password. This information will be used later on during the installation process. +Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect to external servers; you should discuss this with your local systems administration. In that case, you will need to note down the URL of the proxy. If the proxy requires authentication, you will also need to make a note of its username and password. This information will be used later on during the installation process. TLS terminating proxies are also supported, see [here](#tls-terminating-proxies). 
The following URLs need to be accessible (prefix with `https://`): +* To fetch code and configuration from git repositories + * github.com + * git.verbis.dkfz.de +* To fetch docker images (📝 Docker URLs are subject to change, see [official list](https://docs.docker.com/desktop/allow-list/)) + * docker.verbis.dkfz.de + * hub.docker.com + * registry-1.docker.io + * production.cloudflare.docker.com +* only for DKTK/CCP + * broker.ccp-it.dktk.dkfz.de +* only for BBMRI-ERIC + * broker.bbmri.samply.de +* only for German Biobank Node + * broker.bbmri.de -Note that git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators. +> 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.samply.de, *.bbmri.de. -If there is a site firewall, this needs to be configured so that outgoing calls to the following URLs are allowed: *.dkfz.de, github.com, docker.io, *.docker.io, *.samply.de. +Note that apart from the Bridgehead itself, git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators. -Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker). +> 📝 Note for Ubuntu: The uncomplicated firewall (ufw) is known to conflict with Docker, more info [here](https://github.com/chaifeng/ufw-docker). ## Deployment From d21c6d7835c19381234634e9856ccaa6916807f7 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 26 Sep 2023 13:42:14 +0200 Subject: [PATCH 02/23] Move git/docker proxy config --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4947f8a..03e4df2 100644 --- a/README.md +++ b/README.md 
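Review bot: the wildcard advice in the new `> 📝 This URL list is subject to change ...` line (`*.dkfz.de, github.com, *.docker.com, *.docker.io, *.samply.de, *.bbmri.de`) opens egress to every host under those zones, which is far wider than the hostnames enumerated just above it, and "highly recommend" steers sites toward the broad rule. Suggest presenting the wildcards as a fallback for firewalls that cannot track list changes and keeping the exact hostnames as the preferred egress rule. Also, the removed line allowed the apex `docker.io`, which the new wildcards no longer cover; confirm nothing is pulled from there. Minor: `Note for Ubuntu: Please note that` says "note" twice.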
@@ -55,15 +55,15 @@ Ensure the following software (or newer) is installed: We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). -> 📝 Note for Ubuntu: Please note that snap versions of Docker are not supported. - -> 📝 Note for git and Docker: if you have a local proxy, you will need to adjust your setup appropriately, see [git proxy](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker proxy](https://docs.docker.com/network/proxy/). +> 📝 Note for Ubuntu: Snap versions of Docker are not supported. ### Network A Bridgehead communicates to all central components via outgoing HTTPS connections. -Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect to external servers; you should discuss this with your local systems administration. In that case, you will need to note down the URL of the proxy. If the proxy requires authentication, you will also need to make a note of its username and password. This information will be used later on during the installation process. TLS terminating proxies are also supported, see [here](#tls-terminating-proxies). The following URLs need to be accessible (prefix with `https://`): +Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect to external servers; you should discuss this with your local systems administration. In that case, you will need to note down the URL of the proxy. If the proxy requires authentication, you will also need to make a note of its username and password. This information will be used later on during the installation process. TLS terminating proxies are also supported, see [here](#tls-terminating-proxies). Apart from the Bridgehead itself, you may also need to configure the proxy server in [git](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker](https://docs.docker.com/network/proxy/). 
+ +The following URLs need to be accessible (prefix with `https://`): * To fetch code and configuration from git repositories * github.com * git.verbis.dkfz.de @@ -81,9 +81,7 @@ Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect > 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.samply.de, *.bbmri.de. -Note that apart from the Bridgehead itself, git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators. - -> 📝 Note for Ubuntu: The uncomplicated firewall (ufw) is known to conflict with Docker, more info [here](https://github.com/chaifeng/ufw-docker). +> 📝 Ubuntu's pre-installed uncomplicated firewall (ufw) is known to conflict with Docker, more info [here](https://github.com/chaifeng/ufw-docker). ## Deployment From 0c75ac281061750ebc69abd9872a9ce503aefbe8 Mon Sep 17 00:00:00 2001 From: Martin Lablans <6804500+lablans@users.noreply.github.com> Date: Wed, 27 Sep 2023 08:48:45 +0200 Subject: [PATCH 03/23] Add healthchecks Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com> --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 03e4df2..3c5234d 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,8 @@ The following URLs need to be accessible (prefix with `https://`): * hub.docker.com * registry-1.docker.io * production.cloudflare.docker.com +* To report bridgeheads operational status + * healthchecks.verbis.dkfz.de * only for DKTK/CCP * broker.ccp-it.dktk.dkfz.de * only for BBMRI-ERIC From 377b003207e81b17774286a9b29fd1bb728eb3f0 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Wed, 27 Sep 2023 09:12:48 +0200 Subject: [PATCH 04/23] Refactor, add BBMRI-ERIC gitlab --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3c5234d..b2aa842 100644 
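Review bot: `* To report bridgeheads operational status` should read `To report the Bridgehead's operational status`; more importantly, a new outbound destination (`healthchecks.verbis.dkfz.de`) is being added to the allow-list without a word about what is transmitted. `lib/monitoring.sh` later in this series posts the message together with `Docker stats`, so one clause stating what leaves the site would let operators judge the egress rule they are asked to open.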
--- a/README.md +++ b/README.md @@ -69,15 +69,17 @@ The following URLs need to be accessible (prefix with `https://`): * git.verbis.dkfz.de * To fetch docker images (📝 Docker URLs are subject to change, see [official list](https://docs.docker.com/desktop/allow-list/)) * docker.verbis.dkfz.de - * hub.docker.com - * registry-1.docker.io - * production.cloudflare.docker.com + * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all)) + * hub.docker.com + * registry-1.docker.io + * production.cloudflare.docker.com * To report bridgeheads operational status * healthchecks.verbis.dkfz.de * only for DKTK/CCP * broker.ccp-it.dktk.dkfz.de * only for BBMRI-ERIC * broker.bbmri.samply.de + * gitlab.bbmri-eric.eu * only for German Biobank Node * broker.bbmri.de From 3c0a99423797416a80182f9e66feac85ac63da4a Mon Sep 17 00:00:00 2001 From: Pierre Delpy Date: Wed, 27 Sep 2023 09:22:11 +0200 Subject: [PATCH 05/23] use docker cache for beam-enroll and vaultfetcher --- lib/functions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 97b75f8..82a501d 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -49,7 +49,7 @@ fetchVarsFromVault() { set +e - PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@) + PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy docker.verbis.dkfz.de/cache/samply/bridgehead-vaultfetcher:latest $@) RET=$? if [ $RET -ne 0 ]; then 
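Review bot: the link in `+ * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))` is truncated; the context line two above still carries the full `https://docs.docker.com/desktop/allow-list/`, so the new sub-bullet should use that URL. The same "subject to change" parenthetical now appears on both the parent bullet and the new sub-bullet; keep one.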
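Review bot: the vaultfetcher container started by the new `PASS=$(... docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET ... docker.verbis.dkfz.de/cache/samply/bridgehead-vaultfetcher:latest $@)` line receives the Bitwarden master password and client secret, and `:latest` through a pull-through cache means whatever is published under that tag upstream at pull time gets them. Suggest pinning the image to a released version or, better, an `@sha256:` digest, and quoting `"$@"` so arguments containing spaces survive.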
@@ -188,7 +188,7 @@ function do_enroll_inner { PARAMS+="--admin-email $SUPPORT_EMAIL" fi - docker run --rm -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $PARAMS + docker run --rm -v /etc/bridgehead/pki:/etc/bridgehead/pki docker.verbis.dkfz.de/cache/samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $PARAMS chmod 600 $PRIVATEKEYFILENAME } From 5ca11d1bf5e3738621c46535c84703b53db48f1e Mon Sep 17 00:00:00 2001 From: Martin Lablans <6804500+lablans@users.noreply.github.com> Date: Wed, 27 Sep 2023 10:06:28 +0200 Subject: [PATCH 06/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b2aa842..9d50c8a 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ The following URLs need to be accessible (prefix with `https://`): * To fetch code and configuration from git repositories * github.com * git.verbis.dkfz.de -* To fetch docker images (📝 Docker URLs are subject to change, see [official list](https://docs.docker.com/desktop/allow-list/)) +* To fetch docker images * docker.verbis.dkfz.de * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all)) * hub.docker.com From 4bdad68da5e658c16613c38f2d062ad7f1e86ead Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 5 Oct 2023 09:43:57 +0200 Subject: [PATCH 07/23] Added proxy user + pw detection --- bridgehead | 1 + lib/functions.sh | 11 +++++++++++ lib/monitoring.sh | 4 ++-- lib/prerequisites.sh | 2 +- lib/update-bridgehead.sh | 2 +- 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/bridgehead b/bridgehead index b937635..8db9735 100755 --- a/bridgehead +++ b/bridgehead @@ -65,6 +65,7 @@ loadVars() { fi detectCompose setHostname + setupProxy } case "$ACTION" in diff --git a/lib/functions.sh b/lib/functions.sh index 82a501d..0163b1c 100644 --- a/lib/functions.sh 
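Review bot: `docker.verbis.dkfz.de/cache/samply/beam-enroll:latest` in `do_enroll_inner` writes the site's Beam private key into the bind-mounted `/etc/bridgehead/pki`, so this image deserves a version or digest pin at least as much as the vault fetcher does. Separately, `chmod 600 $PRIVATEKEYFILENAME` runs only after the container has exited, so the key briefly exists with whatever mode the container created it with; keeping `/etc/bridgehead/pki` itself at `0700` (or setting `umask 077` inside the container) closes that window, and `"$PRIVATEKEYFILENAME"` should be quoted.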
+++ b/lib/functions.sh @@ -9,6 +9,17 @@ detectCompose() { fi } +setupProxy() { + if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then + log "INFO" "Detected proxy user and password" + PROTO="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + URL="$(echo ${HTTP_PROXY_URL/$PROTO/})" + PROXY="$(echo $PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$URL)" + else + PROXY=$HTTP_PROXY_URL + fi +} + exitIfNotRoot() { if [ "$EUID" -ne 0 ]; then log "ERROR" "Please run as root" diff --git a/lib/monitoring.sh b/lib/monitoring.sh index c3eb9fc..1b12272 100755 --- a/lib/monitoring.sh +++ b/lib/monitoring.sh @@ -47,8 +47,8 @@ function hc_send(){ if [ -n "$2" ]; then MSG="$2\n\nDocker stats:\n$UPTIME" - echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + echo -e "$MSG" | https_proxy=$PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" else - https_proxy=$HTTPS_PROXY_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + https_proxy=$PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" fi } diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index 2665b95..3140a2c 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -68,7 +68,7 @@ source /etc/bridgehead/${PROJECT}.conf source ${PROJECT}/vars set +e -SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" +SERVERTIME="$(https_proxy=$PROXY curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" RET=$? set -e if [ $RET -ne 0 ]; then 
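Review bot: `PROXY="$(echo $PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$URL)"` concatenates the credentials into the URL without percent-encoding, so a password containing `@`, `:`, `/`, `#` or `%` yields a malformed proxy URL that curl and git will parse as a different host or user. Encode both fields first (for example `printf %s "$HTTP_PROXY_PASSWORD" | jq -Rr @uri`), quote the expansions (`echo "$HTTP_PROXY_URL"`), and consider replacing the `echo | grep | sed` pipeline with `${HTTP_PROXY_URL%%://*}://` and `${HTTP_PROXY_URL#*://}`, which split the scheme from the rest without spawning processes or depending on `grep` matching.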
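Review bot: switching `https_proxy=$HTTPS_PROXY_URL` to `https_proxy=$PROXY` in `hc_send` is a regression for sites whose HTTP and HTTPS proxies differ, because `PROXY` is built from `HTTP_PROXY_URL` only and `HTTPS_PROXY_URL` is no longer consulted anywhere in this patch (the same substitution is made in `lib/prerequisites.sh`). Either build a second value from `HTTPS_PROXY_URL` or state in the commit message that the two URLs are now assumed to be identical.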
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 9958eb5..37ac8cd 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -55,7 +55,7 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1) + OUT=$(retry 5 git -c http.proxy=$PROXY -c https.proxy=$PROXY -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$PROXY -c https.proxy=$PROXY -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From 85446b0a3edd4a1ff4e34d9837a8aa52380c5b1f Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Mon, 9 Oct 2023 09:43:30 +0200 Subject: [PATCH 08/23] Added SECURE_PROXY if the https and http proxy are the same --- lib/functions.sh | 7 ++++++- lib/monitoring.sh | 4 ++-- lib/prerequisites.sh | 2 +- lib/update-bridgehead.sh | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 0163b1c..15d9aed 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -3,7 +3,7 @@ detectCompose() { if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then COMPOSE="docker compose" - else + e COMPOSE="docker-compose" # This is intended to fail on startup in the next prereq check. fi 
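Review bot: `git -c http.proxy=$PROXY -c https.proxy=$PROXY` now places the proxy username and password on the git command line, where any local user can read them from `ps` or `/proc/*/cmdline` while the fetch and pull run, and git's error text captured into `$OUT` and passed to `report_error` may echo the URL into the log. Prefer handing the value to git through the `https_proxy` environment variable, as `monitoring.sh` and `prerequisites.sh` already do, and keep the log line printing the credential-free `${HTTP_PROXY_URL}` as it does now.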
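Review bot: `- else` / `+ e` in `detectCompose` replaces the `else` keyword with a stray `e`, which is a bash syntax error; since `lib/functions.sh` is sourced by every entry point, the whole Bridgehead tooling fails to parse until the following commit restores it. This looks like an accidental keystroke; squash the fix from the next patch into this one so that no commit in the series is broken.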
@@ -15,8 +15,13 @@ setupProxy() { PROTO="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" URL="$(echo ${HTTP_PROXY_URL/$PROTO/})" PROXY="$(echo $PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$URL)" + + SECURE_PROTO="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + SECURE_URL="$(echo ${HTTPS_PROXY_URL/$SECURE_PROTO/})" + SECURE_PROXY="$(echo $SECURE_PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$SECURE_URL)" else PROXY=$HTTP_PROXY_URL + SECURE_PROXY=$HTTPS_PROXY_URL fi } diff --git a/lib/monitoring.sh b/lib/monitoring.sh index 1b12272..c4b3fad 100755 --- a/lib/monitoring.sh +++ b/lib/monitoring.sh @@ -47,8 +47,8 @@ function hc_send(){ if [ -n "$2" ]; then MSG="$2\n\nDocker stats:\n$UPTIME" - echo -e "$MSG" | https_proxy=$PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + echo -e "$MSG" | https_proxy=$SECURE_PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" else - https_proxy=$PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + https_proxy=$SECURE_PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" fi } diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index 3140a2c..5a9372f 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -68,7 +68,7 @@ source /etc/bridgehead/${PROJECT}.conf source ${PROJECT}/vars set +e -SERVERTIME="$(https_proxy=$PROXY curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" +SERVERTIME="$(https_proxy=$SECURE_PROXY curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" RET=$? set -e if [ $RET -ne 0 ]; then 
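Review bot: the new `SECURE_PROXY` is built from `HTTPS_PROXY_URL` but authenticated with `HTTP_PROXY_USERNAME`/`HTTP_PROXY_PASSWORD`, and nothing checks that `HTTPS_PROXY_URL` is set at all: when only the HTTP proxy is configured, `SECURE_PROTO` and `SECURE_URL` are empty and `SECURE_PROXY` becomes the bare string `user:password@`, which is then handed to curl as `https_proxy`, failing the request at best and surfacing the credentials in error output at worst. Guard with `[ -n "$HTTPS_PROXY_URL" ]` and move the proto/host/credential assembly into one helper that both branches call instead of duplicating the `grep :// | sed` pipeline.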
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 37ac8cd..5620261 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -55,7 +55,7 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c http.proxy=$PROXY -c https.proxy=$PROXY -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$PROXY -c https.proxy=$PROXY -C $DIR pull 2>&1) + OUT=$(retry 5 git -c http.proxy=$PROXY -c https.proxy=$SECURE_PROXY -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$PROXY -c https.proxy=$SECURE_PROXY -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From 68cd62b981396d57b7a387e0bec187b6c52a0742 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Tue, 10 Oct 2023 10:43:22 +0200 Subject: [PATCH 09/23] reaf: var naming for proxy usage in our bridgehead scripts --- lib/functions.sh | 18 +++++++++--------- lib/monitoring.sh | 4 ++-- lib/prerequisites.sh | 2 +- lib/update-bridgehead.sh | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 15d9aed..bc1339e 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -3,7 +3,7 @@ detectCompose() { if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then COMPOSE="docker compose" - e + else COMPOSE="docker-compose" # This is intended to fail on startup in the next prereq check. fi 
@@ -12,16 +12,16 @@ detectCompose() { setupProxy() { if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then log "INFO" "Detected proxy user and password" - PROTO="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - URL="$(echo ${HTTP_PROXY_URL/$PROTO/})" - PROXY="$(echo $PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$URL)" + HTTP_PROXY_PROTOCOL="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + HTTP_PROXY_FQDN="$(echo ${HTTP_PROXY_URL/$HTTP_PROXY_PROTOCOL/})" + HTTP_PROXY_FULL_URL="$(echo $HTTP_PROXY_PROTOCOL$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$HTTP_PROXY_FQDN)" - SECURE_PROTO="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - SECURE_URL="$(echo ${HTTPS_PROXY_URL/$SECURE_PROTO/})" - SECURE_PROXY="$(echo $SECURE_PROTO$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$SECURE_URL)" + HTTPS_PROXY_PROTOCOL="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + HTTPS_PROXY_FQDN="$(echo ${HTTPS_PROXY_URL/$HTTPS_PROXY_PROTOCOL/})" + HTTPS_PROXY_FULL_URL="$(echo $HTTPS_PROXY_PROTOCOL$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$HTTPS_PROXY_FQDN)" else - PROXY=$HTTP_PROXY_URL - SECURE_PROXY=$HTTPS_PROXY_URL + HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL + HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL fi } diff --git a/lib/monitoring.sh b/lib/monitoring.sh index c4b3fad..b5466a5 100755 --- a/lib/monitoring.sh +++ b/lib/monitoring.sh 
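Review bot: the rename does not change that `HTTPS_PROXY_FULL_URL` is still assembled with `$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD`, so a site whose HTTPS proxy has its own credentials has no way to supply them, and an empty `HTTPS_PROXY_URL` still yields `user:password@` as the HTTPS value. Also `HTTP_PROXY_FQDN` holds `host:port` (plus any path), not a fully qualified domain name; a name such as `HTTP_PROXY_HOSTPORT` would describe the content.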
@@ -47,8 +47,8 @@ function hc_send(){ if [ -n "$2" ]; then MSG="$2\n\nDocker stats:\n$UPTIME" - echo -e "$MSG" | https_proxy=$SECURE_PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + echo -e "$MSG" | https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" else - https_proxy=$SECURE_PROXY curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" + https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" fi } diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index 5a9372f..10166e0 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -68,7 +68,7 @@ source /etc/bridgehead/${PROJECT}.conf source ${PROJECT}/vars set +e -SERVERTIME="$(https_proxy=$SECURE_PROXY curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" +SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" RET=$? set -e if [ $RET -ne 0 ]; then diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 5620261..0af9ce3 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
@@ -55,7 +55,7 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c http.proxy=$PROXY -c https.proxy=$SECURE_PROXY -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$PROXY -c https.proxy=$SECURE_PROXY -C $DIR pull 2>&1) + OUT=$(retry 5 git -c http.proxy=$HTTP_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTP_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From 93026d2d8953f6bb210904e84bacd38b91b3e8ea Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Fri, 20 Oct 2023 13:58:46 +0200 Subject: [PATCH 10/23] Change tag for bridgehead-landingpage --- minimal/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index c0eb353..1769054 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -45,7 +45,7 @@ services: landing: container_name: bridgehead-landingpage - image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master + image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:main labels: - "traefik.enable=true" - "traefik.http.routers.landing.rule=PathPrefix(`/`)" From 87cc0acecc6a9b18730d63eb8e63b18979276a98 Mon Sep 17 00:00:00 2001 From: Torben Brenner <76154651+torbrenner@users.noreply.github.com> Date: Fri, 20 Oct 2023 14:18:56 +0200 Subject: [PATCH 11/23] Corrected Link to Docker Daemon Proxy Configuration (#129) --- README.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d50c8a..69f037f 100644 --- a/README.md +++ b/README.md 
@@ -354,8 +354,28 @@ Installation under WSL ought to work, but we have not tested this. ### Docker Daemon Proxy Configuration -Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com). +Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, you'll need to configure the proxy inside the system unit of docker by creating the file `/etc/systemd/system/docker.service.d/proxy.conf` with the following content: +``` ini +[Service] +Environment="HTTP_PROXY=http://proxy.example.com:3128" +Environment="HTTPS_PROXY=https://proxy.example.com:3128" +Environment="NO_PROXY=localhost,127.0.0.1,some-local-docker-registry.example.com,.corp" +``` + +After saving the configuration file, you'll need to reload the system daemon for the changes to take effect: + +``` shell +sudo systemctl daemon-reload +``` + +and restart the docker daemon: + +``` shell +sudo systemctl restart docker +``` + +For more information, please consult the [official documentation](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy). ### Monitoring From 74817a21da95e5d9ef362d96c95a41e054205e37 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Fri, 20 Oct 2023 15:59:24 +0200 Subject: [PATCH 12/23] Rewrote proxy detection logic to deal with all combinations of no/authenticated/unauthenticated proxy servers --- lib/functions.sh | 39 +++++++++++++++++++++++++++------------ lib/update-bridgehead.sh | 3 +-- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index bc1339e..1dce2c6 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
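Review bot: the example drop-in sets `Environment="HTTPS_PROXY=https://proxy.example.com:3128"` with an `https://` scheme on the same port as `HTTP_PROXY`; that scheme makes the daemon open TLS to the proxy itself, which only works if the proxy terminates TLS on that port, whereas most forward proxies expect plain-HTTP `CONNECT` and would need `http://proxy.example.com:3128` here. A sentence telling readers to copy the scheme and port their proxy actually serves would head off a common misconfiguration. If the site's proxy requires authentication, the credentials end up in this unit file, which is typically world-readable; recommend `chmod 600 /etc/systemd/system/docker.service.d/proxy.conf` in that case.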
@@ -10,19 +10,34 @@ detectCompose() { } setupProxy() { - if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then - log "INFO" "Detected proxy user and password" - HTTP_PROXY_PROTOCOL="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - HTTP_PROXY_FQDN="$(echo ${HTTP_PROXY_URL/$HTTP_PROXY_PROTOCOL/})" - HTTP_PROXY_FULL_URL="$(echo $HTTP_PROXY_PROTOCOL$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$HTTP_PROXY_FQDN)" - - HTTPS_PROXY_PROTOCOL="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - HTTPS_PROXY_FQDN="$(echo ${HTTPS_PROXY_URL/$HTTPS_PROXY_PROTOCOL/})" - HTTPS_PROXY_FULL_URL="$(echo $HTTPS_PROXY_PROTOCOL$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$HTTPS_PROXY_FQDN)" - else - HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL - HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL + http="no" + if [ $HTTP_PROXY_URL ]; then + if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then + proto="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + fqdn="$(echo ${HTTP_PROXY_URL/$proto/})" + HTTP_PROXY_FULL_URL="$(echo $proto$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$fqdn)" + http="authenticated" + else + HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL + http="unauthenticated" + fi fi + + https="no" + if [ $HTTPS_PROXY_URL ]; then + if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then + proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" + HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" + https="authenticated" + else + HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL + https="unauthenticated" + fi + fi + + log INFO "Configuring proxy servers: $http http proxy, $https https proxy" + unset http https fqdn proto } exitIfNotRoot() { diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 0af9ce3..c50b31e 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
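Review bot: the rewrite introduces `HTTPS_PROXY_USERNAME`/`HTTPS_PROXY_PASSWORD`, while the previous version read only `HTTP_PROXY_USERNAME`/`HTTP_PROXY_PASSWORD` for both proxies, so an existing site that set the HTTP pair will, after updating, silently connect to its HTTPS proxy unauthenticated; the only hint is the `Configuring proxy servers:` log line. Add a `log WARN` when the HTTP credentials are set but the HTTPS ones are not, and document the new variables in the site configuration template. Also `if [ $HTTP_PROXY_URL ]` and `if [ $HTTPS_PROXY_URL ]` are unquoted tests (an empty value becomes `[ ]`, a value with spaces breaks `[`); use `[ -n "$HTTP_PROXY_URL" ]`. The credentials are still concatenated into the URL without percent-encoding.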
@@ -50,8 +50,7 @@ for DIR in /etc/bridgehead $(pwd); do git -C $DIR config credential.helper "$CREDHELPER" fi old_git_hash="$(git -C $DIR rev-parse --verify HEAD)" - if [ -z "$HTTP_PROXY_URL" ]; then - log "INFO" "Git is using no proxy!" + if [ -z "$HTTP_PROXY_FULL_URL" ]; then OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" From 9fc8564e4ef280403deb472a40eda255e02d740e Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Fri, 20 Oct 2023 16:47:15 +0200 Subject: [PATCH 13/23] Fixed git proxy check --- lib/update-bridgehead.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index c50b31e..1f311c2 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -50,7 +50,8 @@ for DIR in /etc/bridgehead $(pwd); do git -C $DIR config credential.helper "$CREDHELPER" fi old_git_hash="$(git -C $DIR rev-parse --verify HEAD)" - if [ -z "$HTTP_PROXY_FULL_URL" ]; then + if [ -z "$HTTPS_PROXY_FULL_URL" ]; then + log "INFO" "Git is using no proxy!" OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" From e0990d99cb63130b2edb6798ed3a571339d2896e Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Mon, 23 Oct 2023 11:06:59 +0000 Subject: [PATCH 14/23] Comment out HTTP proxy parsing --- lib/functions.sh | 25 ++++++++++++++----------- lib/update-bridgehead.sh | 4 ++-- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 1dce2c6..1dec95b 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
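Review bot: `if [ -z "$HTTP_PROXY_FULL_URL" ]` chooses the branch on the HTTP proxy, but the repositories listed in the README are fetched over HTTPS, so a site that configured only `HTTPS_PROXY_URL` takes the no-proxy branch and the update fails; test `HTTPS_PROXY_FULL_URL` instead. Dropping `log "INFO" "Git is using no proxy!"` at the same time removes the one line that would make that failure diagnosable.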
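Review bot: with the condition now on `HTTPS_PROXY_FULL_URL`, the else branch still logs `Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}`, which prints the HTTP proxy (possibly empty) while git is in fact being pointed at the HTTPS one; log `${HTTPS_PROXY_URL}` so the message matches the branch that chose it.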
@@ -10,18 +10,21 @@ detectCompose() { } setupProxy() { + ### Note: As the current data protection concepts do not allow communication via HTTP, this + ### handling of a proxy for HTTP requests is commented out and will not be used + # http="no" - if [ $HTTP_PROXY_URL ]; then - if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then - proto="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - fqdn="$(echo ${HTTP_PROXY_URL/$proto/})" - HTTP_PROXY_FULL_URL="$(echo $proto$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$fqdn)" - http="authenticated" - else - HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL - http="unauthenticated" - fi - fi + # if [ $HTTP_PROXY_URL ]; then + # if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then + # proto="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + # fqdn="$(echo ${HTTP_PROXY_URL/$proto/})" + # HTTP_PROXY_FULL_URL="$(echo $proto$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$fqdn)" + # http="authenticated" + # else + # HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL + # http="unauthenticated" + # fi + # fi https="no" if [ $HTTPS_PROXY_URL ]; then diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 1f311c2..6c84960 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
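Review bot: commenting out the HTTP block also comments out `http="no"`, but the `log INFO "Configuring proxy servers: $http http proxy, $https https proxy"` and `unset http https fqdn proto` lines further down in `setupProxy` (added in the earlier rewrite) still reference `http`, so the log now prints an empty field. Since git history preserves the old code, delete the dead block, keep only the `### Note:` explaining that HTTP is not used under the data protection concept, and change the log line to mention the HTTPS proxy alone.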
@@ -54,8 +54,8 @@ for DIR in /etc/bridgehead $(pwd); do log "INFO" "Git is using no proxy!" OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else - log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c http.proxy=$HTTP_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTP_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) + log "INFO" "Git is using proxy ${HTTPS_PROXY_URL} from ${CONFFILE}" + OUT=$(retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git-c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From 262b9bd62e84571be2d61c21c4a50aed48e99cd2 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Wed, 11 Oct 2023 08:09:49 +0200 Subject: [PATCH 15/23] add adt2fhir-rest service --- ccp/modules/adt2fhir-rest-compose.yml | 18 ++++++++++++++++++ ccp/modules/adt2fhir-rest-setup.sh | 11 +++++++++++ ccp/modules/id-management-setup.sh | 1 + ccp/modules/mtba-setup.sh | 17 ++++++++--------- ccp/modules/nngm-setup.sh | 2 +- ccp/vars | 3 ++- 6 files changed, 41 insertions(+), 11 deletions(-) create mode 100644 ccp/modules/adt2fhir-rest-compose.yml create mode 100644 ccp/modules/adt2fhir-rest-setup.sh diff --git a/ccp/modules/adt2fhir-rest-compose.yml b/ccp/modules/adt2fhir-rest-compose.yml new file mode 100644 index 0000000..bba8163 --- /dev/null +++ b/ccp/modules/adt2fhir-rest-compose.yml 
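Review bot: the pull half of the new `OUT=$(retry 5 git -c https.proxy=... fetch 2>&1 && retry 5 git-c https.proxy=... pull 2>&1)` line is missing the space between `git` and `-c`, so the shell looks for a command named `git-c`, `retry` repeats the command-not-found five times, and every site behind an HTTPS proxy stops receiving updates even though the fetch succeeds. Restore `git -c`; the removal of `http.proxy` itself is consistent with the commit message.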
@@ -0,0 +1,18 @@ +version: "3.7" + +services: + adt2fhir-rest: + container_name: bridgehead-adt2fhir-rest + image: docker.verbis.dkfz.de/ccp/adt2fhir-rest:main + environment: + IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID + MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + SALT: ${LOCAL_SALT} + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.adt2fhir-rest.rule=PathPrefix(`/adt2fhir-rest`)" + - "traefik.http.middlewares.adt2fhir-rest_strip.stripprefix.prefixes=/adt2fhir-rest" + - "traefik.http.services.adt2fhir-rest.loadbalancer.server.port=8080" + - "traefik.http.routers.adt2fhir-rest.tls=true" + - "traefik.http.routers.adt2fhir-rest.middlewares=adt2fhir-rest_strip,auth" \ No newline at end of file diff --git a/ccp/modules/adt2fhir-rest-setup.sh b/ccp/modules/adt2fhir-rest-setup.sh new file mode 100644 index 0000000..5003bd3 --- /dev/null +++ b/ccp/modules/adt2fhir-rest-setup.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +if [ -n "$ENABLE_ADT2FHIR_REST" ]; then + log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API." + if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then + log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" + exit 1; + fi + OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml" + LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" +fi diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 1e24891..1b347e7 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh @@ -39,6 +39,7 @@ function applySpecialCases() { result="$1"; result="${result/Lmu/LMU}"; result="${result/Tum/TUM}"; + result="${result/Dktk Test/Teststandort}"; echo "$result"; } diff --git a/ccp/modules/mtba-setup.sh b/ccp/modules/mtba-setup.sh index c0834b9..ac050e0 100644 --- a/ccp/modules/mtba-setup.sh +++ b/ccp/modules/mtba-setup.sh 
@@ -1,13 +1,12 @@ #!/bin/bash function mtbaSetup() { - # TODO: Check if ID-Management Module is activated! - if [ -n "$ENABLE_MTBA" ];then - log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal." - if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then - log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!" - exit 1; - fi - OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml" - fi + if [ -n "$ENABLE_MTBA" ];then + log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal." + if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then + log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" + exit 1; + fi + OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml" + fi } \ No newline at end of file diff --git a/ccp/modules/nngm-setup.sh b/ccp/modules/nngm-setup.sh index 3e31f59..3a0432f 100644 --- a/ccp/modules/nngm-setup.sh +++ b/ccp/modules/nngm-setup.sh @@ -5,4 +5,4 @@ function nngmSetup() { log INFO "nNGM setup detected -- will start nNGM Connector." OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml" fi - } +} diff --git a/ccp/vars b/ccp/vars index 0c80e8a..9a0dbeb 100644 --- a/ccp/vars +++ b/ccp/vars @@ -17,4 +17,5 @@ done idManagementSetup nngmSetup -mtbaSetup \ No newline at end of file +mtbaSetup +adt2fhirRestSetup \ No newline at end of file From 0555786435bc68786f6112fd4807797c7f6af85e Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Tue, 24 Oct 2023 07:41:17 +0200 Subject: [PATCH 16/23] fix bash logic --- ccp/modules/adt2fhir-rest-setup.sh | 18 ++++++++++-------- ccp/modules/nngm-setup.sh | 10 ++++------ ccp/vars | 1 - 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/ccp/modules/adt2fhir-rest-setup.sh b/ccp/modules/adt2fhir-rest-setup.sh index 5003bd3..707d9c5 100644 --- a/ccp/modules/adt2fhir-rest-setup.sh +++ b/ccp/modules/adt2fhir-rest-setup.sh 
@@ -1,11 +1,13 @@ #!/bin/bash -if [ -n "$ENABLE_ADT2FHIR_REST" ]; then - log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API." - if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then - log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" - exit 1; +function adt2fhirRestSetup() { + if [ -n "$ENABLE_ADT2FHIR_REST" ]; then + log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API." + if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then + log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" + exit 1; + fi + OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml" + LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" fi - OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml" - LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" -fi +} diff --git a/ccp/modules/nngm-setup.sh b/ccp/modules/nngm-setup.sh index 3a0432f..56be949 100644 --- a/ccp/modules/nngm-setup.sh +++ b/ccp/modules/nngm-setup.sh @@ -1,8 +1,6 @@ #!/bin/bash -function nngmSetup() { - if [ -n "$NNGM_CTS_APIKEY" ]; then - log INFO "nNGM setup detected -- will start nNGM Connector." - OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml" - fi -} +if [ -n "$NNGM_CTS_APIKEY" ]; then + log INFO "nNGM setup detected -- will start nNGM Connector." + OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml" +fi diff --git a/ccp/vars b/ccp/vars index 9a0dbeb..7cfb7db 100644 --- a/ccp/vars +++ b/ccp/vars @@ -16,6 +16,5 @@ do done idManagementSetup -nngmSetup mtbaSetup adt2fhirRestSetup \ No newline at end of file From f008b18760cee01a22eaf904921c587346deb5cf Mon Sep 17 00:00:00 2001 
From: lablans Date: Tue, 24 Oct 2023 07:01:22 +0000 Subject: [PATCH 17/23] Redo proxy, set HTTPS_PROXY_HOST and HTTPS_PROXY_PORT --- lib/functions.sh | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 1dec95b..6168440 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -10,28 +10,21 @@ detectCompose() { } setupProxy() { - ### Note: As the current data protection concepts do not allow communication via HTTP, this - ### handling of a proxy for HTTP requests is commented out and will not be used - # - http="no" - # if [ $HTTP_PROXY_URL ]; then - # if [[ ! -z "$HTTP_PROXY_USERNAME" && ! -z "$HTTP_PROXY_PASSWORD" ]]; then - # proto="$(echo $HTTP_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - # fqdn="$(echo ${HTTP_PROXY_URL/$proto/})" - # HTTP_PROXY_FULL_URL="$(echo $proto$HTTP_PROXY_USERNAME:$HTTP_PROXY_PASSWORD@$fqdn)" - # http="authenticated" - # else - # HTTP_PROXY_FULL_URL=$HTTP_PROXY_URL - # http="unauthenticated" - # fi - # fi + ### Note: As the current data protection concepts do not allow communication via HTTP, + ### we are not setting a proxy for HTTP requests. - https="no" + local http="no" + local https="no" if [ $HTTPS_PROXY_URL ]; then if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then - proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" - fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" + local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" + + local hostport=$(echo $HTTPS_PROXY_URL | sed -e s,$proto,,g | cut -d/ -f1) + HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" + HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" + https="authenticated" else HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL 
@@ -39,8 +32,7 @@ setupProxy() { fi fi - log INFO "Configuring proxy servers: $http http proxy, $https https proxy" - unset http https fqdn proto + log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy" } exitIfNotRoot() { From bbfc607104c79e7fb681a8bffa9a58729b4974d9 Mon Sep 17 00:00:00 2001 From: lablans Date: Tue, 24 Oct 2023 07:07:06 +0000 Subject: [PATCH 18/23] Always define new vars --- lib/functions.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 6168440..68cd36f 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -16,15 +16,14 @@ setupProxy() { local http="no" local https="no" if [ $HTTPS_PROXY_URL ]; then + local hostport=$(echo $HTTPS_PROXY_URL | sed -e s,$proto,,g | cut -d/ -f1) + HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" + HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" - local hostport=$(echo $HTTPS_PROXY_URL | sed -e s,$proto,,g | cut -d/ -f1) - HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" - HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" - https="authenticated" else HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL From f855a198655196d030a08458d1d1037b7b236d09 Mon Sep 17 00:00:00 2001 From: lablans Date: Tue, 24 Oct 2023 07:12:18 +0000 Subject: [PATCH 19/23] Fix sed (?) --- lib/functions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 68cd36f..2e6a144 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -16,11 +16,11 @@ setupProxy() { local http="no" local https="no" if [ $HTTPS_PROXY_URL ]; then - local hostport=$(echo $HTTPS_PROXY_URL | sed -e s,$proto,,g | cut -d/ -f1) + local hostport=$(echo $HTTPS_PROXY_URL | sed -e "s,$proto,,g" | cut -d/ -f1) HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then - local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e's,^\(.*://\).*,\1,g')" + local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')" local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" From 392afb6410d10fa77db554051bde18fe87ca83a3 Mon Sep 17 00:00:00 2001 From: lablans Date: Tue, 24 Oct 2023 07:23:24 +0000 Subject: [PATCH 20/23] Fix code --- lib/functions.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index 2e6a144..4d2bb2f 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -16,6 +16,8 @@ setupProxy() { local http="no" local https="no" if [ $HTTPS_PROXY_URL ]; then + local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')" + local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" local hostport=$(echo $HTTPS_PROXY_URL | sed -e "s,$proto,,g" | cut -d/ -f1) HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" @@ -23,7 +25,6 @@ setupProxy() { local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')" local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" - https="authenticated" else HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL 
@@ -32,6 +33,7 @@ setupProxy() { fi log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy" + export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL } exitIfNotRoot() { From 699d8d6398b941dfc44a8804d6e0854d2c779b9c Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Tue, 24 Oct 2023 10:42:36 +0200 Subject: [PATCH 21/23] fix: git call --- lib/update-bridgehead.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 6c84960..bc6a5f6 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -55,7 +55,7 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTPS_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git-c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) + OUT=$(retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From d16eb6c94df3d0053a7d90c1f03e3a781a98e6c0 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Wed, 25 Oct 2023 08:47:02 +0000 Subject: [PATCH 22/23] git requires http proxy config even vor https connections --- lib/update-bridgehead.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index bc6a5f6..4a77e24 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
@@ -55,7 +55,7 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1) else log "INFO" "Git is using proxy ${HTTPS_PROXY_URL} from ${CONFFILE}" - OUT=$(retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) + OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then report_error log "Unable to update git $DIR: $OUT" From 90248b331ff18f3a04e8879057fa108d8099084f Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Wed, 25 Oct 2023 15:22:08 +0200 Subject: [PATCH 23/23] fix: adjusted the forwarding of env vars to forward proxy --- minimal/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index c0eb353..07bd4c5 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -35,8 +35,8 @@ services: image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest environment: HTTPS_PROXY: ${HTTPS_PROXY_URL} - USERNAME: ${HTTPS_PROXY_USERNAME} - PASSWORD: ${HTTPS_PROXY_PASSWORD} + HTTPS_PROXY_USERNAME: ${HTTPS_PROXY_USERNAME} + HTTPS_PROXY_PASSWORD: ${HTTPS_PROXY_PASSWORD} tmpfs: - /var/log/squid - /var/spool/squid
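Review bot: In the lib/update-bridgehead.sh hunk that precedes PATCH 15, the pull half of the new `OUT=$(...)` line reads `git-c https.proxy=$HTTPS_PROXY_FULL_URL` with the space missing, so `retry 5` will fail five times on a non-existent `git-c` command and every update behind a proxy aborts (PATCH 21 repairs this; squash it into this commit so the series never carries a broken state). Separately, `$HTTPS_PROXY_FULL_URL` embeds `username:password@` and is passed as a command-line argument, which makes the proxy credentials readable by any local user through `ps` or `/proc/*/cmdline` while git runs; git also honours the `https_proxy` environment variable, so setting it only for the git invocation (`https_proxy="$HTTPS_PROXY_FULL_URL" retry 5 git -C $DIR fetch`) keeps the secret out of argv. The `log` line correctly prints `${HTTPS_PROXY_URL}` rather than the credentialed URL; keep that distinction.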
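Review bot: In the PATCH 15 hunk for ccp/modules/adt2fhir-rest-setup.sh, the salt derivation `LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey ... | base64 | head -c 30)"` is only stable across runs if the site key is RSA (PKCS#1 v1.5 signatures are deterministic); with an EC key every invocation yields a different signature and therefore a different `SALT` for the container, which would change pseudonyms between restarts. Either assert the key type here or document the RSA assumption next to the line. Also note that `echo \"...\"` feeds the literal quote characters and a trailing newline into the signature input, that `LOCAL_SALT` is assigned but not exported, so `${LOCAL_SALT}` in adt2fhir-rest-compose.yml will be empty unless the caller runs with `set -a`, and that `[ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]` is more readable as `[ -z ... ]`. The error message "Fix this by setting up ID Management:" ends in a colon with nothing after it.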
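Review bot: In the PATCH 15 hunk for ccp/vars, `adt2fhirRestSetup` is added as a call, but the adt2fhir-rest-setup.sh introduced in the same patch is top-level code, not a function, so sourcing it runs the check immediately (its `exit 1` would terminate the sourcing shell when the API key is missing) and the later call fails with "command not found". PATCH 16 wraps the file in `function adt2fhirRestSetup()`; fold that into this commit. In PATCH 16's hunks for ccp/modules/nngm-setup.sh and ccp/vars, the opposite change is made for nNGM: the `nngmSetup` function is unwrapped into top-level code and its call is removed from ccp/vars, while id-management, mtba and adt2fhir keep the function pattern. The commit message "fix bash logic" does not explain why; keeping all modules as functions called from ccp/vars is the consistent choice.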
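Review bot: In the PATCH 17 hunk for lib/functions.sh, `HTTPS_PROXY_HOST` and `HTTPS_PROXY_PORT` are computed only inside the authenticated branch, so an unauthenticated proxy leaves them unset (PATCH 18 moves them out, fold it in). The port extraction `sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g'` misbehaves when the URL has no explicit port: the first two expressions do not match, and the last one strips every non-digit from the hostname, so `proxy1.example` yields `HTTPS_PROXY_PORT=1`. Check for a colon in `$hostport` first and leave the port empty (or fail loudly) when none is present. Dropping `unset http https fqdn proto` in favour of `local` is fine, but `HTTPS_PROXY_FULL_URL` carrying `username:password@` stays global and is exported in PATCH 20, so every child process spawned afterwards inherits the credential; export only what the consumers need.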
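Review bot: In the PATCH 18 hunk for lib/functions.sh, `local hostport=$(echo $HTTPS_PROXY_URL | sed -e s,$proto,,g | cut -d/ -f1)` is moved above the `local proto=...` definition, so `$proto` is empty at that point, the sed expression becomes `s,,,g` ("no previous regular expression") and `HTTPS_PROXY_HOST`/`HTTPS_PROXY_PORT` come out empty for every proxy configuration. PATCH 20 adds `proto` and `fqdn` before the parsing but leaves the original `local proto` and `local fqdn` lines inside the authenticated branch (visible as context in its second hunk at @@ -23,7 +25,6 @@); delete the duplicates. The same PATCH 20 hunk removes `https="authenticated"` without a replacement, so the status line `log INFO "Configuring proxy servers: $http http proxy ..., $https https proxy"` now reports the initial `no` for an authenticated proxy; restore the assignment.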
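Review bot: In the PATCH 23 hunk for minimal/docker-compose.yml, renaming `USERNAME`/`PASSWORD` to `HTTPS_PROXY_USERNAME`/`HTTPS_PROXY_PASSWORD` only helps if those are the names the bridgehead-forward-proxy image actually reads; the diff cannot show that, so reference the image's documentation in the commit message. Independently of the names, the proxy password is handed to the container as a plain environment variable, which is visible via `docker inspect` to everyone in the docker group and persisted in the container's config; a Docker secret or a file mounted with restricted permissions would limit that exposure. Passing `HTTPS_PROXY: ${HTTPS_PROXY_URL}` (the URL without embedded credentials) is the right split; keep the credentialed `HTTPS_PROXY_FULL_URL` out of this service definition.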