feat(storage-server): add packaging services
arcad/edge/pipeline/pr-master This commit looks good Details

This commit is contained in:
wpetit 2023-10-02 15:05:18 -06:00
parent d2472623f2
commit 9f89c89fb9
10 changed files with 188 additions and 19 deletions

View File

@ -84,20 +84,39 @@ nfpms:
formats: formats:
- apk - apk
- deb - deb
# contents: contents:
# - src: misc/packaging/common/config-agent.yml # Deb
# dst: /etc/emissary/agent.yml - src: misc/packaging/systemd/storage-server.systemd.service
# type: config dst: /usr/lib/systemd/system/storage-server.service
# - src: misc/packaging/systemd/emissary-agent.systemd.service packager: deb
# dst: /usr/lib/systemd/system/emissary-agent.service - src: misc/packaging/systemd/storage-server.env
# packager: deb dst: /etc/storage-server/environ
# - src: misc/packaging/systemd/emissary-agent.systemd.service type: config|noreplace
# dst: /usr/lib/systemd/system/emissary-agent.service file_info:
# packager: rpm mode: 0640
# - src: misc/packaging/openrc/emissary-agent.openrc.sh packager: deb
# dst: /etc/init.d/emissary-agent
# file_info: # APK
# mode: 0755 - src: misc/packaging/openrc/storage-server.openrc.sh
# packager: apk dst: /etc/init.d/storage-server
# scripts: file_info:
# postinstall: "misc/packaging/common/postinstall-agent.sh" mode: 0755
packager: apk
- src: misc/packaging/openrc/storage-server.conf
type: config|noreplace
dst: /etc/conf.d/storage-server
file_info:
mode: 0640
packager: apk
- dst: /var/lib/storage-server
type: dir
file_info:
mode: 0700
packager: apk
- dst: /var/log/storage-server
type: dir
file_info:
mode: 0750
packager: apk
scripts:
postinstall: "misc/packaging/common/postinstall-storage-server.sh"

View File

@ -17,6 +17,7 @@ func NewToken() *cli.Command {
Flags: []cli.Flag{ Flags: []cli.Flag{
&cli.StringFlag{ &cli.StringFlag{
Name: "tenant", Name: "tenant",
Required: true,
}, },
flag.PrivateKey, flag.PrivateKey,
flag.PrivateKeySigningAlgorithm, flag.PrivateKeySigningAlgorithm,
@ -28,6 +29,10 @@ func NewToken() *cli.Command {
privateKeyDefaultSize := flag.GetPrivateKeyDefaultSize(ctx) privateKeyDefaultSize := flag.GetPrivateKeyDefaultSize(ctx)
tenant := ctx.String("tenant") tenant := ctx.String("tenant")
if tenant == "" {
return errors.New("you must provide a value for --tenant flag")
}
privateKey, err := jwtutil.LoadOrGenerateKey( privateKey, err := jwtutil.LoadOrGenerateKey(
privateKeyFile, privateKeyFile,
privateKeyDefaultSize, privateKeyDefaultSize,

View File

@ -22,7 +22,7 @@ const SigningAlgorithmFlagName = "signing-algorithm"
var PrivateKeySigningAlgorithm = &cli.StringFlag{ var PrivateKeySigningAlgorithm = &cli.StringFlag{
Name: SigningAlgorithmFlagName, Name: SigningAlgorithmFlagName,
EnvVars: []string{"STORAGE_SERVER_PRIVATE_KEY_SIGNING_ALGORITHM"}, EnvVars: []string{"STORAGE_SERVER_SIGNING_ALGORITHM"},
Value: jwa.RS256.String(), Value: jwa.RS256.String(),
} }

View File

@ -37,6 +37,7 @@ func Run() *cli.Command {
Flags: []cli.Flag{ Flags: []cli.Flag{
&cli.StringFlag{ &cli.StringFlag{
Name: "address", Name: "address",
EnvVars: []string{"STORAGE_SERVER_ADDRESS"},
Aliases: []string{"addr"}, Aliases: []string{"addr"},
Value: ":3001", Value: ":3001",
}, },

