verbis-admin/bridgehead
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #51 from samply/refactor/directoryNames

Browse Source 
refactor: Changed Paths for persistent Data
This commit is contained in:
Torben Brenner
2023-02-07 16:27:50 +01:00
committed by GitHub
parent 4efe356005 2445a59785
commit 73b1993628
7 changed files with 53 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -128,8 +128,6 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
- `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access). - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
- `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam). - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
- `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here. - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
- `/var/data/bridgehead` contains persistent data of the bridgehead
- `/var/data/bridgehead/backups` contains automatically created backups of the databases.
Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`. Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
@@ -148,6 +146,8 @@ Some of the components in the bridgehead will store persistent data. For those c
2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week 2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week
3) Year-Month, to allow re-import of at least one version per month 3) Year-Month, to allow re-import of at least one version per month
To enable the Auto-Backup feature, please set the Variable `BACKUP_DIRECTORY` in your sites configuration.
### Monitoring ### Monitoring
To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring

32
ccp/modules/id-management-compose.yml
View File

@@ -31,30 +31,7 @@ services:
- ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
- ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
# Add Variables from /etc/patientlist-id-generators.env # Add Variables from /etc/patientlist-id-generators.env
- ML_BK_IDGENERATOR_RANDOM_1 - PATIENTLIST_SEEDS_TRANSFORMED
- ML_BK_IDGENERATOR_RANDOM_2
- ML_BK_IDGENERATOR_RANDOM_3
- ML_MDS_IDGENERATOR_RANDOM_1
- ML_MDS_IDGENERATOR_RANDOM_2
- ML_MDS_IDGENERATOR_RANDOM_3
- ML_DKTK000001985_IDGENERATOR_RANDOM_1
- ML_DKTK000001985_IDGENERATOR_RANDOM_2
- ML_DKTK000001985_IDGENERATOR_RANDOM_3
- ML_DKTK000001986_IDGENERATOR_RANDOM_1
- ML_DKTK000001986_IDGENERATOR_RANDOM_2
- ML_DKTK000001986_IDGENERATOR_RANDOM_3
- ML_DKTK000001950_IDGENERATOR_RANDOM_1
- ML_DKTK000001950_IDGENERATOR_RANDOM_2
- ML_DKTK000001950_IDGENERATOR_RANDOM_3
- ML_DKTK000001951_IDGENERATOR_RANDOM_1
- ML_DKTK000001951_IDGENERATOR_RANDOM_2
- ML_DKTK000001951_IDGENERATOR_RANDOM_3
- ML_DKTK999999999_IDGENERATOR_RANDOM_1
- ML_DKTK999999999_IDGENERATOR_RANDOM_2
- ML_DKTK999999999_IDGENERATOR_RANDOM_3
- ML_DKTK000002089_IDGENERATOR_RANDOM_1
- ML_DKTK000002089_IDGENERATOR_RANDOM_2
- ML_DKTK000002089_IDGENERATOR_RANDOM_3
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)" - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
@@ -71,6 +48,9 @@ services:
POSTGRES_DB: "mainzelliste" POSTGRES_DB: "mainzelliste"
POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD} POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
volumes: volumes:
- "/var/data/bridgehead/patientlist:/var/lib/postgresql/data" - "patientlist-db-data:/var/lib/postgresql/data"
# NOTE: Add backups here. This is only imported if /var/data/bridgehead/patientlist/ is empty!!! # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
- "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/" - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
volumes:
patientlist-db-data:

6
ccp/modules/id-management-setup.sh
View File

@@ -6,11 +6,11 @@ function idManagementSetup() {
OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
# Auto Generate local Passwords # Auto Generate local Passwords
PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
# Source the ID Generators Configuration # Transform Seeds Configuration to pass it to the Mainzelliste Container
source /etc/bridgehead/patientlist-id-generators.env PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')"
# Ensure old ids are working !!! # Ensure old ids are working !!!
legacyIdMapping legacyIdMapping

