X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/89f541d2b534b9cad4ee668f702f1270bf056171..9539317a22d8ea16f94b0e086507ab595d758216:/tools/salt-install/provision.sh diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index 7ac120e5fd..537f087b62 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash # Copyright (C) The Arvados Authors. All rights reserved. # @@ -49,6 +49,7 @@ usage() { echo >&2 " for the selected role/s" echo >&2 " - writes the resulting files into " echo >&2 " -v, --vagrant Run in vagrant and use the /vagrant shared dir" + echo >&2 " --development Run in dev mode, using snakeoil certs" echo >&2 } @@ -60,7 +61,7 @@ arguments() { fi TEMP=$(getopt -o c:dhp:r:tv \ - --long config:,debug,dump-config:,help,roles:,test,vagrant \ + --long config:,debug,development,dump-config:,help,roles:,test,vagrant \ -n "${0}" -- "${@}") if [ ${?} != 0 ]; @@ -98,6 +99,10 @@ arguments() { DUMP_CONFIG="yes" shift 2 ;; + --development) + DEV_MODE="yes" + shift 1 + ;; -r | --roles) for i in ${2//,/ } do @@ -131,6 +136,7 @@ arguments() { done } +DEV_MODE="no" CONFIG_FILE="${SCRIPT_DIR}/local.params" CONFIG_DIR="local_config_dir" DUMP_CONFIG="no" @@ -159,6 +165,9 @@ WEBSOCKET_EXT_SSL_PORT=8002 WORKBENCH1_EXT_SSL_PORT=443 WORKBENCH2_EXT_SSL_PORT=3001 +USE_LETSENCRYPT="no" +CUSTOM_CERTS_DIR="./certs" + ## These are ARVADOS-related parameters # For a stable release, change RELEASE "production" and VERSION to the # package version (including the iteration, e.g. X.Y.Z-1) of the @@ -177,7 +186,7 @@ VERSION="latest" # Other formula versions we depend on POSTGRES_TAG="v0.41.6" NGINX_TAG="temp-fix-missing-statements-in-pillar" -DOCKER_TAG="v1.0.0" +DOCKER_TAG="v2.0.7" LOCALE_TAG="v0.3.4" LETSENCRYPT_TAG="v2.1.0" 
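Review bot: `CUSTOM_CERTS_DIR="./certs"` in the @@ -159 hunk is the only path default resolved against the caller's working directory; `CONFIG_FILE` a few lines above is anchored on `${SCRIPT_DIR}`, and the later `cp -rv ${CUSTOM_CERTS_DIR}/*` copies whatever that relative directory holds from wherever the operator happened to invoke the script. Unless local.params is expected to always override it, anchoring the default the same way, `CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"`, keeps the certificate source independent of the invocation directory. The new `DEV_MODE="no"` default in @@ -131 is fine, but since the flag decides whether snake-oil certificates are generated on the host, a one-line comment such as `# "yes" only via --development: generates snakeoil certs, never for production hosts` next to it would make the intent visible to whoever edits the defaults later.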
@@ -232,8 +241,23 @@ fi if [ "${DUMP_CONFIG}" = "yes" ]; then echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit" else - apt-get update - apt-get install -y curl git jq + # Install a few dependency packages + # First, let's figure out the OS we're working on + OS_ID=$(grep ^ID= /etc/os-release |cut -f 2 -d= |cut -f 2 -d \") + echo "Detected distro: ${OS_ID}" + + case ${OS_ID} in + "centos") + echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019" + sed -i 's/SELINUX=enforcing/SELINUX=permissive' /etc/sysconfig/selinux + setenforce permissive + yum install -y curl git jq + ;; + "debian"|"ubuntu") + DEBIAN_FRONTEND=noninteractive apt update + DEBIAN_FRONTEND=noninteractive apt install -y curl git jq + ;; + esac if which salt-call; then echo "Salt already installed" @@ -246,6 +270,8 @@ else # Set salt to masterless mode cat > /etc/salt/minion << EOFSM +failhard: "True" + file_client: local file_roots: base: @@ -432,9 +458,20 @@ EOFPSLS # States, extra states if [ -d "${F_DIR}"/extra/extra ]; then - for f in $(ls "${F_DIR}"/extra/extra/*.sls); do + if [ "$DEV_MODE" = "yes" ]; then + # In dev mode, we create some snake oil certs that we'll + # use as CUSTOM_CERTS, so we don't skip the states file + SKIP_SNAKE_OIL="dont_snakeoil_certs" + else + SKIP_SNAKE_OIL="snakeoil_certs" + fi + for f in $(ls "${F_DIR}"/extra/extra/*.sls | grep -v ${SKIP_SNAKE_OIL}); do echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls done + # Use custom certs + if [ "x${USE_LETSENCRYPT}" != "xyes" ]; then + mkdir -p "${F_DIR}"/extra/extra/files + fi fi # If we want specific roles for a node, just add the desired states 
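Review bot: The SELinux edit in the @@ -232 hunk does not do what the comment promises: `sed -i 's/SELINUX=enforcing/SELINUX=permissive' /etc/sysconfig/selinux` is missing the closing `/` of the `s` command, so GNU sed exits with an unterminated-command error and, with no `set -e`, the script carries on; only the runtime `setenforce permissive` takes effect and enforcing mode returns at the next boot. On CentOS that path is also normally a symlink to /etc/selinux/config, and `sed -i` replaces a symlink with a regular file, so the corrected form is `sed -i --follow-symlinks 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/sysconfig/selinux`. Because this permanently lowers the host's mandatory-access-control posture, the WARNING line should state that it is persistent across reboots, not just a session change. The `case` should also get a `*)` arm that aborts on an unrecognised `${OS_ID}` rather than silently skipping the package installs, and the selector should be quoted: `case "${OS_ID}" in`.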
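Review bot: The state enumeration in the @@ -432 hunk still parses `ls` and now filters it with an unquoted, unanchored `grep -v ${SKIP_SNAKE_OIL}`, which matches anywhere in the full path; the `dont_snakeoil_certs` sentinel only works as long as no path component contains that string, and any `${F_DIR}` containing `snakeoil_certs` would drop every extra state. A plain glob with the skip decided per file name removes both the sentinel and the substring match, and `basename "${f}" .sls` replaces the `sed 's/.sls$//g'` pipeline. The surrounding `if [ -d "${F_DIR}"/extra/extra ]` block is unchanged.

```shell
for f in "${F_DIR}"/extra/extra/*.sls; do
  # the snakeoil state belongs to dev mode only; compare the file name, not the whole path
  if [ "$DEV_MODE" != "yes" ] && [ "$(basename "${f}")" = "snakeoil_certs.sls" ]; then
    continue
  fi
  echo "    - extra.$(basename "${f}" .sls)" >> "${S_DIR}/top.sls"
done
# … unchanged: mkdir -p of extra/extra/files when USE_LETSENCRYPT != yes …
```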
@@ -444,11 +481,21 @@ if [ -z "${ROLES}" ]; then echo " - nginx.passenger" >> ${S_DIR}/top.sls # Currently, only available on config_examples/multi_host/aws if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then - grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls + if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then + grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - extra.aws_credentials" >> ${S_DIR}/top.sls fi grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs + # Copy certs to formula extra/files + # In dev mode, the files will be created and put in the destination directory by the + # snakeoil_certs.sls state file + mkdir -p /srv/salt/certs + cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/ + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls fi + echo " - postgres" >> ${S_DIR}/top.sls echo " - docker.software" >> ${S_DIR}/top.sls echo " - arvados" >> ${S_DIR}/top.sls 
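Review bot: `cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/` in the @@ -444 hunk runs in dev mode too, although the comment right above it says the files are produced later by the snakeoil_certs.sls state; with `./certs` absent the glob stays literal, `cp` prints an error and, without `set -e`, the run continues. Guarding it with `if [ "$DEV_MODE" != "yes" ]; then` and failing explicitly when `[ -d "${CUSTOM_CERTS_DIR}" ]` is false makes the production case stop when certificates are missing; the same unconditional copies sit in the role branches at @@ -489 and @@ -510. Since the directory receives private keys, create it with a restrictive mode, `install -d -m 0700 /srv/salt/certs`, and quote the source: `cp -rv "${CUSTOM_CERTS_DIR}"/* /srv/salt/certs/`. This hunk also renames the state to `extra.aws_credentials` while the role branches in @@ -489 and @@ -510 still append `- aws_credentials` to the same top.sls; if the state moved under extra/, those references need the same rename.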
@@ -465,12 +512,37 @@ if [ -z "${ROLES}" ]; then echo " - nginx_workbench2_configuration" >> ${P_DIR}/top.sls echo " - nginx_workbench_configuration" >> ${P_DIR}/top.sls echo " - postgresql" >> ${P_DIR}/top.sls + # Currently, only available on config_examples/multi_host/aws if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls fi grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + for c in controller websocket workbench workbench2 webshell download collections keepproxy; do + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${c}.${CLUSTER}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + ${P_DIR}/nginx_${c}_configuration.sls + done + else + # Use custom certs (either dev mode or prod) + grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls + # And add the certs in the custom_certs pillar + echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls + echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls + + for c in controller websocket workbench workbench2 webshell download collections keepproxy; do + grep -q ${c} ${P_DIR}/extra_custom_certs.sls || echo " - ${c}" >> ${P_DIR}/extra_custom_certs.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${c}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${c}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${c}.key#g" \ + ${P_DIR}/nginx_${c}_configuration.sls + done fi else # 
If we add individual roles, make sure we add the repo first @@ -489,13 +561,18 @@ else grep -q "postgres.client" ${S_DIR}/top.sls || echo " - postgres.client" >> ${S_DIR}/top.sls grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls ### If we don't install and run LE before arvados-api-server, it fails and breaks everything - ### after it so we add this here, as we are, after all, sharing the host for api and controller + ### after it. So we add this here as we are, after all, sharing the host for api and controller # Currently, only available on config_examples/multi_host/aws if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls fi - grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs + cp -v ${CUSTOM_CERTS_DIR}/controller.* "${F_DIR}/extra/extra/files/" + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls fi grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars 
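Review bot: The three-line `sed -i` pillar rewrite in the @@ -465 hunk is duplicated six times in this commit (twice here, four times in @@ -510) with only the vhost name and the certificate source differing, and `${CLUSTER}.${DOMAIN}` is spliced into the sed script unescaped, so a `/`, `#` or `&` in those values silently corrupts the pillar. A helper keyed on the vhost and the mode removes the repetition and gives one place to validate the inputs; both loops would then reduce to `set_nginx_cert_pillar "${c}" le` or `set_nginx_cert_pillar "${c}" custom`. The `grep -q ${c} ${P_DIR}/extra_custom_certs.sls` check is a substring match — it happens to work for this fixed list because `workbench` precedes `workbench2`, but the same check on `${R}` in @@ -510 skips `workbench` whenever workbench2 was processed first; matching the whole line, `grep -qE "^ *- ${c}\$" ${P_DIR}/extra_custom_certs.sls`, is the robust form in both hunks.

```shell
# Fill the __CERT_*__ placeholders of one nginx pillar.
# $1 = vhost name (controller, websocket, …), $2 = "le" or "custom"
set_nginx_cert_pillar() {
  local vhost=$1 mode=$2
  local pillar="${P_DIR}/nginx_${vhost}_configuration.sls"
  local fqdn="${vhost}.${CLUSTER}.${DOMAIN}"
  case "${mode}" in
    le)
      sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${fqdn}*/g;
              s#__CERT_PEM__#/etc/letsencrypt/live/${fqdn}/fullchain.pem#g;
              s#__CERT_KEY__#/etc/letsencrypt/live/${fqdn}/privkey.pem#g" "${pillar}"
      ;;
    custom)
      sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${vhost}.pem/g;
              s#__CERT_PEM__#/etc/nginx/ssl/arvados-${vhost}.pem#g;
              s#__CERT_KEY__#/etc/nginx/ssl/arvados-${vhost}.key#g" "${pillar}"
      ;;
    *)
      echo "set_nginx_cert_pillar: unknown mode '${mode}'" >&2
      return 1
      ;;
  esac
}
# … unchanged: the controller … keepproxy loops, now calling set_nginx_cert_pillar "${c}" le|custom …
```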
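Review bot: The custom-cert branch in the @@ -489 hunk copies `controller.*` into `"${F_DIR}/extra/extra/files/"`, whereas the single-host path in @@ -444 copies the same material to `/srv/salt/certs` and the pillar written in @@ -465 sets `extra_custom_certs_dir: /srv/salt/certs`; unless the `extra.custom_certs` state reads from the formula's files/ directory in the role case, this looks like two destinations for one state. A one-line comment stating which directory the state actually consumes in the role case would settle it, and the copy should be quoted and checked like the single-host one: `cp -v "${CUSTOM_CERTS_DIR}"/controller.* "${F_DIR}/extra/extra/files/" || exit 1`.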
@@ -510,25 +587,76 @@ else grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls # Currently, only available on config_examples/multi_host/aws if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls fi grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs, special case for keepweb + if [ ${R} = "keepweb" ]; then + cp -v ${CUSTOM_CERTS_DIR}/download.* "${F_DIR}/extra/extra/files/" + cp -v ${CUSTOM_CERTS_DIR}/collections.* "${F_DIR}/extra/extra/files/" + else + cp -v ${CUSTOM_CERTS_DIR}/${R}.* "${F_DIR}/extra/extra/files/" + fi + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + fi # webshell role is just a nginx vhost, so it has no state if [ "${R}" != "webshell" ]; then - grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls + grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls fi # Pillars grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + grep -q "nginx_download_configuration" ${P_DIR}/top.sls || echo " - nginx_download_configuration" >> ${P_DIR}/top.sls + grep -q "nginx_collections_configuration" ${P_DIR}/top.sls || echo " - nginx_collections_configuration" >> ${P_DIR}/top.sls + fi + # Currently, only available on config_examples/multi_host/aws if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then grep -q "aws_credentials" 
${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls fi grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + for kwsub in download collections; do + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + ${P_DIR}/nginx_${kwsub}_configuration.sls + done + else + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + ${P_DIR}/nginx_${R}_configuration.sls + fi + else + grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + for kwsub in download collections; do + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \ + ${P_DIR}/nginx_${kwsub}_configuration.sls + done + else + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \ + ${P_DIR}/nginx_${R}_configuration.sls + fi fi ;; "shell") 
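Review bot: In the @@ -510 hunk the keepweb special case is only half applied on the pillar side: the certificates copied and the `__CERT_*__` substitutions use `download` and `collections`, but `extra_custom_certs.sls` receives `- keepweb`, so if the `extra_custom_certs_file_copy_arvados-<name>.pem` requisites are generated from that list (as the replacement text suggests), nothing copies `arvados-download.pem` or `arvados-collections.pem` and the two nginx pillars reference keys that never land in /etc/nginx/ssl. The `kwsub` loop should append `download` and `collections` to the list instead of `${R}`. Both `if [ ${R} = "keepweb" ]` tests should quote the variable, `if [ "${R}" = "keepweb" ]`, since an empty `${R}` turns them into a syntax error. This hunk also only appends to `${P_DIR}/extra_custom_certs.sls` and never writes the `extra_custom_certs_dir:`/`extra_custom_certs:` header that @@ -465 creates in the single-host path, so either the config example must ship that file pre-populated for the roles case — worth a comment saying so — or the header needs to be written here as well. The enclosing `case "${R}"` arm starts before this hunk's visible lines.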
@@ -593,19 +721,26 @@ fi # END FIXME! #16992 Temporary fix for psql call in arvados-api-server # Leave a copy of the Arvados CA so the user can copy it where it's required -echo "Copying the Arvados CA certificate to the installer dir, so you can import it" -# If running in a vagrant VM, also add default user to docker group -if [ "x${VAGRANT}" = "xyes" ]; then - cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem - - echo "Adding the vagrant user to the docker group" - usermod -a -G docker vagrant -else - cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem +if [ "$DEV_MODE" = "yes" ]; then + echo "Copying the Arvados CA certificate to the installer dir, so you can import it" + # If running in a vagrant VM, also add default user to docker group + if [ "x${VAGRANT}" = "xyes" ]; then + cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + + echo "Adding the vagrant user to the docker group" + usermod -a -G docker vagrant + else + cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + fi fi # Test that the installation finished correctly if [ "x${TEST}" = "xyes" ]; then cd ${T_DIR} - ./run-test.sh + # If we use RVM, we need to run this with it, or most ruby commands will fail + RVM_EXEC="" + if [ -x /usr/local/rvm/bin/rvm-exec ]; then + RVM_EXEC="/usr/local/rvm/bin/rvm-exec" + fi + ${RVM_EXEC} ./run-test.sh fi
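Review bot: Nesting the existing vagrant block under `if [ "$DEV_MODE" = "yes" ]` in the @@ -593 hunk also moves `usermod -a -G docker vagrant` behind the new flag, so a `--vagrant` run without `--development` no longer adds the user to the docker group; if that is intended (docker group membership is root-equivalent, so tying it to dev mode is defensible), the `-v, --vagrant` help text should say so, otherwise only the CA copy should be gated. The test block runs `cd ${T_DIR}` unguarded before the new `${RVM_EXEC} ./run-test.sh`; `cd "${T_DIR}" || exit 1` avoids running `./run-test.sh` from the wrong directory when the path is missing. Leaving `${RVM_EXEC}` unquoted is deliberate so an empty value expands to nothing, which deserves a comment such as `# unquoted on purpose: an empty RVM_EXEC must vanish from the command line`.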