X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c3c1f4261f61bc52dbc8fadad644520797b3f6a6..a86028d71e9560db5055e4fb8741b65675c9fe4b:/tools/salt-install/provision.sh diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index a26b3feaa3..3c5fb41e0f 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -12,6 +12,17 @@ set -o pipefail +_exit_handler() { + local rc="$?" + trap - EXIT + if [ "$rc" -ne 0 ]; then + echo "Error occurred ($rc) while running $0 at line $1 : $BASH_COMMAND" + fi + exit "$rc" +} + +trap '_exit_handler $LINENO' EXIT ERR + # capture the directory that the script is running from SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" @@ -41,13 +52,13 @@ usage() { echo >&2 " -h, --help Display this help and exit" echo >&2 " --dump-config Dumps the pillars and states to a directory" echo >&2 " This parameter does not perform any installation at all. It's" - echo >&2 " intended to give you a parsed sot of configuration files so" + echo >&2 " intended to give you a parsed set of configuration files so" echo >&2 " you can inspect them or use them in you Saltstack infrastructure." echo >&2 " It" echo >&2 " - parses the pillar and states templates," echo >&2 " - downloads the helper formulas with their desired versions," echo >&2 " - prepares the 'top.sls' files both for pillars and states" - echo >&2 " for the selected role/s" + echo >&2 " for the selected role(s)" echo >&2 " - writes the resulting files into " echo >&2 " -v, --vagrant Run in vagrant and use the /vagrant shared dir" echo >&2 " --development Run in dev mode, using snakeoil certs" @@ -189,7 +200,7 @@ WORKBENCH2_EXT_SSL_PORT=3001 SSL_MODE="self-signed" USE_LETSENCRYPT_ROUTE53="no" -CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs" +CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs" ## These are ARVADOS-related parameters # For a stable release, change RELEASE "production" and VERSION to the @@ -251,7 +262,7 @@ if grep -q 'fixme_or_this_wont_work' ${CONFIG_FILE} ; then fi if ! grep -qE '^[[:alnum:]]{5}$' <<<${CLUSTER} ; then - echo >&2 "ERROR: must be exactly 5 alphanumeric characters long" + echo >&2 "ERROR: must be exactly 5 lowercase alphanumeric characters long" echo >&2 "Fix the cluster name in the 'local.params' file and re-run the provision script" exit 1 fi @@ -263,7 +274,7 @@ if [ ! -z "${HOSTNAME_EXT}" ] ; then # Make sure that the value configured as IP_INT is a real IP on the system. # If we don't error out early here when there is a mismatch, the formula will # fail with hard to interpret nginx errors later on. - ip addr list |grep -q "${IP_INT}/" + ip addr list |grep "${IP_INT}/" >/dev/null if [[ $? -ne 0 ]]; then echo "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..." exit 1 @@ -291,7 +302,10 @@ else yum install -y curl git jq ;; "debian"|"ubuntu") - DEBIAN_FRONTEND=noninteractive apt update + # Wait 2 minutes for any apt locks to clear + # This option is supported from apt 1.9.1 and ignored in older apt versions. + # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/ + DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update DEBIAN_FRONTEND=noninteractive apt install -y curl git jq ;; esac @@ -350,9 +364,9 @@ echo "...arvados" git clone --quiet https://git.arvados.org/arvados-formula.git ${F_DIR}/arvados # If we want to try a specific branch of the formula -if [ "x${BRANCH}" != "x" ]; then +if [ "x${BRANCH}" != "x" -a $(git rev-parse --abbrev-ref HEAD) != "${BRANCH}" ]; then ( cd ${F_DIR}/arvados && git checkout --quiet -t origin/"${BRANCH}" -b "${BRANCH}" ) -elif [ "x${ARVADOS_TAG}" != "x" ]; then +elif [ "x${ARVADOS_TAG}" != "x" -a $(git rev-parse --abbrev-ref HEAD) != "${ARVADOS_TAG}" ]; then ( cd ${F_DIR}/arvados && git checkout --quiet tags/"${ARVADOS_TAG}" -b "${ARVADOS_TAG}" ) fi @@ -518,7 +532,7 @@ if [ -d "${F_DIR}"/extra/extra ]; then # Same when using self-signed certificates. SKIP_SNAKE_OIL="dont_add_snakeoil_certs" fi - for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_sudo_passwordless"); do + for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_"); do echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls done # Use byo or self-signed certificates @@ -538,20 +552,23 @@ if [ -z "${ROLES}" ]; then fi grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls else - # Use custom certs, as both bring-your-own and self-signed are copied