diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine
index 8250f07..abd5c4c 100644
--- a/openvoxserver/Containerfile.alpine
+++ b/openvoxserver/Containerfile.alpine
@@ -1,3 +1,7 @@
+ARG OPENVOXSERVER_VERSION=8.10.0
+ARG OPENVOXDB_VERSION=8.10.0
+ARG R10K_VERSION=5.0.0
+
 FROM alpine:3.22 AS base
 # Install JDK
@@ -9,8 +13,8 @@ RUN apk update && apk upgrade \
 FROM base AS build
-ARG OPENVOXSERVER_VERSION=8.10.0
-ARG OPENVOXDB_VERSION=8.10.0
+ARG OPENVOXSERVER_VERSION
+ARG OPENVOXDB_VERSION
 ADD https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /
 ADD https://artifacts.voxpupuli.org/openvoxdb/${OPENVOXDB_VERSION}/openvoxdb-${OPENVOXDB_VERSION}.tar.gz /
@@ -84,7 +88,9 @@ FROM base AS final
 ARG vcs_ref
 ARG build_date
-ARG R10K_VERSION=5.0.0
+ARG build_type
+ARG R10K_VERSION
+ARG OPENVOXSERVER_VERSION
 LABEL org.label-schema.maintainer="Voxpupuli Team " \
 org.label-schema.vendor="OpenVoxProject" \
@@ -105,7 +111,6 @@ ENV AUTOSIGN=true \
 CA_PORT=8140 \
 CERTNAME="" \
 CSR_ATTRIBUTES='{}' \
- DEBIAN_FRONTEND=noninteractive \
 DNS_ALT_NAMES="" \
 ENVIRONMENTPATH=/etc/puppetlabs/code/environments \
 HIERACONFIG='$confdir/hiera.yaml' \
@@ -129,7 +134,6 @@ ENV AUTOSIGN=true \
 OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
 OPENVOXSERVER_PORT=8140 \
 PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
- SSLDIR=/etc/puppetlabs/puppet/ssl \
 USE_OPENVOXDB=true \
 ### build variables
 apps_dir=/opt/puppetlabs/server/apps \
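Review bot: The two `ADD https://artifacts.voxpupuli.org/...tar.gz /` lines in the `FROM base AS build` hunk download the server and db tarballs with no integrity check, and with this change the artifact is selected purely by the `OPENVOXSERVER_VERSION`/`OPENVOXDB_VERSION` build args that any caller can now override. BuildKit's `ADD --checksum=sha256:<expected-digest> <url> /` pins each download to a known digest; keeping the digests next to the version defaults in the new top-of-file `ARG` block makes a version bump and its digest update one edit. I cannot see the rest of the build stage, so if a signature or checksum is verified in a later `RUN`, disregard this.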
@@ -192,6 +196,15 @@ RUN apk update \
 # install puppet gem as library into jruby loadpath
 && puppetserver gem install --no-document openvox
+RUN chown -R puppet:puppet /var/log/puppetlabs/puppetserver/ \
+&& chown -R puppet:puppet /etc/puppetlabs/puppet/ \
+&& chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/ \
+&& chown -R puppet:puppet /etc/puppetlabs/puppetserver/
+
+USER puppet
+RUN install -d -m 0755 ~/.puppetlabs/etc/puppet \
+&& install -d -m 0755 ~/.puppetlabs/etc/puppetserver/ca
+
 # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
diff --git a/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh b/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh
new file mode 100644
index 0000000..02c273a
--- /dev/null
+++ b/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh
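Review bot: Moving the `chown -R puppet:puppet` calls into the image build and deleting `30-set-permissions.sh` means ownership is only fixed for files baked into the layer; anything mounted over `/etc/puppetlabs/puppet`, `/etc/puppetlabs/puppetserver` or `/opt/puppetlabs/server/data/puppetserver` at run time (the comment in `70-set-dns-alt-names.sh` calls `/etc/puppetlabs/puppet` a volume) keeps the ownership it came with, and because `USER puppet` now precedes the entrypoint nothing inside the container can correct it. That is a reasonable trade-off for an unprivileged image, but it should be recorded next to `USER puppet`, e.g. `# Runs unprivileged: mounted volumes must already be writable by the 'puppet' uid (no runtime chown)`, and the run/compose examples should set a matching user or fsGroup. The `~` in the two `install -d` lines also relies on `HOME` being resolved for `puppet` during the build; spelling out the home directory the image actually gives that user would make the paths match what `10-sync-nonroot-config.sh` later writes into `cadir` without depending on that.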
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ # jruby-puppet's master-conf-dir/server-conf-dir and master-code-dir/server-code-dir
+ # need to be the same as confdir and codedir from puppet.conf in order to sync `puppetserver`
+ # and `puppet` defaults.
+ # See "Overriding Puppet settings in Puppet Server" in:
+ # https://help.puppet.com/core//8/Content/PuppetCore/server/puppet_conf_setting_diffs.htm
+ #
+ # "Any changes made to the master-conf-dir and master-code-dir settings absolutely MUST be made
+ # to the corresponding Puppet settings (confdir and codedir) as well to ensure that Puppet Server
+ # and the Puppet CLI tools (such as `puppetserver ca` and `puppet module`) use the same directories."
+ hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-conf-dir $(puppet config print confdir)
+ hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-code-dir $(puppet config print codedir)
+
+
+ # Despite setting the above, `puppet` and `puppetserver ca` still resolve to different CA directories when run as nonroot:
+ # - `puppetserver ca`: defaults to ~/.puppetlabs/etc/puppetserver/ca if run as nonroot and cadir is not set in puppet.conf
+ # - `puppet`: defaults to /etc/puppetlabs/puppetserver/ca by default
+ #
+ # To unify this, explicitly set cadir for nonroot users:
+ puppet config set cadir ~/.puppetlabs/etc/puppetserver/ca
+fi
\ No newline at end of file
diff --git a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
index 390c2f3..b88fd85 100755
--- a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
+++ b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
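Review bot: Both `hocon ... set jruby-puppet.master-conf-dir $(puppet config print confdir)` and the `master-code-dir` line below it pass the command substitution unquoted, so the value is word-split and glob-expanded before `hocon` sees it; write `"$(puppet config print confdir)"` and `"$(puppet config print codedir)"` (ShellCheck SC2046). The file is also added as mode 100644 while every sibling in `container-entrypoint.d/` is 100755; if the entrypoint executes rather than sources these scripts, this one is skipped, so `chmod +x` it or document that sourcing is expected. Because `puppet config set cadir ~/.puppetlabs/etc/puppetserver/ca` hardcodes the directory that `Containerfile.alpine` pre-creates with `install -d`, a one-line comment such as `# must match the directory created for the puppet user in Containerfile.alpine` ties the two together for the next maintainer.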
@@ -7,7 +7,7 @@ set -e
 # default
 TEMPLATES=/var/tmp/puppet
-cd /etc/puppetlabs/puppet
+cd "$(puppet config print confdir)"
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
 [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
 echo "Copying template $f from $TEMPLATES"
diff --git a/openvoxserver/container-entrypoint.d/30-set-permissions.sh b/openvoxserver/container-entrypoint.d/30-set-permissions.sh
deleted file mode 100755
index 9fcf936..0000000
--- a/openvoxserver/container-entrypoint.d/30-set-permissions.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -e
-
-chown -R puppet:puppet /etc/puppetlabs/puppet/
-chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
-chown -R puppet:puppet /etc/puppetlabs/puppetserver/
-chown -R puppet:puppet /var/log/puppetlabs/puppetserver/
diff --git a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
index 072ce6f..f460b5c 100755
--- a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
+++ b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
@@ -3,5 +3,5 @@ set -e
 if test -n "${OPENVOXDB_SERVER_URLS}" ; then
- sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
+ sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
 fi
diff --git a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
index 37b14e3..7dc709f 100755
--- a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
+++ b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
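Review bot: In the `40-update-puppetdb-conf.sh` hunk the new target `$(puppet config print confdir)/puppetdb.conf` is unquoted, so the path is word-split and glob-expanded before `sed -i` receives it, unlike the quoted `cd "$(puppet config print confdir)"` in `20-use-templates-initially.sh` in the same commit; write `sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" "$(puppet config print confdir)/puppetdb.conf"` (ShellCheck SC2046). A failure of `puppet config print` inside that argument is not caught by `set -e` either, so `sed -i` would be handed `/puppetdb.conf`; assigning `confdir=$(puppet config print confdir)` on its own line first makes the failure fatal. Interpolating `${OPENVOXDB_SERVER_URLS}` into the `sed` replacement predates this change, but a value containing `@` or `&` still breaks or alters the expression and is worth a follow-up.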
@@ -7,9 +7,10 @@ config_section=main
 # Allow setting dns_alt_names for the compilers certificate. This
 # setting will only have an effect when the container is started without
 # an existing certificate on the /etc/puppetlabs/puppet volume
+
 if [ -n "${DNS_ALT_NAMES}" ]; then
 certname=$(puppet config print certname)
- if test ! -f "${SSLDIR}/certs/$certname.pem" ; then
+ if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
 puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
 else
 actual=$(puppet config print dns_alt_names --section "${config_section}")
diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
index 3109f31..2a3e5d5 100755
--- a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
+++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
@@ -3,9 +3,10 @@ require 'json'
 require 'yaml'
+target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'
 begin
 csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES']))
- File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml)
+ File.write(target_path, csr_yaml)
 rescue => error
 puts "Error on reading JSON env. Terminating"
 puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"
diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
index 08cab7a..0873783 100755
--- a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
+++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
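Review bot: The comment kept above the new blank line in `70-set-dns-alt-names.sh` still says the setting only takes effect "without an existing certificate on the /etc/puppetlabs/puppet volume", but the condition now tests `$(puppet config print ssldir)/certs/$certname.pem`, which the rest of this commit expects to resolve under the invoking user's home when running unprivileged (inferred from the cadir note in `10-sync-nonroot-config.sh`). Replace the last comment line with `# an existing certificate in "$(puppet config print ssldir)/certs"`. Because `puppet config print ssldir` runs inside the `test` argument, its failure is invisible to `set -e` (assuming the file enables it above the hunk, as its siblings do) and `test ! -f "/certs/..."` would then succeed and overwrite `dns_alt_names`; assigning `ssl_dir=$(puppet config print ssldir)` on its own line, as `90-ca.sh` and `99-log-config.sh` do in this commit, makes the failure fatal.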
@@ -5,8 +5,9 @@ set -e
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
+readonly CSR_PATH=$(puppet config print csr_attributes)
 if [ -n "${CSR_ATTRIBUTES}" ]; then
 echo "CSR Attributes: ${CSR_ATTRIBUTES}"
- /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb"
+ /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
 fi
diff --git a/openvoxserver/container-entrypoint.d/90-ca.sh b/openvoxserver/container-entrypoint.d/90-ca.sh
index 23e79ef..939bb34 100755
--- a/openvoxserver/container-entrypoint.d/90-ca.sh
+++ b/openvoxserver/container-entrypoint.d/90-ca.sh
@@ -20,7 +20,6 @@ EOF
 ssl_ca_cert=$(puppet config print localcacert)
 ssl_crl_path=$(puppet config print hostcrl)
- cd /etc/puppetlabs/puppetserver/conf.d/
 hocon -f webserver.conf set webserver.ssl-cert $ssl_cert
 hocon -f webserver.conf set webserver.ssl-key $ssl_key
@@ -59,7 +58,8 @@ else
 exit 99
 fi
- if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then
+ ca_cert=$(puppet config print cacert)
+ if [[ -f "$ca_cert" ]]; then
 echo "CA already imported."
 else
 puppetserver ca import \
@@ -68,9 +68,10 @@ else
 --private-key $INTERMEDIATE_CA_KEY
 fi
 else
- new_cadir=/etc/puppetlabs/puppetserver/ca
+ new_cadir=$(puppet config print cadir)
+ ssl_dir=$(puppet config print ssldir)
- if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
 # There is no existing CA
 # Append user-supplied DNS Alt Names
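Review bot: `readonly CSR_PATH=$(puppet config print csr_attributes)` lets the exit status of the `readonly` builtin mask a failure of `puppet config print`, so under `set -e` the script carries on with an empty `CSR_PATH` (ShellCheck SC2155); the Ruby helper then receives `""`, which `ARGV[0] || '...'` does not treat as missing because an empty string is truthy in Ruby, and `File.write("", ...)` fails into the rescue branch that prints the misleading "Malformed JSON" message. Split the line into `CSR_PATH=$(puppet config print csr_attributes)` followed by `readonly CSR_PATH`. The two `readonly` lines above have the same shape but predate this change.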
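Review bot: Removing `cd /etc/puppetlabs/puppetserver/conf.d/` in the `@@ -20,7` hunk of `90-ca.sh` leaves the following `hocon -f webserver.conf set ...` calls (and any later `hocon -f` calls in the same block outside the hunk) resolving `webserver.conf` against whatever working directory the entrypoint happens to use, which nothing in this hunk establishes; unless the entrypoint sets it, they fail or edit a file in the wrong place. Pass the absolute path instead, e.g. `hocon -f /etc/puppetlabs/puppetserver/conf.d/webserver.conf set webserver.ssl-cert "$ssl_cert"` and the same for `ssl-key`, which matches the absolute `puppetserver.conf` path `10-sync-nonroot-config.sh` uses and also lets `$ssl_cert`/`$ssl_key` be quoted. The block this hunk sits in starts and ends outside the hunk.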
@@ -87,13 +88,11 @@ else
 # See puppet.conf file for relevant settings
 puppetserver ca setup \
- --ca-name "$ca_name" \
- --config /etc/puppetlabs/puppet/puppet.conf
+ --ca-name "$ca_name"
- elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
 # Legacy CA upgrade
- puppetserver ca migrate \
- --config /etc/puppetlabs/puppet/puppet.conf
- fi
+ puppetserver ca migrate
+ fi
 fi
-fi
+fi
\ No newline at end of file
diff --git a/openvoxserver/container-entrypoint.d/99-log-config.sh b/openvoxserver/container-entrypoint.d/99-log-config.sh
index 0b60df8..8c58677 100755
--- a/openvoxserver/container-entrypoint.d/99-log-config.sh
+++ b/openvoxserver/container-entrypoint.d/99-log-config.sh
@@ -8,18 +8,20 @@ echo "System configuration values:"
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
+ssl_dir=$(puppet config print ssldir)
+
 if [ -n "${CERTNAME}" ]; then
 echo "* CERTNAME: '${CERTNAME}'"
 certname=${CERTNAME}.pem
 else
 echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially."
- if [ ! -d "${SSLDIR}/certs" ]; then
+ if [ ! -d "${ssl_dir}/certs" ]; then
 certname="Not-Found"
- echo "WARNING: No certificates directory found in ${SSLDIR}!"
+ echo "WARNING: No certificates directory found in ${ssl_dir}!"
 else
- certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
+ certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
 if [ -z "${certname}" ]; then
- echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!"
+ echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!"
 fi
 fi
 fi
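Review bot: The rewritten closing `+fi` of `90-ca.sh` now lacks a trailing newline (`\ No newline at end of file`), as does the new `10-sync-nonroot-config.sh`; that is a style regression that turns into noise in every later diff of these files, so restore the newline. Dropping `--config /etc/puppetlabs/puppet/puppet.conf` from both `puppetserver ca setup` and `puppetserver ca migrate` is consistent with the rest of the commit, but it silently changes which `puppet.conf` each command reads depending on the invoking user, so a one-line comment above `puppetserver ca setup`, e.g. `# no --config: let puppetserver resolve puppet.conf via confdir so root and non-root agree`, records the intent. The enclosing `if`/`elif`/`else` chain starts outside the hunk.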
@@ -27,22 +29,22 @@ fi
 echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'"
 echo "* Certname: '${certname}'"
 echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'"
-echo "* SSLDIR: '${SSLDIR}'"
+echo "* SSLDIR: '${ssl_dir}'"
 altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux"
-if [ -f "${SSLDIR}/certs/ca.pem" ]; then
+if [ -f "${ssl_dir}/certs/ca.pem" ]; then
 echo "CA Certificate:"
 # shellcheck disable=SC2086 # $altnames shouldn't be quoted
- openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames
+ openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames
 fi
 if [ -n "${certname}" ]; then
- if [ -f "${SSLDIR}/certs/${certname}" ]; then
+ if [ -f "${ssl_dir}/certs/${certname}" ]; then
 echo "Certificate ${certname}:"
 # shellcheck disable=SC2086 # $altnames shouldn't be quoted
- openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames
+ openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames
 else
- echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!"
+ echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!"
 fi
 fi
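Review bot: `echo "* SSLDIR: '${ssl_dir}'"` keeps the label of the `SSLDIR` environment variable that this commit removes from the Containerfile's `ENV` block, so the log line now names a variable that no longer exists while printing the output of `puppet config print ssldir`; relabel it to what is actually shown, e.g. `echo "* ssldir (puppet config print): '${ssl_dir}'"`. The remaining substitutions in this hunk are mechanical and keep the existing quoting.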