Merge pull request #713 from nsacyber/v3_issue_687

[#687] Fixed mariadb service stop with ACA RPM install
iadgovuser26 2024-03-14 17:17:43 -04:00 committed by GitHub
commit 442bf93419
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 433 additions and 300 deletions


@ -2,7 +2,7 @@ plugins {
id 'application' id 'application'
id 'java' id 'java'
id 'war' id 'war'
id 'com.netflix.nebula.ospackage' version '11.4.0' id 'com.netflix.nebula.ospackage' version '11.8.0'
id 'org.springframework.boot' version '3.0.6' id 'org.springframework.boot' version '3.0.6'
id 'io.spring.dependency-management' version '1.1.0' id 'io.spring.dependency-management' version '1.1.0'
id 'checkstyle' id 'checkstyle'
@ -87,6 +87,13 @@ test {
useJUnitPlatform() useJUnitPlatform()
} }
task buildVersion() {
doLast {
def verFile = new File(projectDir, "build/VERSION")
verFile.write("${jarVersion}")
}
}
ospackage { ospackage {
packageName = 'HIRS_AttestationCA' packageName = 'HIRS_AttestationCA'
os = LINUX os = LINUX
@ -108,10 +115,11 @@ ospackage {
// copy springboot property file // copy springboot property file
into ('/etc/hirs/aca/') { into ('/etc/hirs/aca/') {
from '../HIRS_AttestationCAPortal/src/main/resources/application.properties' from '../HIRS_AttestationCAPortal/src/main/resources/application.properties'
from 'build/VERSION'
} }
// copy setup scripts to /opt/hirs/aca // copy setup scripts to /opt/hirs/aca
into ('/opt/hirs/aca/scripts/') { into ('/opt/hirs/aca/scripts/') {
from '../package/scripts/' from '../package/linux/'
} }
// copy the war file into /opt/hirs/aca // copy the war file into /opt/hirs/aca
into ('/opt/hirs/aca/') { into ('/opt/hirs/aca/') {
@ -120,27 +128,49 @@ ospackage {
fileMode = 0755 fileMode = 0755
} }
// Post Install
postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
// add chrontab to run ACA at boot
postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
// run ACA after install
postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall 'bash /opt/hirs/aca/scripts/aca/check_for_aca.sh'
postInstall 'mkdir -p /etc/hirs/aca && touch /etc/hirs/aca/VERSION'
postInstall "echo ${jarVersion} > /etc/hirs/aca/VERSION"
// Uninstall // Uninstall
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
postUninstall 'rm -rf /etc/hirs' postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
buildRpm { buildRpm {
dependsOn ':HIRS_AttestationCAPortal:buildVersion'
dependsOn ':HIRS_AttestationCAPortal:bootWar'
arch = X86_64 arch = X86_64
// Required apps will be aut installed by dnf if not present
requires('java-17-openjdk', '17.0', GREATER | EQUAL)
requires('mariadb-server' , '10.3' , GREATER | EQUAL)
requires('procps-ng', '3.3.15', GREATER | EQUAL)
requires('alternatives', '1.19', GREATER | EQUAL)
// Post Trans stage (Occurs after required app and postInstall stage)
// Note postInstall wont wait forrequired apps
postTrans 'update-alternatives --set java java-17-openjdk.x86_64'
postTrans 'firewall-cmd --add-port=8443/tcp --permanent'
postTrans 'firewall-cmd --reload'
postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
// add chrontab to run ACA at boot
postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*'
postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install
postTrans 'bash /opt/hirs/aca/scripts/aca/check_for_aca.sh'
} }
buildDeb { buildDeb {
dependsOn ':HIRS_AttestationCAPortal:buildVersion'
dependsOn ':HIRS_AttestationCAPortal:bootWar'
packageName = 'hirs-attestationca' packageName = 'hirs-attestationca'
arch = 'amd64' arch = 'amd64'
requires('openjdk-17-jdk', '17.0', GREATER | EQUAL)
requires('mariadb-server' , '10.3' , GREATER | EQUAL)
requires('curl')
// Install after required packages
postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install
postInstall 'bash /opt/hirs/aca/scripts/aca/check_for_aca.sh'
} }
} }
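Review bot: The crontab line `postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'` (and the deb `postInstall` twin below it) appends unconditionally, so every upgrade or reinstall runs the scriptlet again and leaves a duplicate @reboot entry that would schedule aca_bootRun.sh more than once at boot. Guard the append: `postTrans 'grep -q aca_bootRun.sh /etc/crontab || echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'`. The RPM's `firewall-cmd --add-port=8443/tcp --permanent` has no counterpart in the preUninstall/postUninstall lines shown here, so unless aca_remove_setup.sh (not fully visible) closes it, the port stays open after the package is removed; a matching `--remove-port=8443/tcp --permanent` plus `--reload` in preUninstall would keep install and uninstall symmetric. The ospackage block opens in an earlier hunk.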


@ -1,18 +1,16 @@
# Logging Config (tomcat may have further config) # Logging Config (tomcat may have further config)
logging.level.org.springframework=TRACE logging.level.org.springframework=ERROR
logging.level.org.apache.catalina=TRACE logging.level.org.apache.catalina=ERROR
logging.level.org.springframework.web: TRACE logging.level.org.springframework.web=ERROR
logging.level.org.hibernate: ERROR logging.level.org.hibernate=ERROR
logging.file.path=/var/log/hirs logging.file.path=/var/log/hirs
logging.file.name=hirs.spring.log logging.file.name=HIRS_AttestationCA_Portal.log
# Database Config # Database Config
spring.jpa.hibernate.ddl-auto=update spring.jpa.hibernate.ddl-auto=update
jakarta.persistence.sharedCache.mode = UNSPECIFIED jakarta.persistence.sharedCache.mode = UNSPECIFIED
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
aca.certificates.validity = 3652
# Tomcat Config # Tomcat Config
server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar
server.tomcat.basedir=/opt/embeddedtomcat server.tomcat.basedir=/opt/embeddedtomcat
@ -37,16 +35,6 @@ server.ssl.key-store-type=JKS
server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384 server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
#--server.ssl.key-store-password=123456 # ACA specific default properties
#--server.ssl.trust-store-password=123456 aca.certificates.validity = 3652
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
#jdbc.password = hirspass
#entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
#spring.jpa.hibernate.ddl-auto=update
#spring.jpa.show-sql=true
# DB dfault password.
#spring.datasource.password=hirs_db
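Review bot: Taking the Spring and Catalina loggers straight from TRACE to ERROR in the first hunk also suppresses WARN output, which is where deprecated or misconfigured settings are normally reported, so operators lose those messages along with the trace noise. WARN is the usual production floor: `logging.level.org.springframework=WARN`, `logging.level.org.apache.catalina=WARN`, `logging.level.org.springframework.web=WARN`. The same TRACE-to-ERROR change appears in the Windows application.properties section below.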


@ -1,8 +1,8 @@
# Logging Config (tomcat may have further config) # Logging Config (tomcat may have further config)
logging.level.org.springframework=TRACE logging.level.org.springframework=ERROR
logging.level.org.apache.catalina=TRACE logging.level.org.apache.catalina=ERROR
logging.level.org.springframework.web=TRACE logging.level.org.springframework.web=ERROR
logging.level.org.hibernate=ERROR logging.level.org.hibernate=ERROR
logging.file.path=C:/ProgramData/hirs/log logging.file.path=C:/ProgramData/hirs/log
logging.file.name=hirs.spring.log logging.file.name=hirs.spring.log


@ -5,7 +5,7 @@
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/>
</Console> </Console>
<RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log" <RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log"
filePattern="./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log" > filePattern="/var/log/hirs/HIRS_AttestationCA_Portal-%d{yyyy-MM-dd}-%i.log" >
<PatternLayout> <PatternLayout>
<pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern> <pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
</PatternLayout> </PatternLayout>
@ -18,18 +18,18 @@
<DefaultRolloverStrategy max="10"/> <DefaultRolloverStrategy max="10"/>
</RollingFile> </RollingFile>
</Appenders> </Appenders>
<Loggers> <Loggers>
<Root level = "WARN"> <Root level = "ERROR">
<AppenderRef ref="STDOUT" level="WARN" /> <AppenderRef ref="STDOUT" level="ERROR" />
<AppenderRef ref="FILE"/> <AppenderRef ref="FILE"/>
</Root> </Root>
<SpringProfile name="!development, !production"> <SpringProfile name="!development, !production">
<Logger name="hirs.attestationca" level="trace" /> <Logger name="hirs.attestationca" level="info" />
</SpringProfile> </SpringProfile>
<Logger name="org.hibernate" level="DEBUG" /> <Logger name="org.hibernate" level="ERROR" />
</Loggers> </Loggers>
<!-- prevents an out-of-memory exception caused by the debug logging of very large inserts --> <!-- prevents an out-of-memory exception caused by the debug logging of very large inserts -->
<category name="org.hibernate.event.def.AbstractFlushingEventListener"> <category name="org.hibernate.event.def.AbstractFlushingEventListener">
<priority value="INFO"/> <priority value="ERROR"/>
</category> </category>
</Configuration> </Configuration>
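Review bot: The `<category name="org.hibernate.event.def.AbstractFlushingEventListener">` / `<priority value="ERROR"/>` pair whose value this hunk changes is Log4j 1.x syntax placed outside `<Loggers>`; as far as I can tell Log4j 2 does not recognise either element there and ignores them with a status warning, so the edit has no effect. If that logger is still wanted, express it inside `<Loggers>` as `<Logger name="org.hibernate.event.def.AbstractFlushingEventListener" level="ERROR" />`, and check the package name, since `org.hibernate.event.def` is the Hibernate 3 location and newer Hibernate versions moved the class. With both the Root logger and `org.hibernate` now at ERROR, the separate entry may be redundant anyway.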


@ -87,7 +87,7 @@ if [ $ALG = "RSA" ]; then
ALIAS="hirs_aca_tls_ecc_512_sha384" ALIAS="hirs_aca_tls_ecc_512_sha384"
fi fi
check_for_container check_systemd
start_mysqlsd start_mysqlsd
if [ ! -d "$CERT_PATH" ]; then if [ ! -d "$CERT_PATH" ]; then
@ -122,15 +122,15 @@ keyStore="$CLIENT_DB_P12" "
WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \ WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
--server.ssl.trust-store-password=$hirs_pki_password" --server.ssl.trust-store-password=$hirs_pki_password"
# uncomment to show spring boot and hibernate properties used as gradle argumanets # uncomment to show spring boot and hibernate properties used as gradle arguments
#echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\"" #echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
if [ -z "$USE_WAR" ]; then if [ -z "$USE_WAR" ]; then
echo "Booting the ACA from local build..." echo "Booting the ACA from local build..."
# ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" # ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS"
./gradlew bootRun --args="--spring.config.location=$SPRING_PROP_FILE" ./gradlew bootRun --args="--spring.config.location=$SPRING_PROP_FILE"
else else
echo "Booting the ACA from a war file..." echo "Booting the ACA from a war file..."
# java -jar $WAR_PATH $CONNECTOR_PARAMS$WEB_TLS_PARAMS & # java -jar $WAR_PATH $CONNECTOR_PARAMS$WEB_TLS_PARAMS &
java -jar $WAR_PATH --spring.config.location=$SPRING_PROP_FILE java -jar $WAR_PATH --spring.config.location=$SPRING_PROP_FILE & disown -h
fi fi
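Review bot: `java -jar $WAR_PATH --spring.config.location=$SPRING_PROP_FILE & disown -h` detaches the ACA but leaves its stdout and stderr attached to whatever launched the script — in the RPM postTrans that is the package manager's transaction output — and the script exits 0 whether or not the JVM actually started. Redirect the process output to a file so startup failures are recorded somewhere inspectable, e.g. `java -jar "$WAR_PATH" --spring.config.location="$SPRING_PROP_FILE" >> /var/log/hirs/<aca-log-file> 2>&1 & disown -h` (file name is a placeholder; the properties files already use /var/log/hirs). Quoting `$WAR_PATH` and `$SPRING_PROP_FILE` also keeps paths containing spaces intact. The script continues outside the hunk.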


@ -5,6 +5,7 @@
############################################################################################ ############################################################################################
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null LOG_FILE=/dev/null
CERT_PATH="/etc/hirs/certificates/HIRS/" CERT_PATH="/etc/hirs/certificates/HIRS/"
RSA_PATH=rsa_3k_sha384_certs RSA_PATH=rsa_3k_sha384_certs
@ -83,8 +84,11 @@ echo "Checking HIRS ACA Setup on this device..."
elif [ $ID = 'ubuntu' ]; then elif [ $ID = 'ubuntu' ]; then
echo "Ubuntu distro detected" echo "Ubuntu distro detected"
dpkg -l "hirs-attestationca" > /dev/null dpkg -l "hirs-attestationca" > /dev/null
elif [ $ID = 'rocky' ]; then
echo "Rocky distro detected"
rpm -q --quiet HIRS_AttestationCA
else else
echo "Unsupported OS Distro encountered" echo "$ID OS distro encountered"
fi fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via an OS package on this device" echo "HIRS ACA was installed via an OS package on this device"
@ -97,12 +101,14 @@ echo "Checking HIRS ACA Setup on this device..."
echo "HIRS ACA was NOT installed via an OS package on this device" echo "HIRS ACA was NOT installed via an OS package on this device"
fi fi
check_systemd -p
# Check install setup pki files # Check install setup pki files
if [ ! -d $CERT_PATH ]; then if [ ! -d $CERT_PATH ]; then
check_db_cleared check_db_cleared
echo " $CERT_PATH directory does not exist." echo " $CERT_PATH directory does not exist."
echo " Exiting..." echo " Exiting..."
echo "Please run aca_setup.sh and try again" echo "Please run aca_setup.sh or dnf/apt-get install HIRS_AttestationCA* and try again."
exit 1; exit 1;
fi fi
@ -150,6 +156,12 @@ check_mysql_setup () {
fi fi
if [ ! -z $mysql_admin_password ]; then if [ ! -z $mysql_admin_password ]; then
mysql -u root --password=$mysql_admin_password -e "STATUS;" &> /dev/null
if [ $? -eq 0 ]; then
echo "Mysql Root password verified"
else
echo "Mysql Root password verification failed!"
fi
if [ ! -z "${ARG_VERBOSE}" ]; then if [ ! -z "${ARG_VERBOSE}" ]; then
echo "Mysql status:" echo "Mysql status:"
mysql -u root --password=$mysql_admin_password -e "STATUS;" mysql -u root --password=$mysql_admin_password -e "STATUS;"
@ -170,7 +182,7 @@ check_cert () {
ALL_CERTS_PASSED=false ALL_CERTS_PASSED=false
fi fi
if [ ! -z "${ARG_VERBOSE}" ]; then if [ ! -z "${ARG_VERBOSE}" ]; then
echo " "$RESULT echo " "$RESULTACA_PROP_FILE
fi fi
} }
@ -232,7 +244,7 @@ check_db () {
if [ "$RESULT" == "YES" ]; then if [ "$RESULT" == "YES" ]; then
echo " Mysql Server side TLS is enabled:" echo " Mysql Server side TLS is enabled:"
else else
echo " Mysql Sever side TLS is NOT enabled:" echo " Mysql Server side TLS is NOT enabled:"
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
fi fi
@ -258,7 +270,6 @@ check_db () {
echo "MYSQL Log:" echo "MYSQL Log:"
mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'" mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'"
fi fi
} }
# Check selinux status and files that require specific contexts # Check selinux status and files that require specific contexts
@ -267,32 +278,36 @@ check_selinux () {
echo "Skipping selinux check on ubuntu" echo "Skipping selinux check on ubuntu"
return return
fi fi
SELINUXSTATUS=$(getenforce) command -v setenforce >> /dev/null
DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF) if [ $? -eq 0 ]; then
DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF) SELINUXSTATUS=$(getenforce)
echo "Checking device selinux status..." DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
echo " Selinux is in Enforcing mode." echo "Checking device selinux status..."
if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then
echo " Selinux is in Enforcing mode."
if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct" echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
else else
echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT" echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
fi fi
else else
echo " Selinux is in NOT in Enforcing mode." echo " Selinux is in NOT in Enforcing mode."
fi fi
fi
} }
check_fips () { check_fips () {
echo "Checking FIPS mode on this device..." echo "Checking FIPS mode on this device..."
echo " "$(sysctl -a | grep crypto.fips_enabled) fips=$(sysctl -a 2>&1 | grep crypto.fips_enabled)
echo " "$fips
} }
# Run Checks # Run Checks
check_for_container -p
check_pwds check_pwds
check_pki check_pki
check_mysql_setup check_mysql_setup
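Review bot: The verbose branch of check_cert now reads `echo " "$RESULTACA_PROP_FILE`; bash parses that as the single variable `$RESULTACA_PROP_FILE`, which is unset, so the certificate result line prints nothing — it looks like a paste landed on the end of `$RESULT` and it should be `echo " $RESULT"`. The new `mysql -u root --password=$mysql_admin_password -e "STATUS;" &> /dev/null` in check_mysql_setup follows the file's existing pattern of passing the root password on the command line, where it is visible to every local user in the process list for the lifetime of the command; `MYSQL_PWD` or a `--defaults-extra-file` avoids that, though that is a change across the whole script rather than this hunk. In check_selinux the guard tests `command -v setenforce` but the code then calls `getenforce`; testing for the command actually used is what the guard is for. check_cert, check_mysql_setup and check_selinux each start or end outside the hunks shown.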


@ -8,16 +8,28 @@
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null LOG_FILE=/dev/null
LOG_DIR="/var/log/hirs/"
# Check for Admin privileges # Check for Admin privileges
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "This script requires root. ACA setup not removed. Please run as root." echo "This script requires root. ACA setup not removed. Please run as root."
exit 1 exit 1
fi fi
if [ ! -d "/etc/hirs" ]; then
echo "/etc/hirs does not exist, aborting removal."
exit 1
fi
if [ ! -d "/opt/hirs" ]; then
echo "/opt/hirs does not exist, aborting removal."
exit 1
fi
source $SCRIPT_DIR/../db/mysql_util.sh source $SCRIPT_DIR/../db/mysql_util.sh
# Make sure myswl root password is available and set $DB_ADIM_PWD before continuing... # Make sure mysql root password is available before continuing...
check_mariadb_install
check_mysql_root check_mysql_root
# remove the hrs-db and hirs_db user # remove the hrs-db and hirs_db user
@ -27,8 +39,19 @@ popd &>/dev/null
# remove pki files and config files if not installed by rpm # remove pki files and config files if not installed by rpm
echo "Removing certificates and config files..." echo "Removing certificates and config files..."
if [ ! -d /opt/hirs/aca ]; then
rm -rf /etc/hirs # Remove /opt/hirs only if not configured by a package based install:
if [ -f /opt/hirs/aca/VERSION ]; then
if [ -d "/etc/hirs" ]; then
rm -rf /etc/hirs >/dev/null 2>&1
fi
if [ -d "/opt/hirs" ]; then
rm -rf /opt/hirs >/dev/null 2>&1
fi
fi
if [ -d $LOG_DIR ]; then
rm -rf $LOG_DIR;
fi fi
# Remove crontab and current ACA process # Remove crontab and current ACA process
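Review bot: The comment `# Remove /opt/hirs only if not configured by a package based install:` says the opposite of what the condition under it tests: `if [ -f /opt/hirs/aca/VERSION ]` removes /etc/hirs and /opt/hirs when the marker file is present, and it is the package postTrans/postInstall in build.gradle that deletes that file (`if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;`), so presence means "not a package install". Suggest spelling that out: `# /opt/hirs/aca/VERSION is written by a script-based setup (aca_setup.sh, presumably via $ACA_VERSION_FILE) and deleted by the RPM/deb post-install step; its presence therefore means a script-based install, and only then are /etc/hirs and /opt/hirs removed here — the package manager owns them otherwise.` The unconditional `rm -rf $LOG_DIR` also discards every ACA log on removal; if those logs have audit value, consider leaving them in place or at least stating the deletion in the script's header comment.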


@ -31,8 +31,6 @@ help () {
} }
# Process parameters Argument handling # Process parameters Argument handling
POSITIONAL_ARGS=()
ORIGINAL_ARGS=("$@")
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-sd|--skip-db) -sd|--skip-db)
@ -59,13 +57,23 @@ while [[ $# -gt 0 ]]; do
;; ;;
*) *)
POSITIONAL_ARGS+=("$1") # save positional arg POSITIONAL_ARGS+=("$1") # save positional arg
# shift # past argument # shift # past argumfrom 'build/VERSION'ent
break break
;; ;;
esac esac
done done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters # Check for existing installation folders and exist if found
if [ -z $ARG_UNATTEND ]; then
if [ -d "/etc/hirs" ]; then
echo "/etc/hirs exists, aborting install."
exit 1
fi
if [ -d "/opt/hirs" ]; then
echo "/opt/hirs exists, aborting install."
exit 1
fi
fi
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_JSON_DIR $ACA_OPT_DIR mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_JSON_DIR $ACA_OPT_DIR
touch "$LOG_FILE" touch "$LOG_FILE"
@ -88,8 +96,10 @@ fi
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE" echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
# Create a version file for bootRun to use # Create a version file for bootRun to use
jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD) if command -v git ; then
echo $jarVersion > $ACA_VERSION_FILE jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD)
echo $jarVersion > $ACA_VERSION_FILE
fi
# Set HIRS PKI password # Set HIRS PKI password
if [ -z $HIRS_PKI_PWD ]; then if [ -z $HIRS_PKI_PWD ]; then
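Review bot: The comment on the positional-argument branch now reads `# shift # past argumfrom 'build/VERSION'ent`, a stray paste into the middle of `# shift # past argument`; restore the original wording. `if command -v git ; then` prints the git path to stdout on every run because command -v is not silenced — `if command -v git > /dev/null; then` keeps the output clean. `if [ -z $ARG_UNATTEND ]` only behaves when the variable is empty because `[ -z ]` with a lone -z happens to evaluate true; quote it, `if [ -z "$ARG_UNATTEND" ]; then`, so the test means what it says. Note also that the new directory-exists guard is skipped in unattended mode, which is the mode the package scriptlets use, so an RPM install over a leftover /opt/hirs still proceeds; that may be intended but is worth a comment.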


@ -34,8 +34,8 @@ SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_clien
mkdir -p /etc/hirs/aca/ mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/ mkdir -p /var/log/hirs/
source $SCRIPT_DIR/mysql_util.sh
source $ACA_PROP_FILE source $ACA_PROP_FILE
source $SCRIPT_DIR/mysql_util.sh
source /etc/os-release source /etc/os-release
# Setup distro specifc paths and variables # Setup distro specifc paths and variables
@ -60,7 +60,6 @@ check_mysql_root_pwd () {
if [ -z "$HIRS_MYSQL_ROOT_PWD" ]; then if [ -z "$HIRS_MYSQL_ROOT_PWD" ]; then
# Check if property file exists and look for properties # Check if property file exists and look for properties
if [ -f $ACA_PROP_FILE ]; then if [ -f $ACA_PROP_FILE ]; then
echo "Found existing aca.properties, using existing variables..."
source $ACA_PROP_FILE source $ACA_PROP_FILE
if [ ! -z $hirs_pki_password ]; then PKI_PASS=$hirs_pki_password; fi if [ ! -z $hirs_pki_password ]; then PKI_PASS=$hirs_pki_password; fi
if [ ! -z $mysql_admin_password ]; then HIRS_MYSQL_ROOT_PWD=$mysql_admin_password; fi if [ ! -z $mysql_admin_password ]; then HIRS_MYSQL_ROOT_PWD=$mysql_admin_password; fi
@ -91,6 +90,7 @@ check_mysql_root_pwd () {
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
echo "Using system variable supplied password" | tee -a "$LOG_FILE" echo "Using system variable supplied password" | tee -a "$LOG_FILE"
fi fi
# Make sure root password is correct # Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null); $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -114,12 +114,15 @@ set_mysql_server_tls () {
# Make sure mysql can access them # Make sure mysql can access them
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
# Make selinux contexts for config files, if selinux is enabled # Make selinux contexts for config files, if selinux is enabled
if [ $ID = "rhel" ]; then if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
selinuxenabled command -v selinuxenabled > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file selinuxenabled
restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type if [ $? -eq 0 ]; then
fi #semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file
restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type
fi
fi
fi fi
else else
echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
@ -135,11 +138,14 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY
# Make selinux contexts for config files, if selinux is enabled # Make selinux contexts for config files, if selinux is enabled
if [ $ID = "rhel" ]; then if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
selinuxenabled command -v selinuxenabled > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file selinuxenabled
if [ $? -eq 0 ]; then
#semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONF > /dev/null #adds the context type to file
restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type
fi
fi fi
fi fi
fi fi
@ -158,25 +164,31 @@ set_hirs_db_pwd () {
if [ -z $HIRS_DB_PWD ]; then if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
fi fi
# Add key/values only if they dont exist
echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE if [[ $(grep -c "hirs_db_username" $ACA_PROP_FILE) -eq 0 ]]; then
echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
echo "hibernate.connection.username=hirs_db" >> $SPRING_PROP_FILE fi
echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE if [[ $(grep -c "hirs_db_password" $ACA_PROP_FILE) -eq 0 ]]; then
echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
fi
if [[ $(grep -c "hibernate.connection.username" $SPRING_PROP_FILE) -eq 0 ]]; then
echo "hibernate.connection.username=hirs_db" >> $SPRING_PROP_FILE
fi
if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then
echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE
fi
fi fi
} }
# Create a hirs_db with client side TLS enabled # Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () { create_hirs_db_with_tls () {
# Check if hirs_db not created and create it if it wasn't # Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1 mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create" echo "hirs_db exists, skipping hirs_db create"
else else
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
# mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;"; mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
fi fi
} }
@ -207,18 +219,22 @@ keyStoreType=PKCS12&\
keyStorePassword=$PKI_PASS&\ keyStorePassword=$PKI_PASS&\
keyStore="$CLIENT_DB_P12" " keyStore="$CLIENT_DB_P12" "
echo $CONNECTOR_URL >> $SPRING_PROP_FILE if [[ $(grep -c "hibernate.connection.url" $SPRING_PROP_FILE) -eq 0 ]]; then
echo $CONNECTOR_URL >> $SPRING_PROP_FILE
fi
} }
# HIRS ACA Mysqld processing ... # HIRS ACA Mysqld processing ...
check_systemd -p
check_mariadb_install check_mariadb_install
check_for_container -p
set_mysql_server_tls
set_mysql_client_tls
start_mysqlsd start_mysqlsd
check_mysql check_mysql
check_mysql_root_pwd check_mysql_root_pwd
clear_hirs_user
set_hirs_db_pwd set_hirs_db_pwd
set_mysql_server_tls
set_mysql_client_tls
create_hirs_db_with_tls create_hirs_db_with_tls
create_hibernate_url "RSA" "hirs_db" create_hibernate_url "RSA" "hirs_db"
mysqld_reboot mysqld_reboot
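Review bot: In set_hirs_db_pwd the new `grep -c "hirs_db_password"` guard preserves an existing hirs_db_password line in $ACA_PROP_FILE, but HIRS_DB_PWD is still generated fresh from /dev/urandom whenever the environment variable is empty; unless the part of the function above the hunk loads hirs_db_password from the properties file, a re-run that reaches the `SET PASSWORD FOR 'hirs_db'@'localhost'` branch in create_hirs_db_with_tls sets the database password to the new random value while the properties file and Spring config keep the old one. Reading the stored value before falling back to a random one, `if [ -z "$HIRS_DB_PWD" ] && [ -f $ACA_PROP_FILE ]; then source $ACA_PROP_FILE; HIRS_DB_PWD=$hirs_db_password; fi`, keeps the two in step, mirroring how check_mysql_root_pwd already sources the file. The guards also match substrings, so a commented-out `#hirs_db_password=` line satisfies them; anchoring as `grep -c "^hirs_db_password="` is safer. With `semanage fcontext` commented out, the restorecon-only path relies on the default policy already mapping $DB_SRV_CONF and $DB_CLIENT_CONF to mysqld_etc_t, which aca_check_setup.sh verifies; worth confirming on Rocky now that the rule is no longer added.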


@ -10,6 +10,8 @@ DB_ADMIN_PWD=$1
source $SCRIPT_DIR/mysql_util.sh source $SCRIPT_DIR/mysql_util.sh
source /etc/os-release source /etc/os-release
check_systemd
# Check for sudo or root user, not actually needed but a good idea # Check for sudo or root user, not actually needed but a good idea
if [ "$EUID" -ne 0 ] if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root" then echo "This script requires root. Please run as root"
@ -30,14 +32,11 @@ fi
echo "dropping hirs_db database" echo "dropping hirs_db database"
if pgrep mysqld >/dev/null 2>&1; then mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES" mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';" mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;" echo "hirs_db database and hirs_db user removed"
echo "hirs_db database and hirs_db user removed"
else
echo "mysql is not running. DB was not removed."
fi
# reset the mysql root if the password was left in the properties fiel # reset the mysql root if the password was left in the properties fiel
if [ ! -z $DB_ADMIN_PWD ]; then if [ ! -z $DB_ADMIN_PWD ]; then
@ -56,7 +55,5 @@ grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF
echo "restarting mariadb" echo "restarting mariadb"
mysql -u root -e "SHUTDOWN" mysqld_reboot
sleep 2
check_for_container
start_mysqlsd
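Review bot: Removing the `if pgrep mysqld` guard means the three mysql commands now run even when the server is down, and `echo "hirs_db database and hirs_db user removed"` is printed regardless of whether they succeeded, so a failed drop (server stopped, wrong root password, or the user already absent — `DROP USER` without IF EXISTS errors in that case) is reported as success. Check the outcome of the drop, e.g. `if mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER IF EXISTS 'hirs_db'@'localhost'; DROP DATABASE IF EXISTS hirs_db;"; then echo "hirs_db database and hirs_db user removed"; else echo "hirs_db removal failed; see mysql output above"; fi`. The new `check_systemd` call at the top presumably lets mysqld_reboot pick systemctl versus mysqld_safe; since that function lives in the new mysql_util.sh, the existing `source $SCRIPT_DIR/mysql_util.sh` line must stay above it, which it does here.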

236
package/linux/db/mysql_util.sh Executable file

@ -0,0 +1,236 @@
#!/bin/bash
#####################################################################################
#
# Functions to check mysql and start if not running.
# Also a function for checking if running in a container
#
#####################################################################################
SQL_SERVICE="mariadb"
# Checks to see if systemctl is available
# -p to print status
check_systemd () {
DB_SERVICE=false
PRINT_STATUS=$1
# Check if systemctl is present (not present in a Docker container)
if [[ $(ps --no-headers -o comm 1) == "systemd" ]]; then
systemctl is-active --quiet mariadb
if [[ $? -eq 0 ]]; then
DB_SERVICE=true
fi
fi
if [[ $PRINT_STATUS == "-p" ]] && [[ $DB_SERVICE == "true" ]]; then echo "Systemd:MariaDB service is available" | tee -a "$LOG_FILE"; fi
if [[ $PRINT_STATUS == "-p" ]] && [[ $DB_SERVICE == "false" ]]; then echo "Systemd:MariaDB service is NOT available" | tee -a "$LOG_FILE"; fi
if [ -d /opt/hirs/aca/scripts/db ]; then
MYSQL_DIR="/opt/hirs/aca/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
}
# Check for mysql command line
check_mariadb_install () {
type mysql >/dev/null 2>&1 && installed=true || installed=false
if [ $installed = true ]; then
echo "mysql has been installed"
else
echo "mysql has NOT been installed, aborting install"
exit 1;
fi
}
# Starts mariadb during intial install
start_mysqlsd () {
PRINT_STATUS=$1
PROCESS="mysqld"
source /etc/os-release
if [ $ID = "ubuntu" ]; then
PROCESS="mariadb"
fi
# Make sure log file has correct permissions
chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
if [ $DB_SERVICE = true ]; then
systemctl is-active --quiet mariadb
if [[ $? -ne 0 ]]; then
echo "mariadb service not running , attempting to restart"
systemctl start mariadb >> "$LOG_FILE";
sleep 2
fi
else # Not using Systemd
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c $PROCESS) -eq 0 ]]; then
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb" | tee -a "$LOG_FILE";
/usr/bin/mysql_install_db >> "$LOG_FILE"
chown -R mysql:mysql /var/log/mariadb/
fi
if [[ $PRINT_STATUS == "-p" ]]; then echo "Starting mysql..."; fi
/usr/bin/mysqld_safe --skip-syslog >> "$LOG_FILE" &
chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
echo "Attempting to start mariadb process..." | tee -a "$LOG_FILE";
fi
fi
}
# Basic check for marai db status, attempts restart if not running
check_mysql () {
PROCESS="mysqld"
source /etc/os-release
if [ $ID = "ubuntu" ]; then
PROCESS="mariadb"
fi
echo "Checking mysqld status..."
if [ $DB_SERVICE = true ]; then
systemctl is-active --quiet mariadb
if [[ $? -ne 0 ]]; then
echo "mariadb service not running , attempting to restart"
systemctl start mariadb
fi
else # No systemctl
if [[ $(pgrep -c $PROCESS ) -eq 0 ]]; then
echo "mariadb process not running , attempting to restart"
chown mysql:mysql /var/log/mariadb/mariadb.log >> "$LOG_FILE";
/usr/bin/mysqld_safe --skip-syslog >> "$LOG_FILE" &
fi
fi
if [ $DB_SERVICE = true ]; then
systemctl is-active --quiet mariadb
if [[ $? -eq 0 ]]; then
echo "mariadb service started" | tee -a "$LOG_FILE";
fi
else
# Wait for mysql to start before continuing.
count=1;
if [[ $PRINT_STATUS == "-p" ]]; then echo "Testing mysqld connection..."| tee -a "$LOG_FILE"; fi
until mysqladmin ping -h "localhost" --silent ; do
((count++))
if [[ $count -gt 20 ]]; then
break;
fi
sleep 1;
done
if [[ $count -gt 20 ]]; then
echo "Timed out waiting for Mariadb to respond" | tee -a "$LOG_FILE";
exit 1;
else
echo "Mariadb started" | tee -a "$LOG_FILE";
fi
fi
}
# Check for mysql root password , abort if not available
check_mysql_root () {
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
if [ ! -f /etc/hirs/aca/aca.properties ]; then
echo "aca.properties does not exist." | tee -a "$LOG_FILE";
else
source /etc/hirs/aca/aca.properties;
DB_ADMIN_PWD=$mysql_admin_password
fi
else #HIRS_MYSQL_ROOT_PWD set
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
fi
# Allow user to enter password if not using env variabel or file
if [ -z $DB_ADMIN_PWD ]; then
read -p "Enter mysql root password" DB_ADMIN_PWD
else
DB_ADMIN_PWD=$mysql_admin_password
fi
# Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo "root password verified" | tee -a "$LOG_FILE"
else
echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
echo " ********** ACA Mysql setup aborted ********" ;
exit 1;
fi
}
check_db_cleared () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo " Empty Mysql root password verified" | tee -a "$LOG_FILE"
else
echo " Mysql Root password is not empty" | tee -a "$LOG_FILE";
fi
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
echo " hirs_db user exists" | tee -a "$LOG_FILE";
else
echo " hirs_db user does not exist" | tee -a "$LOG_FILE";
fi
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
echo " hirs_db databse exists" | tee -a "$LOG_FILE";
else
echo " hirs_db database does not exists" | tee -a "$LOG_FILE";
fi
}
clear_hirs_user () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
echo "hirs_db user found and deleted"
fi
fi
}
clear_hirs_db () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
fi
}
wait_for_mysql () {
echo "Waiting for Mariadb..." | tee -a "$LOG_FILE";
count=0
until [ "mysqladmin ping -h localhost --silent" ] || [ "$count" -gt 20 ]; do
((count++))
sleep 1
done
if [[ $count -gt 20 ]]; then
echo "Timed out waiting for Mysqld to respond" | tee -a "$LOG_FILE";
else
echo "Mariadb started" | tee -a "$LOG_FILE";
fi
}
# restart maraidb
mysqld_reboot () {
# reboot mysql server
PROCESS="mysqld"
source /etc/os-release
if [ $ID = "ubuntu" ]; then
PROCESS="mariadb"
fi
echo "Restarting Mariadb ...." | tee -a "$LOG_FILE";
if [ $DB_SERVICE = true ]; then
echo "Shutting down and restarting mysql service" | tee -a "$LOG_FILE";
systemctl stop mariadb >> "$LOG_FILE";
sleep 2
systemctl start mariadb >> "$LOG_FILE";
else # No systemd
echo "Shutting down and restarting mysql process" | tee -a "$LOG_FILE";
mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
sleep 1
# Make sure mysql has stopped
if [[ $(pgrep -c $PROCESS) -ne 0 ]]; then
pkill $PROCESS
fi
chown mysql:mysql /var/log/mariadb/mariadb.log >> "$LOG_FILE";
/usr/bin/mysqld_safe --skip-syslog >> "$LOG_FILE" &
sleep 1
check_mysql
wait_for_mysql
fi
}
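Review bot: `wait_for_mysql` never waits: the loop condition `until [ "mysqladmin ping -h localhost --silent" ] || [ "$count" -gt 20 ]` tests a non-empty string literal, which is always true, so the body never runs and "Mariadb started" is logged immediately even when the server is still down; the command has to be executed, `until mysqladmin ping -h localhost --silent || [ "$count" -gt 20 ]; do`. In `check_mysql_root`, the `else` branch of `if [ -z $DB_ADMIN_PWD ]` reassigns `DB_ADMIN_PWD=$mysql_admin_password`, which throws away a value that came from `HIRS_MYSQL_ROOT_PWD` whenever aca.properties was not sourced, so that branch should simply be removed. The root password is passed on the command line as `-p$DB_ADMIN_PWD` / `--password=$DB_ADMIN_PWD` in `check_mysql_root`, `clear_hirs_user`, `clear_hirs_db` and `mysqld_reboot`, where it is readable by any local user in the process list for the life of the call; supplying it per call as `MYSQL_PWD="$DB_ADMIN_PWD" mysql -u root -e "..."` (or via `--defaults-extra-file`) keeps it out of `ps`, and the interactive prompt should be `read -s -p "Enter mysql root password" DB_ADMIN_PWD` so it is not echoed. Several tests such as `[ $DB_SERVICE = true ]`, `[ $ID = "ubuntu" ]` and `[ -z $HIRS_MYSQL_ROOT_PWD ]` use unquoted variables and raise a test syntax error when the variable is empty or unset, silently taking the else branch; quoting them (`[ "$DB_SERVICE" = true ]`) makes the branching deterministic.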


@ -1,182 +0,0 @@
#!/bin/bash
#####################################################################################
#
# Functions to check mysql and start if not running.
# Also a function for checking if running in a container
#
#####################################################################################
SQL_SERVICE="mariadb"
# Checks to see if running in a container
# -p to print status
check_for_container () {
PRINT_STATUS=$1
# Check if we're in a Docker container
if [[ $(cat /proc/1/cgroup | head -n 1) == *"docker"* ]] || [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is running in a container..." | tee -a "$LOG_FILE"; fi
else
DOCKER_CONTAINER=false
if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is not running in a container..." | tee -a "$LOG_FILE"; fi
fi
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
}
# Check for mysql command line
check_mariadb_install () {
type mysql >/dev/null 2>&1 && installed=true || installed=false
if [ $installed = true ]; then
echo "mysql has been installed"
else
echo "mysql has NOT been installed, aborting install"
exit 1;
fi
}
# Starts mariadb during intial install
start_mysqlsd () {
PRINT_STATUS=$1
PROCESS="mysqld"
source /etc/os-release
if [ $ID = "ubuntu" ]; then
PROCESS="mariadb"
fi
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql $PROCESS) -eq 0 ]]; then
# Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb"
/usr/bin/mysql_install_db >> "$LOG_FILE"
chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
fi
if [[ $PRINT_STATUS == "-p" ]]; then echo "Starting mysql..."; fi
/usr/bin/mysqld_safe --skip-syslog >> "$LOG_FILE" &
chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
echo "Attempting to start mariadb"
else #not a container
systemctl enable $SQL_SERVICE & >> "$LOG_FILE";
systemctl start $SQL_SERVICE & >> "$LOG_FILE";
fi
else # mysql process is running
# check if mysql service is running
if [ ! $DOCKER_CONTAINER = true ]; then
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
if [ $DB_STATUS -eq 0 ]; then
echo "mariadb not running , attempting to restart"
systemctl start mariadb >> "$LOG_FILE";
fi
fi # non container mysql start
fi
}
# Basic check for maria db status, attempts restart if not running
check_mysql () {
PROCESS="mysqld"
source /etc/os-release
if [ $ID = "ubuntu" ]; then
PROCESS="mariadb"
fi
echo "Checking mysqld status..."
if [ $DOCKER_CONTAINER = true ]; then
if [[ $(pgrep -c -u mysql $PROCESS ) -eq 0 ]]; then
echo "mariadb not running , attempting to restart"
chown mysql:mysql /var/log/mariadb/mariadb.log >> "$LOG_FILE";
/usr/bin/mysqld_safe --skip-syslog >> "$LOG_FILE" &
fi
else # not in a container
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
if [ $DB_STATUS -eq 0 ]; then
echo "mariadb not running , attempting to restart"
systemctl start mariadb
fi
fi
# Wait for mysql to start before continuing.
count=1;
if [[ $PRINT_STATUS == "-p" ]]; then echo "Testing mysqld connection..."| tee -a "$LOG_FILE"; fi
until mysqladmin ping -h "localhost" --silent ; do
((count++))
if [[ $count -gt 20 ]]; then
break;
fi
sleep 1;
done
if [[ $count -gt 20 ]]; then
echo "Timed out waiting for Mariadb to respond"
exit 1;
else
echo "Mariadb started"
fi
}
# Check for mysql root password, abort if not available
check_mysql_root () {
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
if [ ! -f /etc/hirs/aca/aca.properties ]; then
echo "aca.properties does not exist."
else
source /etc/hirs/aca/aca.properties;
DB_ADMIN_PWD=$mysql_admin_password
fi
else #HIRS_MYSQL_ROOT_PWD set
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
fi
# Allow user to enter password if not using env variable or file
if [ -z $DB_ADMIN_PWD ]; then
read -p "Enter mysql root password" DB_ADMIN_PWD
else
DB_ADMIN_PWD=$mysql_admin_password
fi
# Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo "root password verified" | tee -a "$LOG_FILE"
else
echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
echo " ********** ACA Mysql setup aborted ********" ;
exit 1;
fi
}
check_db_cleared () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo " Empty root password verified" | tee -a "$LOG_FILE"
else
echo " Mysql Root password is not empty"
fi
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
echo " hirs_db user exists"
else
echo " hirs_db user does not exist"
fi
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
echo " hirs_db databse exists"
else
echo " hirs_db database does not exists"
fi
}
# restart mariadb
mysqld_reboot () {
# reboot mysql server
mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
sleep 2
check_for_container
start_mysqlsd >> "$LOG_FILE";
}