View File

@ -0,0 +1,75 @@
#!/bin/sh
use_systemctl="True"
systemd_version=0
if ! command -V systemctl >/dev/null 2>&1; then
use_systemctl="False"
else
systemd_version=$(systemctl --version | head -1 | cut -d ' ' -f 2)
fi
service_name=storage-server
cleanup() {
if [ "${use_systemctl}" = "False" ]; then
rm -f /usr/lib/systemd/system/${service_name}.service
else
rm -f /etc/chkconfig/${service_name}
rm -f /etc/init.d/${service_name}
fi
}
cleanInstall() {
printf "\033[32m Post Install of an clean install\033[0m\n"
if [ "${use_systemctl}" = "False" ]; then
if command -V chkconfig >/dev/null 2>&1; then
chkconfig --add ${service_name}
fi
service ${service_name} restart || :
else
if [[ "${systemd_version}" -lt 231 ]]; then
printf "\033[31m systemd version %s is less then 231, fixing the service file \033[0m\n" "${systemd_version}"
sed -i "s/=+/=/g" /usr/lib/systemd/system/${service_name}.service
fi
printf "\033[32m Reload the service unit from disk\033[0m\n"
systemctl daemon-reload || :
printf "\033[32m Unmask the service\033[0m\n"
systemctl unmask ${service_name} || :
printf "\033[32m Set the preset flag for the service unit\033[0m\n"
systemctl preset ${service_name} || :
printf "\033[32m Set the enabled flag for the service unit\033[0m\n"
systemctl enable ${service_name} || :
systemctl restart ${service_name} || :
fi
}
upgrade() {
printf "\033[32m Post Install of an upgrade\033[0m\n"
systemctl daemon-reload || :
systemctl restart ${service_name} || :
}
# Step 2, check if this is a clean install or an upgrade
action="$1"
if [ "$1" = "configure" ] && [ -z "$2" ]; then
action="install"
elif [ "$1" = "configure" ] && [ -n "$2" ]; then
action="upgrade"
fi
case "$action" in
"1" | "install")
cleanInstall
;;
"2" | "upgrade")
printf "\033[32m Post Install of an upgrade\033[0m\n"
upgrade
;;
*)
printf "\033[32m Alpine\033[0m"
cleanInstall
;;
esac
cleanup

View File

@ -0,0 +1,9 @@
export STORAGE_SERVER_ADDRESS=:3001
export STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
export STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
export STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
export STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
export STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
export STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
export STORAGE_SERVER_CACHE_TTL=1h
export STORAGE_SERVER_CACHE_SIZE=32

View File

@ -0,0 +1,11 @@
#!/sbin/openrc-run
command="/usr/bin/storage-server"
command_args=""
supervisor=supervise-daemon
output_log="/var/log/storage-server.log"
error_log="$output_log"
depend() {
need net
}

View File

@ -0,0 +1,9 @@
STORAGE_SERVER_ADDRESS=:3001
STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
STORAGE_SERVER_CACHE_TTL=1h
STORAGE_SERVER_CACHE_SIZE=32

View File

@ -0,0 +1,35 @@
[Unit]
Description=storage-server service
After=network.target
[Service]
Type=simple
Restart=on-failure
EnvironmentFile=/etc/storage-server/environ
ExecStart=/usr/bin/storage-server
EnvironmentFile=/etc/storage-server/environ
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
DynamicUser=yes
StateDirectory=storage-server
DevicePolicy=closed
ProtectSystem=true
ProtectHome=read-only
ProtectKernelLogs=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_WAKE_ALARM CAP_SYS_TTY_CONFIG
[Install]
WantedBy=multi-user.target

View File

@ -6,6 +6,7 @@ import (
"github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwk"
"github.com/lestrrat-go/jwx/v2/jwt" "github.com/lestrrat-go/jwx/v2/jwt"
"github.com/oklog/ulid/v2"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -16,6 +17,10 @@ func SignedToken(key jwk.Key, signingAlgorithm jwa.SignatureAlgorithm, claims ma
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
if err := token.Set(jwt.JwtIDKey, ulid.Make().String()); err != nil {
return nil, errors.WithStack(err)
}
for key, value := range claims { for key, value := range claims {
if err := token.Set(key, value); err != nil { if err := token.Set(key, value); err != nil {
return nil, errors.Wrapf(err, "could not set claim '%s' with value '%v'", key, value) return nil, errors.Wrapf(err, "could not set claim '%s' with value '%v'", key, value)