From 334f82661b39faa40ee1143d53960c3034299707 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Mon, 9 May 2022 15:13:38 +0200
Subject: [PATCH 1/2] Housekeeping and script hardening in /srv/docker/bridgehead. Existing installations need to run bridgehead uninstall, bridgehead install.

---
bridgehead | 70 +++++++++++++++++++
ccp/docker-compose.yml | 4 +-
configure-bridgehead.sh | 3 -
lib/functions.sh | 13 ++++
lib/{generate.sh => generate-landingpage.sh} | 0
lib/prerequisites.sh | 54 +++++++------
lib/remove-bridgehead-units.sh | 5 +-
lib/setup-bridgehead-units.sh | 5 +-
lib/systemd/bridgehead-update@.service | 6 +-
lib/systemd/bridgehead@.service | 10 +-
.../update-bridgehead.sh | 5 +-
start-bridgehead.sh | 31 -------
stop-bridgehead.sh | 18 -----
13 files changed, 123 insertions(+), 101 deletions(-)
create mode 100755 bridgehead
delete mode 100644 configure-bridgehead.sh
rename lib/{generate.sh => generate-landingpage.sh} (100%)
rename update-bridgehead.sh => lib/update-bridgehead.sh (91%)
delete mode 100755 start-bridgehead.sh
delete mode 100755 stop-bridgehead.sh

diff --git a/bridgehead b/bridgehead
new file mode 100755
index 0000000..c9ba952
--- /dev/null
+++ b/bridgehead
@@ -0,0 +1,70 @@
+#!/bin/bash -e
+
+baseDir() {
+ # see https://stackoverflow.com/questions/59895
+ SOURCE=${BASH_SOURCE[0]}
+ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+ DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+ SOURCE=$(readlink "$SOURCE")
+ [[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+ done
+ DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+ echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source ./lib/functions.sh
+
+action=$1
+project=$2
+
+if [[ -z $1 || -z $2 ]]; then
+ printUsage
+ exit 1
+fi
+
+case "$project" in
+ ccp)
+ #nothing extra to do
+ ;;
+ nngm)
+ #nothing extra to do
+ ;;
+ gbn)
+ #nothing extra to do
+ ;;
+ *)
+ printUsage
+ exit 1
+ ;;
+esac
+
+source /etc/bridgehead/site.conf
+
+case "$action" in
+ start)
+ checkRequirements
+ ./lib/generate-landingpage.sh
+ exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env up
+ ;;
+ stop)
+ exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env down
+ ;;
+ update)
+ exec ./lib/update-bridgehead.sh $project
+ ;;
+ install)
+ exec ./lib/setup-bridgehead-units.sh $project
+ ;;
+ uninstall)
+ exec ./lib/remove-bridgehead-units.sh $project
+ ;;
+ *)
+ printUsage
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index b374ad7..1118e1e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -41,7 +41,7 @@ services:
 container_name: bridgehead-landingpage
 image: nginx:stable
 volumes:
- - ../landing/:/usr/share/nginx/html
+ - ../landing/:/usr/share/nginx/html:ro
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
@@ -102,4 +102,4 @@ services:
 volumes:
 blaze-data:
 bridgehead-proxy:
- ccp-search-share-db-data:
\ No newline at end of file
+ ccp-search-share-db-data:
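Review bot: `source /etc/bridgehead/site.conf` runs before the `start)` arm reaches `checkRequirements`, so when the file is missing the script dies on the unchecked `source` (via the shebang's `-e`) and never reaches the "Please create your specific site.conf" diagnostic that lib/prerequisites.sh was written to give; moving the `source` into `start)` after `checkRequirements`, or guarding it with `[[ -r /etc/bridgehead/site.conf ]] || { log ERROR "Missing /etc/bridgehead/site.conf"; exit 1; }`, keeps the friendly message. That file is executed as shell code by whichever user runs this script, so its ownership and mode matter as much as the repository's, which the new ownership check in prerequisites.sh does not cover. `cd $BASE` and `echo $DIR` are unquoted and break `baseDir` for an install path containing whitespace; `cd "$BASE"` and `echo "$DIR"` are the one-word fix. `#!/bin/bash -e` is lost when the script is started as `bash bridgehead`; `set -e` as the first statement is the reliable form.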
diff --git a/configure-bridgehead.sh b/configure-bridgehead.sh deleted file mode 100644 index e20dca9..0000000 --- a/configure-bridgehead.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -useradd --home-dir /srv/docker/bridgehead -g docker -N -u 317 -s /sbin/nologin \ No newline at end of file diff --git a/lib/functions.sh b/lib/functions.sh index 4dc30f5..03def34 100755 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -10,3 +10,16 @@ exitIfNotRoot() { log() { echo "$(date +'%Y-%m-%d %T')" "$1:" "$2" } + +printUsage() { + echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME" +} + +checkRequirements() { + if ! lib/prerequisites.sh; then + log ERROR "Validating Prerequisites failed, please fix the error(s) above this line." + exit 1 + else + return 0 + fi +} diff --git a/lib/generate.sh b/lib/generate-landingpage.sh similarity index 100% rename from lib/generate.sh rename to lib/generate-landingpage.sh diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index e473a16..fc5ab54 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -1,9 +1,20 @@ #!/bin/bash +source lib/functions.sh + +## Check for file permissions +if ! id "bridgehead" &>/dev/null; then + log ERROR "User bridgehead does not exist. Please consult readme for installation." + exit 1 +fi +COUNT=$(find . ! -user bridgehead |wc -l) +if [ $COUNT -gt 0 ]; then + log ERROR "$COUNT files in $(pwd) are not owned by user bridgehead. Run find $(pwd) ! -user bridgehead to see them, chown -R bridgehead $(pwd) to correct this issue." + exit 1 +fi ## Check if user is a su -echo "Welcome to the starting a bridgehead. We will get your instance up and running in no time" -echo "First we will check if all prerequisites are met ..." +log INFO "Checking if all prerequisites are met ..." prerequisites="git docker docker-compose" for prerequisite in $prerequisites; do $prerequisite --version 2>&1 
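Review bot: `printUsage` prints to stdout although every caller in `bridgehead` follows it with `exit 1`; `echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME" >&2` keeps the usage text on the diagnostic stream like `log` does. The `else return 0` branch in `checkRequirements` is dead weight, since the function already returns 0 when the `if` is not taken. Both `checkRequirements` and its callee use the working-directory-relative path `lib/prerequisites.sh`, which only resolves after `bridgehead` has changed into its base directory; a one-line header comment on `checkRequirements` stating that precondition would save the next direct caller a confusing "No such file" exit.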
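Review bot: The ownership check `find . ! -user bridgehead` verifies only the owner, so a script owned by `bridgehead` that is group- or world-writable passes, and write access by other local accounts is exactly what lets someone alter what `bridgehead start` and the update unit execute; `find . \( ! -user bridgehead -o -perm /o+w \)` (GNU find) would cover both in one pass, with the error text extended to mention permissions. A `find` that cannot read a subtree reports that on stderr and is not reflected in `$COUNT`, so the check silently accepts what it could not inspect; treating a non-zero `find` status as a failure would surface it. `source lib/functions.sh` at the top of the script is again relative to the caller's working directory, which the TODO added in the next hunk already acknowledges.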
@@ -15,54 +26,49 @@ for prerequisite in $prerequisites; do # TODO: Check for specific version done -echo "Checking /etc/bridgehead/" +log INFO "Checking configuration ..." ## Download submodule if [ ! -d "/etc/bridgehead/" ]; then - echo "Please set up the config folder. Instruction are in the readme." + log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme." exit 1 -else - echo "Done" fi -echo "Checking /etc/bridgehead/site.conf" - #check if site.conf is created if [ ! -f /etc/bridgehead/site.conf ]; then - echo "Please create your specific site.conf file from the site.dev.conf" + log ERROR "Please create your specific site.conf file from the site.dev.conf" exit 1 -else - echo "Done" fi #Load site specific variables source /etc/bridgehead/site.conf +# TODO: Check all required variables here in a generic loop + if [ -z "$site_name" ]; then - echo "Please set site_name" + log ERROR "Please set site_name." exit 1 fi -echo "Checking project config" - #check if project env is present if [ -d "/etc/bridgehead/${project}.env" ]; then - echo "Please copy the tempalte from ${project} and put it in the /etc/bridgehead-config/ folder" + log ERROR "Project config not found. Please copy the template from ${project} and put it under /etc/bridgehead-config/${project}.env." exit 1 -else - echo "Done" fi -echo "Checking ssl cert" +# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory. -## Create SSL Cert -if [ ! -d "/certs" ]; then - echo "SSL cert missing, now we create one. Please consider getting a signed one" - mkdir certs +log INFO "Checking ssl cert" + +if [ ! -d "certs" ]; then + log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. 
via Let's Encrypt ...)" + mkdir -p certs fi -if [ -d "/etc/bridgehead/traefik.crt" ]; then +if [ -e "/etc/bridgehead/traefik.crt" ]; then openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 365 fi -echo "All prerequisites are met!" +log INFO "Success - all prerequisites are met!" + +exit 0 diff --git a/lib/remove-bridgehead-units.sh b/lib/remove-bridgehead-units.sh index b8c34a2..ac951d0 100755 --- a/lib/remove-bridgehead-units.sh +++ b/lib/remove-bridgehead-units.sh @@ -14,10 +14,7 @@ fi export project=$1 -if ! ./lib/prerequisites.sh; then - log "Prerequisites failed, exiting" - exit 1 -fi +#checkRequirements // not needed when uninstalling echo "Stopping systemd services and removing bridgehead ..." diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh index cd37a6c..9cf24ad 100755 --- a/lib/setup-bridgehead-units.sh +++ b/lib/setup-bridgehead-units.sh @@ -16,10 +16,7 @@ fi export project=$1 -if ! ./lib/prerequisites.sh; then - log "Prerequisites failed, exiting" - exit 1 -fi +checkRequirements echo -e "\nInstalling systemd units ..." cp -v \ diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service index 98b9387..f41ae98 100644 --- a/lib/systemd/bridgehead-update@.service +++ b/lib/systemd/bridgehead-update@.service @@ -4,9 +4,7 @@ Description=Bridgehead (%i) Update Service [Service] Type=oneshot User=bridgehead -WorkingDirectory=/srv/docker/bridgehead/ - -ExecStart=/srv/docker/bridgehead/update-bridgehead.sh %i +ExecStart=/srv/docker/bridgehead/bridgehead update %i [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service index 12b069a..99cb7ea 100644 --- a/lib/systemd/bridgehead@.service +++ b/lib/systemd/bridgehead@.service 
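Review bot: The project-config check still tests `-d "/etc/bridgehead/${project}.env"`, i.e. it errors only when a directory of that name exists, while the rewritten message says "Project config not found"; a missing file passes and the failure surfaces later inside docker-compose. `if [ ! -f "/etc/bridgehead/${project}.env" ]; then` matches the message, and the message's `/etc/bridgehead-config/` path disagrees with the `/etc/bridgehead/$project.env` that `bridgehead` actually hands to `--env-file`. The TLS branch looks inverted as well: the self-signed key pair is generated only when `/etc/bridgehead/traefik.crt` already exists, and because that test stays true it overwrites `certs/traefik.key` on every start, invalidating whatever was previously served; presumably the intent is `[ ! -e certs/traefik.crt ]`, and a site-provided cert would then still need to be copied into `certs/`, which nothing here does. `openssl req` is also run without `-subj`, so it prompts for the subject fields, which cannot be answered when the script runs under the systemd unit; `-subj "/CN=${site_name}"` makes it non-interactive with a value the script already validates.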
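Review bot: Calling `checkRequirements` here runs lib/prerequisites.sh, which creates `certs/` and may write `certs/traefik.key` and `certs/traefik.crt`, as the user invoking `bridgehead install`; that is presumably root, since this script installs systemd units (and functions.sh provides `exitIfNotRoot`), so those files end up root-owned and the very next `bridgehead start` as user `bridgehead` fails the new `find . ! -user bridgehead` check. Either keep the install-time check free of side effects, or follow it with `chown -R bridgehead certs`; whichever is chosen, a comment at this call site should say that prerequisites.sh writes into the repository. `checkRequirements` is defined in lib/functions.sh, which this script must source above the hunk.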
@@ -5,12 +5,8 @@ Description=Bridgehead (%i) Service User=bridgehead Restart=always RestartSec=30 - -WorkingDirectory=/srv/docker/bridgehead/ - -ExecStart=/srv/docker/bridgehead/start-bridgehead.sh %i -RemainAfterExit=true -ExecStop=/srv/docker/bridgehead/stop-bridgehead.sh %i +ExecStart=/srv/docker/bridgehead/bridgehead start %i +ExecStop=/srv/docker/bridgehead/bridgehead stop %i [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target diff --git a/update-bridgehead.sh b/lib/update-bridgehead.sh similarity index 91% rename from update-bridgehead.sh rename to lib/update-bridgehead.sh index fdd9a9f..b6a7f56 100755 --- a/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -3,10 +3,7 @@ service="bridgehead" source lib/functions.sh -if ! lib/prerequisites.sh; then - log "Prerequisites failed, exiting" - exit -fi +#checkRequirements // not required for mere update log "INFO" "Checking for updates of $service" # check prerequisites diff --git a/start-bridgehead.sh b/start-bridgehead.sh deleted file mode 100755 index ce59651..0000000 --- a/start-bridgehead.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -### Note: Currently not complete, needs some features before useable for production - -if [ $# -eq 0 ]; then - echo "Please provide a Project as argument" - exit 1 -fi - -if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then - echo "Please provide a supported project like ccp, gbn or nngm" - exit 1 -fi - -export project=$1 - -source lib/functions.sh - -if ! lib/prerequisites.sh; then - log "Validating Prerequisites failed, please fix the occurring error" - exit 1 -fi - -source /etc/bridgehead/site.conf - -./lib/generate.sh - -log "Starting bridgehead" - -docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env up -d - -log "The bridgehead should be in online in a few seconds" diff --git a/stop-bridgehead.sh b/stop-bridgehead.sh deleted file mode 100755 index 33b1e54..0000000 --- a/stop-bridgehead.sh +++ /dev/null 
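Review bot: `ExecStart` now runs `bridgehead start`, whose `checkRequirements` exits 1 on any unmet prerequisite, and with `Restart=always` plus `RestartSec=30` systemd retries that failing start indefinitely (the default start-rate limit of 5 starts in 10 s never trips at 30 s spacing), re-running the prerequisite script, including its certificate-generation step, every half minute. Adding `StartLimitIntervalSec=` and `StartLimitBurst=` under `[Unit]` bounds the loop so a configuration error shows up as a failed unit in `systemctl status` rather than as journal churn. `ExecStop` runs `docker-compose down`, which also removes the compose network, not just the containers; if that is intended, a comment in the unit saying so spares the next operator a surprise.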
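Review bot: Now that the script lives in `lib/`, `source lib/functions.sh` resolves only when the caller's working directory is the repository root, which holds for the `bridgehead update` path but not for a direct invocation; `source "$(dirname "$0")/functions.sh"` makes the script location-independent, the same fix prerequisites.sh's TODO asks for. The replacement comment `#checkRequirements // not required for mere update` removes the only gate this script had; if the update path ends by restarting the service (outside the hunk), the start path re-checks and this is fine, but the comment should say that rather than use `//`, which reads as a leftover from another language.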
@@ -1,18 +0,0 @@ -#!/bin/bash -e - -source lib/functions.sh - -if [ $# -eq 0 ]; then - echo "Please provide a Project as argument" - exit 1 -fi - -if [ $1 != "ccp" ] && [$1 != "nngm"] && [ $1 != "gbn" ]; then - echo "Please provide a supported project like ccp, gbn or nngm" - exit 1 -fi - -log "Stopping bridgehead" - -# TODO: Check $1 for proper values -docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env down From acd6b94df6d68c1e66393eff8f2a96eea55b3356 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Tue, 10 May 2022 09:09:58 +0200 Subject: [PATCH 2/2] Use correct link to dockerhub --- ccp/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 826906b..c67e302 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -68,7 +68,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" ccp-search-share: - image: "ghcr.io/samply/dktk-fed-search-share:main" + image: "samply/dktk-fed-search-share" container_name: bridgehead-ccp-share environment: APP_BASE_URL: "http://dktk-fed-search-share:8080"
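Review bot: Dropping the tag in `image: "samply/dktk-fed-search-share"` makes the pull resolve to `latest` implicitly, so every restart or `bridgehead update` can silently pick up whatever was last pushed to Docker Hub; the previous `ghcr.io/...:main` was also a moving tag, but the bare name hides that nothing is pinned at all. Pin a released tag, `samply/dktk-fed-search-share:<TAG>`, or better a digest, `samply/dktk-fed-search-share@sha256:<DIGEST>` (placeholders), and let the update script bump it deliberately. The other services in this file, e.g. `nginx:stable` in patch 1, at least carry an explicit tag.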