diff --git a/bridgehead b/bridgehead index c39e1ae..20616e6 100755 --- a/bridgehead +++ b/bridgehead @@ -44,7 +44,7 @@ esac case "$ACTION" in start) checkRequirements - fetchVarsFromVault /etc/bridgehead/$PROJECT.conf || exit 1 + fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1 exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up ;; stop) diff --git a/lib/functions.sh b/lib/functions.sh index e2db02c..3d5a88f 100755 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -7,6 +7,15 @@ exitIfNotRoot() { fi } +checkOwner(){ + COUNT=$(find $1 ! -user $2 |wc -l) + if [ $COUNT -gt 0 ]; then + log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue." + return 1 + fi + return 0 +} + log() { echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2" } @@ -26,20 +35,6 @@ checkRequirements() { } fetchVarsFromVault() { - VARS_TO_FETCH="" - - for line in $(cat $@); do - if [[ $line =~ .*=\.* ]]; then - VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') " - fi - done - - if [ -z "$VARS_TO_FETCH" ]; then - return 0 - fi - - log "INFO" "Fetching secrets from vault ..." - [ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then @@ -49,7 +44,7 @@ fetchVarsFromVault() { set +e - PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH) + PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@) RET=$? if [ $RET -ne 0 ]; then 
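Review bot: `checkOwner` reports success when `$1` does not exist: `find` fails with a message on stderr, `wc -l` prints 0, and the function returns 0, so callers that gate on `checkOwner ... || exit 1` proceed past a missing directory as if its ownership had been verified. Add an existence check before counting, e.g. `[ -d "$1" ] || { log ERROR "$1 does not exist."; return 1; }`, and quote the expansions (`find "$1" ! -user "$2" | wc -l`) so a path with spaces is not split. `COUNT` is also assigned as a global; `local COUNT` keeps it from leaking into the caller's scope.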
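Review bot: With `VARS_TO_FETCH` removed from `fetchVarsFromVault`, the early return for an empty variable list is gone too, so a call with no arguments now starts the vaultfetcher container with no names at all; what the image does with an empty list is not visible here. Add `[ $# -eq 0 ] && return 0` at the top of the function (its start and its error handling lie outside this hunk) and pass the names as `"$@"` rather than the unquoted `$@` in the `docker run` line. `fetchVarsFromVaultByFile` happens to guard the empty case today, but `gitpassword.sh` and any future caller invoke `fetchVarsFromVault` directly.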
@@ -65,6 +60,43 @@ fetchVarsFromVault() { return 0 } +fetchVarsFromVaultByFile() { + VARS_TO_FETCH="" + + for line in $(cat $@); do + if [[ $line =~ .*=[\"]*\[\"]*.* ]]; then + VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') " + fi + done + + if [ -z "$VARS_TO_FETCH" ]; then + return 0 + fi + + log INFO "Fetching $(echo $VARS_TO_FETCH | wc -w) secrets from Vault ..." + + fetchVarsFromVault $VARS_TO_FETCH + + return 0 +} + +assertVarsNotEmpty() { + MISSING_VARS="" + + for VAR in $@; do + if [ -z "${!VAR}" ]; then + MISSING_VARS+="$VAR " + fi + done + + if [ -n "$MISSING_VARS" ]; then + log "ERROR" "Mandatory variables not defined: $MISSING_VARS" + return 1 + fi + + return 0 +} + ##Setting Network properties export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'); export HOST=$(hostname) diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh new file mode 100755 index 0000000..25eb9ce --- /dev/null +++ b/lib/gitpassword.sh 
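Review bot: `fetchVarsFromVaultByFile` ends with an unconditional `return 0` after `fetchVarsFromVault $VARS_TO_FETCH`, so the `|| exit 1` that `bridgehead` attaches to it never fires and a failed secret fetch still falls through to `docker-compose up` with the placeholders unresolved. Make the fetch the last statement so its status propagates, or write `fetchVarsFromVault $VARS_TO_FETCH` followed by `return $?` if the explicit return is preferred. The `for line in $(cat $@)` loop also word-splits every line, so a value containing whitespace yields spurious tokens that are then tested against the regex; `while IFS= read -r line; do ...; done < "$1"` keeps each line intact. The exact regex selecting placeholder lines appears garbled in this rendering and is not reviewed here.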
@@ -0,0 +1,42 @@ +#!/bin/bash + +if [ "$1" != "get" ]; then + echo "Usage: $0 get" + exit 1 +fi + +baseDir() { + # see https://stackoverflow.com/questions/59895 + SOURCE=${BASH_SOURCE[0]} + while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd ) + SOURCE=$(readlink "$SOURCE") + [[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located + done + DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd ) + echo $DIR +} + +BASE=$(baseDir) +cd $BASE + +source lib/functions.sh + +assertVarsNotEmpty SITE_ID || exit 1 + +PARAMS="$(cat)" +GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g') + +fetchVarsFromVault GIT_PASSWORD + +if [ -z "${GIT_PASSWORD}" ]; then + log ERROR "Git password not found." + exit 1 +fi + +cat </dev/null; then log ERROR "User bridgehead does not exist. Please consult readme for installation." exit 1 fi -checkOwner . bridgehead -checkOwner /etc/bridgehead bridgehead +checkOwner . bridgehead || exit 1 +checkOwner /etc/bridgehead bridgehead || exit 1 ## Check if user is a su log INFO "Checking if all prerequisites are met ..." diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 2b06687..b6cd317 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
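Review bot: `gitpassword.sh` extracts `GITHOST` from the credential request on stdin but, in the lines visible here, never compares it to anything before handing out `GIT_PASSWORD`; since git invokes the configured helper for every remote, a changed remote URL (e.g. via a pulled `.gitmodules` or an edited `.git/config`) would receive the vault password. Gate the output on the expected host, e.g. `[ "$GITHOST" = "$EXPECTED_GIT_HOST" ] || exit 1` placed before the `cat` heredoc, with the expected host coming from the site configuration — the heredoc and the end of this file are garbled in this rendering, so if such a check already exists there, disregard. Separately, `log` writes to stdout (`echo -e ...` in `functions.sh`), and a credential helper's stdout is parsed by git as `key=value` output, so the error path should be `log ERROR "Git password not found." >&2` to keep diagnostics out of the protocol stream.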
@@ -1,10 +1,30 @@ #!/bin/bash source lib/functions.sh -log "INFO" "Checking for updates of services" +CONFFILE=/etc/bridgehead/$1.conf + +if [ ! -e $CONFFILE ]; then + log ERROR "Configuration file $CONFFILE not found." + exit 1 +fi + +source $CONFFILE + +assertVarsNotEmpty SITE_ID || exit 1 +export SITE_ID + +checkOwner . bridgehead || exit 1 +checkOwner /etc/bridgehead bridgehead || exit 1 + +CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh" # Check git updates for DIR in /etc/bridgehead $(pwd); do + log "INFO" "Checking for updates to git repo $DIR ..." + if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then + log "INFO" "Configuring repo to use bridgehead git credential helper." + git -C $DIR config credential.helper "$CREDHELPER" + fi old_git_hash="$(git -C $DIR rev-parse --verify HEAD)" git -C $DIR fetch 2>&1 git -C $DIR pull 2>&1 @@ -30,6 +50,7 @@ for DIR in /etc/bridgehead $(pwd); do done # Check docker updates +log "INFO" "Checking for updates to running docker images ..." docker_updated="false" for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do log "INFO" "Checking for Updates of Image: $IMAGE" @@ -41,10 +62,12 @@ done # If anything is updated, restart service if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then - log "INFO" "Due to previous updates now restarting bridgehead" + log "INFO" "Update detected, now restarting bridgehead" systemctl restart 'bridgehead@*' +else + log "INFO" "Nothing updated, nothing to restart." fi -log "INFO" "checking updates finished" + exit 0 # TODO: Print last commit explicit
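Review bot: `source $CONFFILE` runs before `checkOwner /etc/bridgehead bridgehead || exit 1`, so the ownership check comes too late to protect the step it exists for — whatever is in `/etc/bridgehead/$1.conf` has already been executed as the updater's user by the time ownership is verified. Move both `checkOwner` calls above the `source` line, and since `$1` is interpolated straight into the path, reject an empty or path-like argument first: `case "$1" in ''|*/*|*..*) log ERROR "Invalid project name: $1"; exit 1;; esac`. `CREDHELPER` is also a hard-coded absolute path while the rest of the script works from `$(pwd)`; deriving it from the checkout (`CREDHELPER="$(pwd)/lib/gitpassword.sh"`) keeps the two consistent, though the install location may be fixed by the deployment, which I cannot confirm from this hunk.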