using this state - # Copy certs to formula extra/files - # In dev mode, the files will be created and put in the destination directory by the - # snakeoil_certs.sls state file mkdir -p /srv/salt/certs - cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/ - # We add the custom_certs state - grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + if [ "${SSL_MODE}" = "bring-your-own" ]; then + # Copy certs to formula extra/files + cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/ + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + fi + # In self-signed mode, the certificate files will be created and put in the + # destination directory by the snakeoil_certs.sls state file fi - echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls echo " - postgres" >> ${S_DIR}/top.sls echo " - docker.software" >> ${S_DIR}/top.sls echo " - arvados" >> ${S_DIR}/top.sls + echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls + echo " - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls + echo " - extra.passenger_rvm" >> ${S_DIR}/top.sls # Pillars echo " - docker" >> ${P_DIR}/top.sls @@ -576,11 +593,27 @@ if [ -z "${ROLES}" ]; then fi grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls - # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them - for c in controller websocket workbench workbench2 webshell download collections keepproxy; do - sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${c}.${CLUSTER}.${DOMAIN}*/g; - s#__CERT_PEM__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; - s#__CERT_KEY__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy") + if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then + hosts+=("download" "collections") + else + hosts+=("keepweb") + fi + + for c in "${hosts[@]}"; do + # Are we in a single-host-single-hostname env? + if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then + # Are we in a single-host-single-hostname env? + CERT_NAME=${HOSTNAME_EXT} + else + # We are in a multiple-hostnames env + CERT_NAME=${c}.${CLUSTER}.${DOMAIN} + fi + + # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \ ${P_DIR}/nginx_${c}_configuration.sls done else @@ -644,6 +677,7 @@ else else echo " - nginx.passenger" >> ${S_DIR}/top.sls fi + echo " - extra.passenger_rvm" >> ${S_DIR}/top.sls ### If we don't install and run LE before arvados-api-server, it fails and breaks everything ### after it. So we add this here as we are, after all, sharing the host for api and controller if [ "${SSL_MODE}" = "lets-encrypt" ]; then @@ -670,6 +704,7 @@ else sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" ${P_DIR}/nginx_passenger.sls ;; "controller" | "websocket" | "workbench" | "workbench2" | "webshell" | "keepweb" | "keepproxy") + NGINX_INSTALL_SOURCE="install_from_repo" # States if [ "${R}" = "workbench" ]; then NGINX_INSTALL_SOURCE="install_from_phusionpassenger" @@ -750,7 +785,7 @@ else s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g; s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \ ${P_DIR}/nginx_${R}_configuration.sls - grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls + grep -q ${R}$ ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls fi fi # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger @@ -759,6 +794,7 @@ else "shell") # States echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls + echo " - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars @@ -794,15 +830,17 @@ fi # Leave a copy of the Arvados CA so the user can copy it where it's required if [ "$DEV_MODE" = "yes" ]; then - echo "Copying the Arvados CA certificate to the installer dir, so you can import it" + ARVADOS_SNAKEOIL_CA_DEST_FILE="${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem" + # If running in a vagrant VM, also add default user to docker group if [ "x${VAGRANT}" = "xyes" ]; then - cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem - echo "Adding the vagrant user to the docker group" usermod -a -G docker vagrant - else - cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + ARVADOS_SNAKEOIL_CA_DEST_FILE="/vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem" + fi + if [ -f /etc/ssl/certs/arvados-snakeoil-ca.pem ]; then + echo "Copying the Arvados CA certificate to the installer dir, so you can import it" + cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${ARVADOS_SNAKEOIL_CA_DEST_FILE} fi fi