balena-supervisor/entry.sh

#!/bin/sh

set -o errexit

# Start Avahi to allow MDNS lookups and remove
# any pre-defined services
rm -f /etc/avahi/services/*
mkdir -p /var/run/dbus
rm -f /var/run/avahi-daemon/pid
rm -f /var/run/dbus/pid
/etc/init.d/dbus-1 start
/etc/init.d/avahi-daemon start

# If the legacy /tmp/resin-supervisor exists on the host, a container might
# already be using to take an update lock, so we symlink it to the new
# location so that the supervisor can see it
[ -d /mnt/root/tmp/resin-supervisor ] &&
    ( [ -d /mnt/root/tmp/balena-supervisor ] || ln -s ./resin-supervisor /mnt/root/tmp/balena-supervisor )

# Otherwise, if the lockfiles directory doesn't exist
[ -d /mnt/root/tmp/balena-supervisor ] ||
    mkdir -p /mnt/root/tmp/balena-supervisor

# If DOCKER_ROOT isn't set then default it
if [ -z "${DOCKER_ROOT}" ]; then
	DOCKER_ROOT=/mnt/root/var/lib/rce
fi

# Mount the DOCKER_ROOT path equivalent in the container fs
DOCKER_LIB_PATH=${DOCKER_ROOT#/mnt/root}

if [ ! -d "${DOCKER_LIB_PATH}" ]; then
	ln -s "${DOCKER_ROOT}" "${DOCKER_LIB_PATH}"
fi

if [ -z "$DOCKER_SOCKET" ]; then
	export DOCKER_SOCKET=/run/docker.sock
fi

export DBUS_SYSTEM_BUS_ADDRESS="unix:path=/mnt/root/run/dbus/system_bus_socket"

# Include self-signed CAs, should they exist
if [ ! -z "${BALENA_ROOT_CA}" ]; then
	if [ ! -e '/etc/ssl/certs/balenaRootCA.pem' ]; then
		mkdir -p /usr/local/share/ca-certificates
		echo "${BALENA_ROOT_CA}" > /usr/local/share/ca-certificates/balenaRootCA.crt
		update-ca-certificates
	fi
fi

# Mount the host kernel module path onto the expected location
# We need to do this as busybox doesn't support using a custom location
if [ ! -d /lib/modules ]; then
	ln -s /mnt/root/lib/modules /lib/modules
fi
# Now load the ip6_tables kernel module, so we can do filtering on ipv6 addresses
if [ -z "$(cat /proc/config.gz | gunzip | grep CONFIG_IP6_NF_IPTABLES=y || true)" ]; then
  modprobe ip6_tables
fi

exec node /usr/src/app/dist/app.js
Use buildstep to build the supervisor just like a normal resin app 2014-04-27 21:46:59 +00:00			`#!/bin/sh`
Combine scripts 2014-06-10 00:05:16 +00:00
integrate with busybox init system busybox's init uses /etc/inittab for configuration just like sysvinit, however it doesn't use any runlevels. the tty part of inittab is appended to "/dev/", and it becomes connected to the stdout of the spawned process Signed-off-by: Petros Angelatos <petrosagg@gmail.com> 2016-07-06 08:45:32 +00:00			`set -o errexit`
Use buildstep to build the supervisor just like a normal resin app 2014-04-27 21:46:59 +00:00
avahi: Remove default service definitions Removes default 'example' service definitions that are included by Avahi 0.7+. These conflict with our balenaOS advertised services, causing potential issues. Connects-to: #957 Change-type: patch Signed-off-by: Heds Simons <heds@balena.io> 2019-04-05 11:32:06 +00:00			`# Start Avahi to allow MDNS lookups and remove`
			`# any pre-defined services`
			`rm -f /etc/avahi/services/*`
network: Add MDNS support for `.local` domains This requires the initialisation of both DBus and Avahi in the `entry.sh` script to allow resolution via libc. Due to issues with Avahi's `init.d` script, the previous PIDfile is explicitly removed. Connects-to: #712 Change-type: minor Signed-off-by: Heds Simons <heds@resin.io> 2018-07-27 13:18:13 +00:00			`mkdir -p /var/run/dbus`
			`rm -f /var/run/avahi-daemon/pid`
fix: Clear dbus pid file on startup Change-type: patch Signed-off-by: Cameron Diver <cameron@balena.io> 2019-01-29 13:13:05 +00:00			`rm -f /var/run/dbus/pid`
network: Add MDNS support for `.local` domains This requires the initialisation of both DBus and Avahi in the `entry.sh` script to allow resolution via libc. Due to issues with Avahi's `init.d` script, the previous PIDfile is explicitly removed. Connects-to: #712 Change-type: minor Signed-off-by: Heds Simons <heds@resin.io> 2018-07-27 13:18:13 +00:00			`/etc/init.d/dbus-1 start`
			`/etc/init.d/avahi-daemon start`

