feat(storage-server): add packaging services
arcad/edge/pipeline/pr-master This commit looks good
Details
arcad/edge/pipeline/pr-master This commit looks good
Details
This commit is contained in:
parent
d2472623f2
commit
9f89c89fb9
|
|
@ -84,20 +84,39 @@ nfpms:
|
|||
formats:
|
||||
- apk
|
||||
- deb
|
||||
# contents:
|
||||
# - src: misc/packaging/common/config-agent.yml
|
||||
# dst: /etc/emissary/agent.yml
|
||||
# type: config
|
||||
# - src: misc/packaging/systemd/emissary-agent.systemd.service
|
||||
# dst: /usr/lib/systemd/system/emissary-agent.service
|
||||
# packager: deb
|
||||
# - src: misc/packaging/systemd/emissary-agent.systemd.service
|
||||
# dst: /usr/lib/systemd/system/emissary-agent.service
|
||||
# packager: rpm
|
||||
# - src: misc/packaging/openrc/emissary-agent.openrc.sh
|
||||
# dst: /etc/init.d/emissary-agent
|
||||
# file_info:
|
||||
# mode: 0755
|
||||
# packager: apk
|
||||
# scripts:
|
||||
# postinstall: "misc/packaging/common/postinstall-agent.sh"
|
||||
contents:
|
||||
# Deb
|
||||
- src: misc/packaging/systemd/storage-server.systemd.service
|
||||
dst: /usr/lib/systemd/system/storage-server.service
|
||||
packager: deb
|
||||
- src: misc/packaging/systemd/storage-server.env
|
||||
dst: /etc/storage-server/environ
|
||||
type: config|noreplace
|
||||
file_info:
|
||||
mode: 0640
|
||||
packager: deb
|
||||
|
||||
# APK
|
||||
- src: misc/packaging/openrc/storage-server.openrc.sh
|
||||
dst: /etc/init.d/storage-server
|
||||
file_info:
|
||||
mode: 0755
|
||||
packager: apk
|
||||
- src: misc/packaging/openrc/storage-server.conf
|
||||
type: config|noreplace
|
||||
dst: /etc/conf.d/storage-server
|
||||
file_info:
|
||||
mode: 0640
|
||||
packager: apk
|
||||
- dst: /var/lib/storage-server
|
||||
type: dir
|
||||
file_info:
|
||||
mode: 0700
|
||||
packager: apk
|
||||
- dst: /var/log/storage-server
|
||||
type: dir
|
||||
file_info:
|
||||
mode: 0750
|
||||
packager: apk
|
||||
scripts:
|
||||
postinstall: "misc/packaging/common/postinstall-storage-server.sh"
|
||||
|
|
@ -16,7 +16,8 @@ func NewToken() *cli.Command {
|
|||
Usage: "Generate new authentication token",
|
||||
Flags: []cli.Flag{
|
||||
&cli.StringFlag{
|
||||
Name: "tenant",
|
||||
Name: "tenant",
|
||||
Required: true,
|
||||
},
|
||||
flag.PrivateKey,
|
||||
flag.PrivateKeySigningAlgorithm,
|
||||
|
|
@ -28,6 +29,10 @@ func NewToken() *cli.Command {
|
|||
privateKeyDefaultSize := flag.GetPrivateKeyDefaultSize(ctx)
|
||||
tenant := ctx.String("tenant")
|
||||
|
||||
if tenant == "" {
|
||||
return errors.New("you must provide a value for --tenant flag")
|
||||
}
|
||||
|
||||
privateKey, err := jwtutil.LoadOrGenerateKey(
|
||||
privateKeyFile,
|
||||
privateKeyDefaultSize,
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ const SigningAlgorithmFlagName = "signing-algorithm"
|
|||
|
||||
var PrivateKeySigningAlgorithm = &cli.StringFlag{
|
||||
Name: SigningAlgorithmFlagName,
|
||||
EnvVars: []string{"STORAGE_SERVER_PRIVATE_KEY_SIGNING_ALGORITHM"},
|
||||
EnvVars: []string{"STORAGE_SERVER_SIGNING_ALGORITHM"},
|
||||
Value: jwa.RS256.String(),
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -37,6 +37,7 @@ func Run() *cli.Command {
|
|||
Flags: []cli.Flag{
|
||||
&cli.StringFlag{
|
||||
Name: "address",
|
||||
EnvVars: []string{"STORAGE_SERVER_ADDRESS"},
|
||||
Aliases: []string{"addr"},
|
||||
Value: ":3001",
|
||||
},
|
||||
|
|
|
|||
|
|
@ -0,0 +1,75 @@
|
|||
#!/bin/sh
|
||||
|
||||
use_systemctl="True"
|
||||
systemd_version=0
|
||||
if ! command -V systemctl >/dev/null 2>&1; then
|
||||
use_systemctl="False"
|
||||
else
|
||||
systemd_version=$(systemctl --version | head -1 | cut -d ' ' -f 2)
|
||||
fi
|
||||
|
||||
service_name=storage-server
|
||||
|
||||
cleanup() {
|
||||
if [ "${use_systemctl}" = "False" ]; then
|
||||
rm -f /usr/lib/systemd/system/${service_name}.service
|
||||
else
|
||||
rm -f /etc/chkconfig/${service_name}
|
||||
rm -f /etc/init.d/${service_name}
|
||||
fi
|
||||
}
|
||||
|
||||
cleanInstall() {
|
||||
printf "\033[32m Post Install of an clean install\033[0m\n"
|
||||
if [ "${use_systemctl}" = "False" ]; then
|
||||
if command -V chkconfig >/dev/null 2>&1; then
|
||||
chkconfig --add ${service_name}
|
||||
fi
|
||||
|
||||
service ${service_name} restart || :
|
||||
else
|
||||
