Merge pull request from samply/martinsFixes

Housekeeping and script hardening in /srv/docker/bridgehead
This commit is contained in:
patrickskowronekdkfz 2022-05-10 09:17:25 +02:00 committed by GitHub
commit 95b2fdae08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 122 additions and 99 deletions

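--- a/bridgehead
+++ b/bridgehead
@@ -0,0 +1,70 @@
+#!/bin/bash -e
+baseDir() {
+# see https://stackoverflow.com/questions/59895
+SOURCE=${BASH_SOURCE[0]}
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+SOURCE=$(readlink "$SOURCE")
+[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+echo $DIR
+}
+BASE=$(baseDir)
+cd $BASE
+source ./lib/functions.sh
+action=$1
+project=$2
+if [[ -z $1 || -z $2 ]]; then
+printUsage
+exit 1
+fi
+case "$project" in
+ccp)
+#nothing extra to do
+;;
+nngm)
+#nothing extra to do
+;;
+gbn)
+#nothing extra to do
+;;
+*)
+printUsage
+exit 1
+;;
+esac
+source /etc/bridgehead/site.conf
+case "$action" in
+start)
+checkRequirements
+./lib/generate-landingpage.sh
+exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env up
+;;
+stop)
+exec docker-compose -f ./$project/docker-compose.yml --env-file /etc/bridgehead/$project.env down
+;;
+update)
+exec ./lib/update-bridgehead.sh $project
+;;
+install)
+exec ./lib/setup-bridgehead-units.sh $project
+;;
+uninstall)
+exec ./lib/remove-bridgehead-units.sh $project
+;;
+*)
+printUsage
+exit 1
+;;
+esac
+exit 0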
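Review bot: `cd $BASE` and `echo $DIR` in baseDir leave the resolved path unquoted, so a checkout under a directory containing spaces or glob characters breaks before any action runs; use `cd "$BASE"` and `echo "$DIR"`. The `-e` in `#!/bin/bash -e` is lost when the script is invoked as `bash bridgehead`, so a `set -e` line after the shebang is the reliable form. `$project` is unquoted in the docker-compose and lib/*.sh invocations, which is safe only because the `case "$project"` above restricts it to ccp/nngm/gbn — worth stating on that case, e.g. `# project is whitelisted here; the unquoted uses below rely on this`. Also `project=$2` is not exported, and as far as the sections below show checkRequirements runs lib/prerequisites.sh as a child process that reads `${project}`, so the child would see it empty unless this becomes `export project=$2`.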


@ -41,7 +41,7 @@ services:
container_name: bridgehead-landingpage container_name: bridgehead-landingpage
image: nginx:stable image: nginx:stable
volumes: volumes:
- ../landing/:/usr/share/nginx/html - ../landing/:/usr/share/nginx/html:ro
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)" - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
@ -68,7 +68,7 @@ services:
- "traefik.http.routers.blaze_ccp.tls=true" - "traefik.http.routers.blaze_ccp.tls=true"
ccp-search-share: ccp-search-share:
image: "ghcr.io/samply/dktk-fed-search-share:main" image: "samply/dktk-fed-search-share"
container_name: bridgehead-ccp-share container_name: bridgehead-ccp-share
environment: environment:
APP_BASE_URL: "http://dktk-fed-search-share:8080" APP_BASE_URL: "http://dktk-fed-search-share:8080"
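Review bot: The new image reference `samply/dktk-fed-search-share` carries no tag, so every pull resolves to whatever `latest` is on Docker Hub at that moment and the deployment is no longer reproducible or auditable; the previous reference at least pinned `main`. Pin an explicit version tag or, better, a digest, e.g. `image: "samply/dktk-fed-search-share:<pinned-tag>"` (placeholder — use the release the bridgehead was validated against). The `:ro` on the landing-page bind mount is a good change; the same suffix is worth considering for any other bind mount in this file that the container only reads.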


@ -1,3 +0,0 @@
#!/bin/bash
useradd --home-dir /srv/docker/bridgehead -g docker -N -u 317 -s /sbin/nologin


@ -10,3 +10,16 @@ exitIfNotRoot() {
log() { log() {
echo "$(date +'%Y-%m-%d %T')" "$1:" "$2" echo "$(date +'%Y-%m-%d %T')" "$1:" "$2"
} }
printUsage() {
echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
}
checkRequirements() {
if ! lib/prerequisites.sh; then
log ERROR "Validating Prerequisites failed, please fix the error(s) above this line."
exit 1
else
return 0
fi
}
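Review bot: `checkRequirements` calls `exit 1` from a function that is sourced into the caller, so a failed prerequisite terminates the sourcing script rather than just returning non-zero; that appears intended but is not obvious and deserves a header comment, e.g. `# Runs lib/prerequisites.sh (path relative to the repo root); on failure logs and EXITS the calling shell.` The `else return 0` branch is redundant, since the function already returns 0 when the `if` body is skipped, so the `else` can be dropped or the whole body written as `lib/prerequisites.sh || { log ERROR "Validating Prerequisites failed, please fix the error(s) above this line."; exit 1; }`. printUsage could send its text to stderr (`... uninstall PROJECTNAME" >&2`), since every visible caller exits 1 right after it.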


@ -2,9 +2,19 @@
source lib/functions.sh source lib/functions.sh
## Check for file permissions
if ! id "bridgehead" &>/dev/null; then
log ERROR "User bridgehead does not exist. Please consult readme for installation."
exit 1
fi
COUNT=$(find . ! -user bridgehead |wc -l)
if [ $COUNT -gt 0 ]; then
log ERROR "$COUNT files in $(pwd) are not owned by user bridgehead. Run find $(pwd) ! -user bridgehead to see them, chown -R bridgehead $(pwd) to correct this issue."
exit 1
fi
## Check if user is a su ## Check if user is a su
log "Welcome to the starting a bridgehead. We will get your instance up and running in no time" log INFO "Checking if all prerequisites are met ..."
log "First we will check if all prerequisites are met ..."
prerequisites="git docker docker-compose" prerequisites="git docker docker-compose"
for prerequisite in $prerequisites; do for prerequisite in $prerequisites; do
$prerequisite --version 2>&1 $prerequisite --version 2>&1
@ -16,54 +26,49 @@ for prerequisite in $prerequisites; do
# TODO: Check for specific version # TODO: Check for specific version
done done
log "Checking /etc/bridgehead/" log INFO "Checking configuration ..."
## Download submodule ## Download submodule
if [ ! -d "/etc/bridgehead/" ]; then if [ ! -d "/etc/bridgehead/" ]; then
log "Please set up the config folder. Instruction are in the readme." log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
exit 1 exit 1
else
log "Done"
fi fi
log "Checking /etc/bridgehead/site.conf"
#check if site.conf is created #check if site.conf is created
if [ ! -f /etc/bridgehead/site.conf ]; then if [ ! -f /etc/bridgehead/site.conf ]; then
log "Please create your specific site.conf file from the site.dev.conf" log ERROR "Please create your specific site.conf file from the site.dev.conf"
exit 1 exit 1
else
log "Done"
fi fi
#Load site specific variables #Load site specific variables
source /etc/bridgehead/site.conf source /etc/bridgehead/site.conf
# TODO: Check all required variables here in a generic loop
if [ -z "$site_name" ]; then if [ -z "$site_name" ]; then
log "Please set site_name" log ERROR "Please set site_name."
exit 1 exit 1
fi fi
log "Checking project config"
#check if project env is present #check if project env is present
if [ -d "/etc/bridgehead/${project}.env" ]; then if [ -d "/etc/bridgehead/${project}.env" ]; then
log "Please copy the tempalte from ${project} and put it in the /etc/bridgehead-config/ folder" log ERROR "Project config not found. Please copy the template from ${project} and put it under /etc/bridgehead-config/${project}.env."
exit 1 exit 1
else
log "Done"
fi fi
log "Checking ssl cert" # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
## Create SSL Cert log INFO "Checking ssl cert"
if [ ! -d "/certs" ]; then
log "SSL cert missing, now we create one. Please consider getting a signed one" if [ ! -d "certs" ]; then
mkdir certs log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
mkdir -p certs
fi fi
if [ -d "certs/traefik.crt" ]; then if [ -e "/etc/bridgehead/traefik.crt" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 365 openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 365
fi fi
log "All prerequisites are met!" log INFO "Success - all prerequisites are met!"
exit 0
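Review bot: The project-config check `if [ -d "/etc/bridgehead/${project}.env" ]` tests for a directory, so the new "Project config not found" error fires only when that path is a directory and a genuinely missing env file passes silently; it should read `if [ ! -f "/etc/bridgehead/${project}.env" ]; then`. The certificate block has the same shape of problem: `if [ -e "/etc/bridgehead/traefik.crt" ]` generates a self-signed certificate into `certs/` only when a certificate already exists under /etc/bridgehead, which looks inverted — presumably `if [ ! -e "certs/traefik.crt" ]; then` is meant (confirm which location the compose files actually mount). That `openssl req -nodes` call writes an unencrypted private key with the process umask; tighten it right after generation, e.g. `chmod 600 certs/traefik.key`, and the WARN could mention the 365-day validity so operators know to rotate. `find . ! -user bridgehead` and the `certs` paths are relative to the working directory, as the TODO acknowledges, so this script only works when the caller has already `cd`ed to the repo root as the new `bridgehead` entry point does.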


@ -14,10 +14,7 @@ fi
export project=$1 export project=$1
if ! ./lib/prerequisites.sh; then #checkRequirements // not needed when uninstalling
log "Prerequisites failed, exiting"
exit 1
fi
log "Stopping systemd services and removing bridgehead ..." log "Stopping systemd services and removing bridgehead ..."
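Review bot: The remaining single-argument `log "Stopping systemd services and removing bridgehead ..."` passes the message as the level: `log` in lib/functions.sh prints `"$1:" "$2"`, so this line prints the text followed by a colon and an empty message; change it to `log INFO "Stopping systemd services and removing bridgehead ..."` as the other scripts in this commit now do. The new comment `#checkRequirements // not needed when uninstalling` reads more naturally without the `//`, e.g. `# checkRequirements intentionally skipped: not needed when uninstalling`; the same comment style appears in update-bridgehead.sh. The enclosing script continues outside the hunk.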


@ -16,10 +16,7 @@ fi
export project=$1 export project=$1
if ! ./lib/prerequisites.sh; then checkRequirements
log "Prerequisites failed, exiting"
exit 1
fi
echo -e "\nInstalling systemd units ..." echo -e "\nInstalling systemd units ..."
cp -v \ cp -v \


@ -4,9 +4,7 @@ Description=Bridgehead (%i) Update Service
[Service] [Service]
Type=oneshot Type=oneshot
User=bridgehead User=bridgehead
WorkingDirectory=/srv/docker/bridgehead/ ExecStart=/srv/docker/bridgehead/bridgehead update %i
ExecStart=/srv/docker/bridgehead/update-bridgehead.sh %i
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
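Review bot: Dropping `WorkingDirectory=` is correct only because the new `bridgehead` entry point resolves and `cd`s into its own checkout before doing anything; that dependency is invisible from the unit file, so record it, e.g. `# No WorkingDirectory: the bridgehead script cds into its checkout itself.` above `ExecStart`. The same applies to the bridgehead@.service change in this commit. `%i` is passed straight through as the project name, and the script's whitelist case is what rejects unexpected instance names — worth a short comment as well.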


@ -5,12 +5,8 @@ Description=Bridgehead (%i) Service
User=bridgehead User=bridgehead
Restart=always Restart=always
RestartSec=30 RestartSec=30
ExecStart=/srv/docker/bridgehead/bridgehead start %i
WorkingDirectory=/srv/docker/bridgehead/ ExecStop=/srv/docker/bridgehead/bridgehead stop %i
ExecStartPre=exec /srv/docker/bridgehead/stop-bridgehead.sh %i
ExecStart=exec /srv/docker/bridgehead/start-bridgehead.sh %i
ExecStop=exec /srv/docker/bridgehead/stop-bridgehead.sh %i
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
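Review bot: With `Restart=always` and `RestartSec=30`, an instance started with an unsupported name (`bridgehead start %i` hits `printUsage` and `exit 1`) is restarted every 30 seconds indefinitely instead of failing visibly; `RestartPreventExitStatus=1` would stop that loop, or use `Restart=on-failure` together with a distinct exit code for usage errors in the script. The new `ExecStart`/`ExecStop` lines also drop the old `ExecStartPre` stop, so a stale compose project from a crashed run now relies on `docker-compose up` reconciling it — probably fine, but worth noting in the unit if that was deliberate.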


@ -3,10 +3,7 @@ service="bridgehead"
source lib/functions.sh source lib/functions.sh
if ! lib/prerequisites.sh; then #checkRequirements // not required for mere update
log "Prerequisites failed, exiting"
exit
fi
log "INFO" "Checking for updates of $service" log "INFO" "Checking for updates of $service"
# check prerequisites # check prerequisites
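Review bot: The `# check prerequisites` comment now follows nothing that checks prerequisites, since the block above it was replaced by `#checkRequirements // not required for mere update`; either delete the stale comment or merge the two into one line such as `# prerequisites check intentionally skipped for updates (see checkRequirements)`. Skipping lib/prerequisites.sh here also skips its file-ownership check, so if the update step writes files as a user other than bridgehead the next `start` will refuse to run with the "not owned by user bridgehead" error — that depends on how the update is performed outside this hunk, so confirm. `log "INFO" ...` with a quoted level differs from the bare `log INFO ...` used elsewhere in this commit; pick one form.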


@ -1,29 +0,0 @@
#!/bin/bash
source lib/functions.sh
if [ $# -eq 0 ]; then
log "Please provide a Project as argument"
exit 1
fi
if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
log "Please provide a supported project like ccp, gbn or nngm"
exit 1
fi
export project=$1
if ! lib/prerequisites.sh; then
log "Validating Prerequisites failed, please fix the occurring error"
exit 1
fi
source /etc/bridgehead/site.conf
####./lib/generate.sh
log "Starting bridgehead"
docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env up -d
log "The bridgehead should be in online in a few seconds"


@ -1,18 +0,0 @@
#!/bin/bash -e
source lib/functions.sh
if [ $# -eq 0 ]; then
log "Please provide a Project as argument"
exit 1
fi
if [ $1 != "ccp" ] && [$1 != "nngm"] && [ $1 != "gbn" ]; then
log "Please provide a supported project like ccp, gbn or nngm"
exit 1
fi
log "Stopping bridgehead"
# TODO: Check $1 for proper values
docker-compose -f $1/docker-compose.yml --env-file /etc/bridgehead/$1.env down