Add /tmp/balena lock and handover paths and BALENA_ env vars We change the lockfile to /tmp/balena/updates.lock, and the resin-kill-me file to /tmp/balena/handover-complete. In the host, we change to use /tmp/balena-supervisor instead of /tmp/resin-supervisor. We add BALENA_ env vars in addition to the RESIN_ env vars. We keep backwards compatibility by using both paths for the lockfile and handover, and keeping the RESIN_ env vars. Changelog-entry: Move the handover and lock files to /tmp/balena, rename them, and add BALENA_ env vars Change-type: minor Signed-off-by: Pablo Carranza Velez <pablo@resin.io> 2018-10-15 17:05:23 +00:00			`# If the legacy /tmp/resin-supervisor exists on the host, a container might`
			`# already be using to take an update lock, so we symlink it to the new`
			`# location so that the supervisor can see it`
			`[ -d /mnt/root/tmp/resin-supervisor ] &&`
entry.sh: Use symbolic link to link to legacy lock path The lack of `-s` was a typo. Change-type: patch Signed-off-by: Pablo Carranza Velez <pablo@balena.io> 2018-10-23 15:17:35 +00:00			`( [ -d /mnt/root/tmp/balena-supervisor ] \|\| ln -s ./resin-supervisor /mnt/root/tmp/balena-supervisor )`
Add /tmp/balena lock and handover paths and BALENA_ env vars We change the lockfile to /tmp/balena/updates.lock, and the resin-kill-me file to /tmp/balena/handover-complete. In the host, we change to use /tmp/balena-supervisor instead of /tmp/resin-supervisor. We add BALENA_ env vars in addition to the RESIN_ env vars. We keep backwards compatibility by using both paths for the lockfile and handover, and keeping the RESIN_ env vars. Changelog-entry: Move the handover and lock files to /tmp/balena, rename them, and add BALENA_ env vars Change-type: minor Signed-off-by: Pablo Carranza Velez <pablo@resin.io> 2018-10-15 17:05:23 +00:00
			`# Otherwise, if the lockfiles directory doesn't exist`
			`[ -d /mnt/root/tmp/balena-supervisor ] \|\|`
			`mkdir -p /mnt/root/tmp/balena-supervisor`
Use buildstep to build the supervisor just like a normal resin app 2014-04-27 21:46:59 +00:00
Fix entry.sh when DOCKER_ROOT isn't set 2016-06-23 18:07:18 +00:00			`# If DOCKER_ROOT isn't set then default it`
			`if [ -z "${DOCKER_ROOT}" ]; then`
			`DOCKER_ROOT=/mnt/root/var/lib/rce`
			`fi`
integrate with busybox init system busybox's init uses /etc/inittab for configuration just like sysvinit, however it doesn't use any runlevels. the tty part of inittab is appended to "/dev/", and it becomes connected to the stdout of the spawned process Signed-off-by: Petros Angelatos <petrosagg@gmail.com> 2016-07-06 08:45:32 +00:00
Fix entry.sh when DOCKER_ROOT isn't set 2016-06-23 18:07:18 +00:00			`# Mount the DOCKER_ROOT path equivalent in the container fs`
			`DOCKER_LIB_PATH=${DOCKER_ROOT#/mnt/root}`
integrate with busybox init system busybox's init uses /etc/inittab for configuration just like sysvinit, however it doesn't use any runlevels. the tty part of inittab is appended to "/dev/", and it becomes connected to the stdout of the spawned process Signed-off-by: Petros Angelatos <petrosagg@gmail.com> 2016-07-06 08:45:32 +00:00
Fix entry.sh when DOCKER_ROOT isn't set 2016-06-23 18:07:18 +00:00			`if [ ! -d "${DOCKER_LIB_PATH}" ]; then`
			`ln -s "${DOCKER_ROOT}" "${DOCKER_LIB_PATH}"`
symlink docker root to default path if not already there docker-delta uses the docker API to query the docker root location. However, docker returns the path in the host, not the path that it happens to be bind mounted in the supervisor container. So in order for the deltas to work properly, these paths must be the same. Signed-off-by: Petros Angelatos <petrosagg@gmail.com> 2016-06-09 05:15:24 +00:00			`fi`
Replace the gosuper component with a node module that handles communication with systemd, and stop using an init system in the supervisor container Change-Type: patch Signed-off-by: Pablo Carranza Velez <pablo@resin.io> 2018-03-16 14:01:50 +00:00
			`if [ -z "$DOCKER_SOCKET" ]; then`
			`export DOCKER_SOCKET=/run/docker.sock`
			`fi`

