Merge pull request #6 from samply/martinsFixes

Housekeeping and script hardening in /srv/docker/bridgehead
This commit is contained in:
patrickskowronekdkfz 2022-05-10 09:17:25 +02:00 committed by GitHub
commit 95b2fdae08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 122 additions and 99 deletions

70
bridgehead Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash -e
baseDir() {
# see https://stackoverflow.com/questions/59895
SOURCE=${BASH_SOURCE[0]}
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
SOURCE=$(readlink "$SOURCE")
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
echo $DIR
}
BASE=$(baseDir)
cd $BASE
source ./lib/functions.sh
action=$1
project=$2
if [[ -z $1 || -z $2 ]]; then
printUsage
exit 1
fi
case "$project" in
ccp)
#nothing extra to do
;;
nngm)
#nothing extra to do
;;
gbn)
#nothing extra to do
;;
*)
printUsage
exit 1
;;
esac
source /etc/bridgehead/site.conf
case "$action" in
start)
checkRequirements
./lib/generate-landingpage.sh
exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env up
;;
stop)
exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env down
;;
update)
exec ./lib/update-bridgehead.sh $project
;;
install)
exec ./lib/setup-bridgehead-units.sh $project
;;
uninstall)
exec ./lib/remove-bridgehead-units.sh $project
;;
*)
printUsage
exit 1
;;
esac
exit 0

View File

@ -41,7 +41,7 @@ services:
container_name: bridgehead-landingpage
image: nginx:stable
volumes:
- ../landing/:/usr/share/nginx/html
- ../landing/:/usr/share/nginx/html:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)"
@ -68,7 +68,7 @@ services:
- "traefik.http.routers.blaze_ccp.tls=true"
ccp-search-share:
image: "ghcr.io/samply/dktk-fed-search-share:main"
image: "samply/dktk-fed-search-share"
container_name: bridgehead-ccp-share
environment:
APP_BASE_URL: "http://dktk-fed-search-share:8080"
@ -102,4 +102,4 @@ services:
volumes:
blaze-data:
bridgehead-proxy:
ccp-search-share-db-data:
ccp-search-share-db-data:

View File

@ -1,3 +0,0 @@
#!/bin/bash
useradd --home-dir /srv/docker/bridgehead -g docker -N -u 317 -s /sbin/nologin

View File

@ -10,3 +10,16 @@ exitIfNotRoot() {
log() {
echo "$(date +'%Y-%m-%d %T')" "$1:" "$2"
}
printUsage() {
echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
}
checkRequirements() {
if ! lib/prerequisites.sh; then
log ERROR "Validating Prerequisites failed, please fix the error(s) above this line."
exit 1
else
return 0
fi
}

View File

@ -2,9 +2,19 @@
source lib/functions.sh
## Check for file permissions
if ! id "bridgehead" &>/dev/null; then
log ERROR "User bridgehead does not exist. Please consult readme for installation."
exit 1
fi
COUNT=$(find . ! -user bridgehead |wc -l)
if [ $COUNT -gt 0 ]; then
log ERROR "$COUNT files in $(pwd) are not owned by user bridgehead. Run find $(pwd) ! -user bridgehead to see them, chown -R bridgehead $(pwd) to correct this issue."
exit 1
fi
## Check if user is a su
log "Welcome to the starting a bridgehead. We will get your instance up and running in no time"
log "First we will check if all prerequisites are met ..."
log INFO "Checking if all prerequisites are met ..."
prerequisites="git docker docker-compose"
for prerequisite in $prerequisites; do
$prerequisite --version 2>&1
@ -16,54 +26,49 @@ for prerequisite in $prerequisites; do
# TODO: Check for specific version
done
log "Checking /etc/bridgehead/"
log INFO "Checking configuration ..."
## Download submodule
if [ ! -d "/etc/bridgehead/" ]; then
log "Please set up the config folder. Instruction are in the readme."
log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
exit 1
else
log "Done"
fi
log "Checking /etc/bridgehead/site.conf"
#check if site.conf is created
if [ ! -f /etc/bridgehead/site.conf ]; then
log "Please create your specific site.conf file from the site.dev.conf"
log ERROR "Please create your specific site.conf file from the site.dev.conf"
exit 1
else
log "Done"
fi
#Load site specific variables
source /etc/bridgehead/site.conf
# TODO: Check all required variables here in a generic loop
if [ -z "$site_name" ]; then
log "Please set site_name"
log ERROR "Please set site_name."
exit 1
fi
log "Checking project config"
#check if project env is present
if [ -d "/etc/bridgehead/${project}.env" ]; then
log "Please copy the tempalte from ${project} and put it in the /etc/bridgehead-config/ folder"
log ERROR "Project config not found. Please copy the template from ${project} and put it under /etc/bridgehead-config/${project}.env."
exit 1
else
log "Done"
fi
log "Checking ssl cert"
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
## Create SSL Cert
if [ ! -d "/certs" ]; then
log "SSL cert missing, now we create one. Please consider getting a signed one"
mkdir certs
log INFO "Checking ssl cert"
if [ ! -d "certs" ]; then
log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
mkdir -p certs
fi
if [ -d "certs/traefik.crt" ]; then
if [ -e "/etc/bridgehead/traefik.crt" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 365
fi
log "All prerequisites are met!"
log INFO "Success - all prerequisites are met!"
exit 0

