bridgehead/lib/update-bridgehead.sh

#!/bin/bash
source lib/functions.sh

AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}

if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
	A="Performing automatic maintenance: "
	if bk_is_running; then
		A="$A Cleaning docker images."
		docker system prune -a -f
	else
		A="$A Not cleaning docker images since BK is not running."
	fi
	hc_send log "$A"
	log INFO "$A"
else
	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
fi

hc_send log "Checking for bridgehead updates ..."

CONFFILE=/etc/bridgehead/$PROJECT.conf

if [ ! -e $CONFFILE ]; then
  fail_and_report 1 "Configuration file $CONFFILE not found."
fi

source $CONFFILE

assertVarsNotEmpty SITE_ID || fail_and_report 1 "Update failed: SITE_ID empty"
export SITE_ID

checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"

secret_sync_gitlab_token

CHANGES=""

# Check git updates
git_updated="false"
for DIR in /etc/bridgehead $(pwd); do
  log "INFO" "Checking for updates to git repo $DIR ..."
  OUT="$(git -C $DIR status --porcelain)"
  if [ -n "$OUT" ]; then
    report_error log "The working directory $DIR is modified. Changed files: $OUT"
  fi
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
    log "INFO" "Git is using no proxy!"
    OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1)
  else
    log "INFO" "Git is using proxy ${HTTPS_PROXY_URL} from ${CONFFILE}"
    OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
  fi
  if [ $? -ne 0 ]; then
    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
    report_error log "Unable to update git $DIR: $OUT_SAN"
  fi

  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ "$old_git_hash" != "$new_git_hash" ]; then
    CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
    CHANGES+="- $CHANGE\n"
    log "INFO" "$CHANGE"
    # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
    # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
    git_repository_url="$(git -C $DIR remote get-url origin)"
    git_repository_url=${git_repository_url/.git/}
    if [ "$( echo $git_repository_url | grep "github.com")" ]; then
      # Ensure web link even if ssh is used
      git_repository_url="${git_repository_url/git@github.com/https:\/\/github.com\/}"
      log "INFO" "You can review all changes on the repository with $git_repository_url/compare/$old_git_hash...$new_git_hash"
    elif [ "$( echo $git_repository_url | grep "git.verbis.dkfz.de")" ]; then
      git_repository_url="${git_repository_url/ssh:\/\/git@git.verbis.dkfz.de/https:\/\/git.verbis.dkfz.de\/}"
      git_repository_url="https://$(echo $git_repository_url | awk -F '@' '{print $2}')"
      log "INFO" "You can review all changes on the repository with $git_repository_url/compare?from=$old_git_hash&to=$new_git_hash"
    fi
    git_updated="true"
  fi
done

# Check docker updates
log "INFO" "Checking for updates to running docker images ..."
docker_updated="false"
for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
  log "INFO" "Checking for Updates of Image: $IMAGE"
  if docker pull $IMAGE | grep "Downloaded newer image"; then
    CHANGE="Image $IMAGE updated."
    CHANGES+="- $CHANGE\n"
    log "INFO" "$CHANGE"
    docker_updated="true"
  fi
done

# If anything is updated, restart service
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
  RES="Updates detected, now restarting bridgehead:\n$CHANGES"
  log "INFO" "$RES"
  hc_send log "$RES"
  sudo /bin/systemctl restart bridgehead@*.service
else
  RES="Nothing updated, nothing to restart."
  log "INFO" "$RES"
  hc_send log "$RES"
fi

if [ -n "${BACKUP_DIRECTORY}" ]; then
  if [ ! -d "$BACKUP_DIRECTORY" ]; then
    message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY."
    hc_send log "$message"
    log INFO "$message"
    mkdir -p "$BACKUP_DIRECTORY"
    chown -R "$BACKUP_DIRECTORY" bridgehead;
  fi
  checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $BACKUP_DIRECTORY"
  # Collect all container names that contain '-db'
  BACKUP_SERVICES="$(docker ps --filter name=-db --format "{{.Names}}" | tr "\n" "\ ")"
  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
  for service in $BACKUP_SERVICES; do
    if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then
      message="Performing automatic maintenance: Attempting to create backup directory for $service in $BACKUP_DIRECTORY."
      hc_send log "$message"
      log INFO "$message"
      mkdir -p "$BACKUP_DIRECTORY/$service"
    fi
    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
      message="Performing automatic maintenance: Stored encrypted backup for $service in $BACKUP_DIRECTORY."
      hc_send log "$message"
      log INFO "$message"
    else
      fail_and_report 5 "Failed to create encrypted update for $service"
    fi
  done
else
  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
fi

#TODO: the following block can be deleted after successful update at all sites
if [ ! -z "$LDM_PASSWORD" ]; then
  FILE="/etc/bridgehead/$PROJECT.local.conf"
  log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
  add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
  add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT
  sed -i "/LDM_PASSWORD/{d;}" $FILE
fi

exit 0

# TODO: Print last commit explicit