if [[ "${systemd_version}" -lt 231 ]]; then
|
||||
printf "\033[31m systemd version %s is less then 231, fixing the service file \033[0m\n" "${systemd_version}"
|
||||
sed -i "s/=+/=/g" /usr/lib/systemd/system/${service_name}.service
|
||||
fi
|
||||
printf "\033[32m Reload the service unit from disk\033[0m\n"
|
||||
systemctl daemon-reload || :
|
||||
printf "\033[32m Unmask the service\033[0m\n"
|
||||
systemctl unmask ${service_name} || :
|
||||
printf "\033[32m Set the preset flag for the service unit\033[0m\n"
|
||||
systemctl preset ${service_name} || :
|
||||
printf "\033[32m Set the enabled flag for the service unit\033[0m\n"
|
||||
systemctl enable ${service_name} || :
|
||||
systemctl restart ${service_name} || :
|
||||
fi
|
||||
}
|
||||
|
||||
upgrade() {
|
||||
printf "\033[32m Post Install of an upgrade\033[0m\n"
|
||||
systemctl daemon-reload || :
|
||||
systemctl restart ${service_name} || :
|
||||
}
|
||||
|
||||
# Step 2, check if this is a clean install or an upgrade
|
||||
action="$1"
|
||||
if [ "$1" = "configure" ] && [ -z "$2" ]; then
|
||||
action="install"
|
||||
elif [ "$1" = "configure" ] && [ -n "$2" ]; then
|
||||
action="upgrade"
|
||||
fi
|
||||
|
||||
case "$action" in
|
||||
"1" | "install")
|
||||
cleanInstall
|
||||
;;
|
||||
"2" | "upgrade")
|
||||
printf "\033[32m Post Install of an upgrade\033[0m\n"
|
||||
upgrade
|
||||
;;
|
||||
*)
|
||||
printf "\033[32m Alpine\033[0m"
|
||||
cleanInstall
|
||||
;;
|
||||
esac
|
||||
|
||||
cleanup
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
export STORAGE_SERVER_ADDRESS=:3001
|
||||
export STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
export STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
export STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
export STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
|
||||
export STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
|
||||
export STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
|
||||
export STORAGE_SERVER_CACHE_TTL=1h
|
||||
export STORAGE_SERVER_CACHE_SIZE=32
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
#!/sbin/openrc-run
|
||||
|
||||
command="/usr/bin/storage-server"
|
||||
command_args=""
|
||||
supervisor=supervise-daemon
|
||||
output_log="/var/log/storage-server.log"
|
||||
error_log="$output_log"
|
||||
|
||||
depend() {
|
||||
need net
|
||||
}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
STORAGE_SERVER_ADDRESS=:3001
|
||||
STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
|
||||
STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
|
||||
STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
|
||||
STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
|
||||
STORAGE_SERVER_CACHE_TTL=1h
|
||||
STORAGE_SERVER_CACHE_SIZE=32
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
[Unit]
|
||||
Description=storage-server service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Restart=on-failure
|
||||
EnvironmentFile=/etc/storage-server/environ
|
||||
ExecStart=/usr/bin/storage-server
|
||||
EnvironmentFile=/etc/storage-server/environ
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
PrivateUsers=yes
|
||||
DynamicUser=yes
|
||||
StateDirectory=storage-server
|
||||
DevicePolicy=closed
|
||||
ProtectSystem=true
|
||||
ProtectHome=read-only
|
||||
ProtectKernelLogs=yes
|
||||
ProtectProc=invisible
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
LockPersonality=yes
|
||||
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_WAKE_ALARM CAP_SYS_TTY_CONFIG
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -6,6 +6,7 @@ import (
|
|||
"github.com/lestrrat-go/jwx/v2/jwa"
|
||||
"github.com/lestrrat-go/jwx/v2/jwk"
|
||||
"github.com/lestrrat-go/jwx/v2/jwt"
|
||||
"github.com/oklog/ulid/v2"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
|
|
@ -16,6 +17,10 @@ func SignedToken(key jwk.Key, signingAlgorithm jwa.SignatureAlgorithm, claims ma
|
|||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := token.Set(jwt.JwtIDKey, ulid.Make().String()); err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
for key, value := range claims {
|
||||
if err := token.Set(key, value); err != nil {
|
||||
return nil, errors.Wrapf(err, "could not set claim '%s' with value '%v'", key, value)
|
||||
|
|
|
|||
Loading…
Reference in New Issue