			`export DBUS_SYSTEM_BUS_ADDRESS="unix:path=/mnt/root/run/dbus/system_bus_socket"`

Add ability to use self-signed CAs passed via `config.json`. Connects-to: #601 Change-type: minor 2018-03-13 11:41:06 +00:00			`# Include self-signed CAs, should they exist`
			`if [ ! -z "${BALENA_ROOT_CA}" ]; then`
			`if [ ! -e '/etc/ssl/certs/balenaRootCA.pem' ]; then`
			`mkdir -p /usr/local/share/ca-certificates`
			`echo "${BALENA_ROOT_CA}" > /usr/local/share/ca-certificates/balenaRootCA.crt`
			`update-ca-certificates`
			`fi`
			`fi`

Symlink kernel modules and modprobe ip6_tables Change-type: minor Signed-off-by: Cameron Diver <cameron@balena.io> 2019-02-13 10:49:07 +00:00			`# Mount the host kernel module path onto the expected location`
			`# We need to do this as busybox doesn't support using a custom location`
Don't mount /lib/modules if it is already mounted Change-type: patch Signed-off-by: Cameron Diver <cameron@balena.io> 2019-02-14 13:49:03 +00:00			`if [ ! -d /lib/modules ]; then`
			`ln -s /mnt/root/lib/modules /lib/modules`
			`fi`
Symlink kernel modules and modprobe ip6_tables Change-type: minor Signed-off-by: Cameron Diver <cameron@balena.io> 2019-02-13 10:49:07 +00:00			`# Now load the ip6_tables kernel module, so we can do filtering on ipv6 addresses`
Only modprobe ip6_tables if it's necessary If the kernel was built with support for ip6tables, there's no need to load the module. This is the case when running balenaOS in a container in Mac OS, which also can't do modprobes easily. Change-type: patch Signed-off-by: Pablo Carranza Velez <pablo@balena.io> 2019-03-08 01:19:02 +00:00			`if [ -z "$(cat /proc/config.gz \| gunzip \| grep CONFIG_IP6_NF_IPTABLES=y \|\| true)" ]; then`
			`modprobe ip6_tables`
			`fi`
Symlink kernel modules and modprobe ip6_tables Change-type: minor Signed-off-by: Cameron Diver <cameron@balena.io> 2019-02-13 10:49:07 +00:00
Remove node garbage collection flags The introduction of these flags correlates with OOM issues on the supervisor. More investigation is needed into these features before adding them back into production. Change-type: patch Signed-off-by: Cameron Diver <cameron@balena.io> 2018-11-05 12:03:12 +00:00			`exec node /usr/src/app/dist/app.js`