8
ccp/modules/id-management.md
View File

@@ -16,17 +16,19 @@ IDMANAGER_SEEDS_BK="<three-numbers>"
IDMANAGER_SEEDS_MDS="<three-numbers>" IDMANAGER_SEEDS_MDS="<three-numbers>"
IDMANAGER_SEEDS_DKTK000001985="<three-numbers>" IDMANAGER_SEEDS_DKTK000001985="<three-numbers>"
``` ```
> NOTE: Additionally, the CCP-IT adds lines declaring the `PATIENTLIST_SEEDS` array in your site configuration. This will contain the seeds for the different id-generators used in all projects.
Once your Bridgehead is updated and restarted, you're all set! Once your Bridgehead is updated and restarted, you're all set!
## Additional information you may want to know ## Additional information you may want to know
### Services ### Services
Upon configuration, the Bridgehead will spawn the following services: Upon configuration, the Bridgehead will spawn the following services:
- The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead. - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
- The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects. - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`. - The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data`.
### How to import an existing database (e.g from Legacy Windows or from Backups) ### How to import an existing database (e.g from Legacy Windows or from Backups)
First you must shutdown your local bridgehead instance: First you must shutdown your local bridgehead instance:
@@ -36,10 +38,10 @@ systemctl stop bridgehead@ccp
Next you need to remove the current patientlist database: Next you need to remove the current patientlist database:
``` ```
rm -rf /var/data/bridgehead/patientlist docker volume rm patientlist-db-data;
``` ```
Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/data/bridgehead/patientlist is empty. Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then the volume `patientlist-db-data` was removed previously.
> NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL). > NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
After this, you can restart your bridgehead and the dump will be imported: After this, you can restart your bridgehead and the dump will be imported:

5
ccp/mtba-compose.yml
View File

@@ -24,10 +24,13 @@ services:
- "traefik.http.routers.mtba.tls=true" - "traefik.http.routers.mtba.tls=true"
volumes: volumes:
# This directory persists the FHIR Resources that are needed to import data into blaze. # This directory persists the FHIR Resources that are needed to import data into blaze.
- /var/data/bridgehead/mtba:/app/mtba-files/persist - mtba-data:/app/mtba-files/persist
# Place new import files in this directory # Place new import files in this directory
- /tmp/bridgehead/mtba/:/app/mtba-files/input - /tmp/bridgehead/mtba/:/app/mtba-files/input
# TODO: Include CBioPortal in Deployment ... # TODO: Include CBioPortal in Deployment ...
# NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted! # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
# TODO: Find a trigger to let mtba signal a restart for CBioPortal # TODO: Find a trigger to let mtba signal a restart for CBioPortal
volumes:
mtba-data:

8
lib/install-bridgehead.sh
View File

@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
/bin/systemctl stop bridgehead@${PROJECT}.service, \\ /bin/systemctl stop bridgehead@${PROJECT}.service, \\
/bin/systemctl restart bridgehead@${PROJECT}.service, \\ /bin/systemctl restart bridgehead@${PROJECT}.service, \\
/bin/systemctl restart bridgehead@*.service, \\ /bin/systemctl restart bridgehead@*.service, \\
/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\ /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
/usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
EOF EOF
@@ -37,10 +37,6 @@ if [ -z "$LDM_PASSWORD" ]; then
echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
fi fi
log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data."
mkdir -p /var/data/bridgehead
chown -R bridgehead /var/data/bridgehead
log "INFO" "Registering system units for bridgehead and bridgehead-update" log "INFO" "Registering system units for bridgehead and bridgehead-update"
cp -v \ cp -v \
lib/systemd/bridgehead\@.service \ lib/systemd/bridgehead\@.service \

70
lib/update-bridgehead.sh
View File

@@ -1,45 +1,6 @@
#!/bin/bash #!/bin/bash
source lib/functions.sh source lib/functions.sh
AUTO_BACKUP=${AUTO_BACKUP:-true}
if [ "$AUTO_BACKUP" == "true" ]; then
BACKUP_DIRECTORY="/var/data/bridgehead/backups"
if [ ! -d /var/data ]; then
log DEBUG "Created /var/data"
mkdir /var/data
fi
if [ ! -d /var/data/bridgehead ]; then
log DEBUG "Created /var/data/bridgehead"
mkdir /var/data/bridgehead
fi
if [ ! -d $BACKUP_DIRECTORY ]; then
message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
mkdir -p $BACKUP_DIRECTORY
fi
BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
for service in $BACKUP_SERVICES; do
if [ ! -d $BACKUP_DIRECTORY/$service ]; then
message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
mkdir -p $BACKUP_DIRECTORY/$service
fi
if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
else
fail_and_report 5 "Failed to create encrypted update for $service"
fi
done
else
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
fi
AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true} AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
if [ "$AUTO_HOUSEKEEPING" == "true" ]; then if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
@@ -142,6 +103,37 @@ else
hc_send log "$RES" hc_send log "$RES"
fi fi
if [ -z "${BACKUP_DIRECTORY}" ]; then
if [ ! -d "$BACKUP_DIRECTORY" ]; then
message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
mkdir -p "$BACKUP_DIRECTORY"
chown -R "$BACKUP_DIRECTORY" bridgehead;
fi
checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)"
# Collect all container names that contain '-db'
BACKUP_SERVICES="$(docker ps --filter name=-db --format "{{.Names}}" | tr "\n" "\ ")"
log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
for service in $BACKUP_SERVICES; do
if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then
message="Performing automatic maintenance: Attempting to create backup directory for $service in $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
mkdir -p "$BACKUP_DIRECTORY/$service"
fi
if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
message="Performing automatic maintenance: Stored encrypted backup for $service in $BACKUP_DIRECTORY."
hc_send log "$message"
log INFO "$message"
else
fail_and_report 5 "Failed to create encrypted update for $service"
fi
done
else
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
fi
exit 0 exit 0
# TODO: Print last commit explicit # TODO: Print last commit explicit