View File

@ -14,10 +14,7 @@ fi
export project=$1
if ! ./lib/prerequisites.sh; then
log "Prerequisites failed, exiting"
exit 1
fi
#checkRequirements // not needed when uninstalling
log "Stopping systemd services and removing bridgehead ..."

View File

@ -16,10 +16,7 @@ fi
export project=$1
if ! ./lib/prerequisites.sh; then
log "Prerequisites failed, exiting"
exit 1
fi
checkRequirements
echo -e "\nInstalling systemd units ..."
cp -v \

View File

@ -4,9 +4,7 @@ Description=Bridgehead (%i) Update Service
[Service]
Type=oneshot
User=bridgehead
WorkingDirectory=/srv/docker/bridgehead/
ExecStart=/srv/docker/bridgehead/update-bridgehead.sh %i
ExecStart=/srv/docker/bridgehead/bridgehead update %i
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target

View File

@ -5,12 +5,8 @@ Description=Bridgehead (%i) Service
User=bridgehead
Restart=always
RestartSec=30
WorkingDirectory=/srv/docker/bridgehead/
ExecStartPre=exec /srv/docker/bridgehead/stop-bridgehead.sh %i
ExecStart=exec /srv/docker/bridgehead/start-bridgehead.sh %i
ExecStop=exec /srv/docker/bridgehead/stop-bridgehead.sh %i
ExecStart=/srv/docker/bridgehead/bridgehead start %i
ExecStop=/srv/docker/bridgehead/bridgehead stop %i
[Install]
WantedBy=multi-user.target

View File

@ -3,10 +3,7 @@ service="bridgehead"
source lib/functions.sh
if ! lib/prerequisites.sh; then
log "Prerequisites failed, exiting"
exit
fi
#checkRequirements // not required for mere update
log "INFO" "Checking for updates of $service"
# check prerequisites

View File

@ -1,29 +0,0 @@
#!/bin/bash
source lib/functions.sh
if [ $# -eq 0 ]; then
log "Please provide a Project as argument"
exit 1
fi
if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
log "Please provide a supported project like ccp, gbn or nngm"
exit 1
fi
export project=$1
if ! lib/prerequisites.sh; then
log "Validating Prerequisites failed, please fix the occurring error"
exit 1
fi
source /etc/bridgehead/site.conf
####./lib/generate.sh
log "Starting bridgehead"
docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env up -d
log "The bridgehead should be in online in a few seconds"

View File

@ -1,18 +0,0 @@
#!/bin/bash -e
source lib/functions.sh
if [ $# -eq 0 ]; then
log "Please provide a Project as argument"
exit 1
fi
if [ $1 != "ccp" ] && [$1 != "nngm"] && [ $1 != "gbn" ]; then
log "Please provide a supported project like ccp, gbn or nngm"
exit 1
fi
log "Stopping bridgehead"
# TODO: Check $1 for proper values
docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env down