diff --git a/pkg/deploy/generator/scripts/gatewayVMSS.sh b/pkg/deploy/generator/scripts/gatewayVMSS.sh
index 40bcbee2f6b..b9cfb3a9e08 100644
--- a/pkg/deploy/generator/scripts/gatewayVMSS.sh
+++ b/pkg/deploy/generator/scripts/gatewayVMSS.sh
@@ -147,8 +147,11 @@ RPIMAGE='$rpimage'"
 reboot_vm
 }
+# export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"
 export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"
+# util="util.sh"
+#
 # util.sh does not exist when deployed to VMSS via VMSS extensions
 # Provides shellcheck definitions
 util="util.sh"
diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
index 846cfbbcefd..dcfd9007c09 100644
--- a/pkg/deploy/generator/scripts/rpVMSS.sh
+++ b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -8,10 +8,12 @@ main() {
 # transaction attempt retry time in seconds
 # shellcheck disable=SC2034
 local -ri retry_wait_time=30
- local -ri pkg_retry_count=60
 create_required_dirs
+ configure_sshd
+
+ local -ri pkg_retry_count=60
 configure_rpm_repos retry_wait_time \
 "$pkg_retry_count"
@@ -53,10 +55,16 @@ main() {
 # shellcheck disable=SC2153 disable=SC2034
 local -r mdmimage="${RPIMAGE%%/*}/${MDMIMAGE#*/}"
 local -r rpimage="$RPIMAGE"
+
+ # shellcheck disable=SC2034
 local -r miseimage="${RPIMAGE%%/*}/${MISEIMAGE#*/}"
+
+ # shellcheck disable=SC2034
 local -r otelimage="$OTELIMAGE"
+ # shellcheck disable=SC2034
 local -r fluentbit_image="$FLUENTBITIMAGE"
+ # shellcheck disable=SC2034
 local -rA aro_images=(
 ["mdm"]="mdmimage"
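Review bot: The added `# export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"` and `# util="util.sh"` comments repeat the statement directly beneath them verbatim, so they add no information and go stale the first time that line is edited; in rpVMSS.sh (hunk -214) the same comment is also inserted between the variable's existing three-line explanation and the code, so the explanation now reads as belonging to the echoed comment. The same verbatim-echo pattern is applied to the `declare -r` constants in util-common.sh (hunk -1), to the `util_common=` line in util-packages.sh (hunk -112) and util-services.sh (hunks -1021, -1048), and to every `util_*=` line in util.sh. Suggest keeping the `name()` header only on function definitions and dropping the echoed assignment lines, or replacing each with a sentence that says something the code does not, e.g. `# AZURE_CLOUD_NAME is read by az-cli`.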
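Review bot: `configure_sshd` is moved ahead of `configure_rpm_repos` and `pkg_retry_count` is pulled down next to its first use, but nothing in the hunk says why sshd must now be configured before package setup; since configure_sshd (util-system.sh in this same diff) turns on PasswordAuthentication for VMSS Access JIT, the ordering decides how early that setting is live during bootstrap and deserves a one-line comment, e.g. `# configure sshd first so JIT access is available while the long-running package steps execute` — assuming that is the motivation. If the move of `local -ri pkg_retry_count=60` is only cosmetic, keeping it beside `retry_wait_time` keeps the existing shellcheck note covering both constants. The rest of main() is outside the hunk.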
@@ -214,11 +222,15 @@ MSI_RP_ENDPOINT='$MSIRPENDPOINT'
 reboot_vm
 }
+# export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"
+#
 # This variable is used by az-cli
 # It's assumed that if this variable hasn't been carried over, that others are also not present, so we fail early by returning an error
 # This was mostly helpful when testing on a development VM, but is still applicable
 export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"
+# util="util.sh"
+#
 # util.sh does not exist when deployed to VMSS via VMSS extensions
 # Provides shellcheck definitions
 util="util.sh"
diff --git a/pkg/deploy/generator/scripts/util-common.sh b/pkg/deploy/generator/scripts/util-common.sh
index a78a4dbf589..8a23a7f01d2 100644
--- a/pkg/deploy/generator/scripts/util-common.sh
+++ b/pkg/deploy/generator/scripts/util-common.sh
@@ -1,37 +1,96 @@
 #!/bin/bash
 # Internal Functions and Constants
-# empty_str - constant; used by functions for optional nameref string arguements
-# empty_str=""
+# declare -r empty_str=""
+#
+# empty_str - constant
+# * used by functions for optional nameref string arguments
 # shellcheck disable=SC2034
 declare -r empty_str=""
-# role_gateway - constant; Is used to determine which VMSS is being bootstrapped
+# declare -r role_gateway="gateway"
+#
 # this should be referenced by scripts sourcing this file
 # role_gateway="gateway"
 declare -r role_gateway="gateway"
-# role_rp - constant; Is used to determine which VMSS is being bootstrapped
+
+# declare -r role_rp="rp"
+#
 # this should be referenced by scripts sourcing this file
 # role_rp="rp"
 declare -r role_rp="rp"
-# role_devproxy - constant; Is used to determine which VMSS is being bootstrapped
-# role_devproxy="devproxy"
+
+# declare -r role_devproxy="devproxy"
+#
+# role_devproxy - constant
+# * Is used to determine which VMSS is being bootstrapped
 declare -r role_devproxy="devproxy"
-# us_gov_cloud - constant; Is the name of AZURECLOUDNAME for US government cloud
-# us_gov_cloud="AzureUSGovernment"
+
+# declare -r us_gov_cloud="AzureUSGovernment"
+#
+# us_gov_cloud - constant
+# * Is the name of AZURECLOUDNAME for US government cloud
 declare -r us_gov_cloud="AzureUSGovernment"
-# log is a wrapper for echo that includes the function name
-# Args
-# 1) msg - string
-# 2) stack_level - int; optional, defaults to the function at the bottom of the call stack
+# declare -i XTRACE_IS_SET
+#
+# Global variable used to keep track of if xtrace was/is set.
+declare -i XTRACE_IS_SET
+
+# declare -i XTRACE_SET=1
+#
+# constant value used to set XTRACE_IS_SET
+declare -ir XTRACE_SET=1
+
+# declare -i XTRACE_UNSET=0
+#
+# constant value used to set XTRACE_IS_SET
+declare -ir XTRACE_UNSET=0
+
+# xtrace_set_capture()
+#
+# Captures if xtrace is set in the current shell using global variable XTRACE_IS_SET.
+# * Used for reapplying xtrace setting after disabling.
+# * Sets XTRACE_IS_SET=XTRACE_SET (if true) or XTRACE_IS_SET=XTRACE_UNSET (if false).
+xtrace_set_capture() {
+ [[ $- =~ "x" ]] && XTRACE_IS_SET=$XTRACE_SET || XTRACE_IS_SET=$XTRACE_UNSET
+}
+
+# xtrace_unset()
+#
+# Un-sets xtrace (if set)
+xtrace_unset() {
+ if (( XTRACE_IS_SET == XTRACE_SET )); then
+ set +x
+ fi
+}
+
+# xtrace_set()
+#
+# Restores xtrace to state captured by xtrace_set_capture (if it was set)
+xtrace_set() {
+ if (( XTRACE_IS_SET == XTRACE_SET )); then
+ set -x
+ fi
+}
+
+# log()
+#
+# Wrapper for echo that includes the function name
+# args:
+# 1) msg - string
+# 2) stack_level - int
+# * optional
+# * defaults to the function at the bottom of the call stack
 log() {
 local -r msg="${1:-"log message is empty"}"
 local -r stack_level="${2:-1}"
 echo "${FUNCNAME[${stack_level}]}: ${msg}"
 }
-# abort is a wrapper for log that exits with an error code
+# abort()
+#
+# Wrapper for log that exits with an error code
 abort() {
 local -ri origin_stacklevel=2
 log "${1}" "$origin_stacklevel"
@@ -39,11 +98,13 @@ abort() {
 exit 1
 }
-# write_file
-# Args
-# 1) filename - string
-# 2) file_contents - string
-# 3) clobber - boolean; optional - defaults to false
+# write_file()
+#
+# args:
+# 1) filename - string
+# 2) file_contents - string
+# 3) clobber - boolean
+# * Optional; defaults to false
 write_file() {
 local -n filename="$1"
 local -n file_contents="$2"
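Review bot: `xtrace_set_capture` stores the state in one global, so if a function captures while an outer caller has already run `xtrace_unset`, it records XTRACE_UNSET and the outer `xtrace_set` then leaves tracing off for the rest of the script; the helpers only work when capture/unset/set sequences never nest, which the later pull_container_images and configure_certs_* hunks appear to honour but nothing enforces. State that contract in the header, e.g. `# * Not re-entrant: XTRACE_IS_SET is a single flag, so capture/unset/set sequences must not nest`, or replace the flag with a depth counter that `xtrace_set` only restores at depth zero. `declare -i XTRACE_IS_SET` is declared without a value, so an `xtrace_unset` before any capture compares an unset name — harmless in plain bash but likely to abort under `set -u` — and initialising it (`declare -i XTRACE_IS_SET=0`) costs nothing. Style: `[[ $- =~ "x" ]] && A || B` is the and-or idiom; an `if`/`else` with the glob form `[[ $- == *x* ]]` says the same thing plainly.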
@@ -58,11 +119,16 @@ write_file() {
 fi
 }
-# retry Adding retry logic to yum commands in order to avoid stalling out on resource locks
+# retry()
+#
+# Add retry logic to commands in order to avoid stalling out on resource locks
 # args:
-# 1) cmd_retry - nameref, array; Command and arguement(s) to retry
-# 2) wait_time - nameref, integer; Time to wait before retrying command
-# 3) retries - integer, optional; Ammount of times to retry command, defaults to 5
+# 1) cmd_retry - nameref, array
+# * Command and argument(s) to retry
+# 2) wait_time - nameref, integer
+# * Time to wait before retrying command
+# 3) retries - integer, optional
+# * Amount of times to retry command, defaults to 5
 retry() {
 local -n cmd_retry="$1"
 local -n wait_time="$2"
@@ -81,9 +147,11 @@ retry() {
 abort "${cmd_retry[*]} failed after #$retries attempts"
 }
-# verify_role
+# verify_role()
+#
 # args:
-# 1) test_role - nameref; role being verified
+# 1) test_role - nameref
+# * role being verified
 verify_role() {
 local -n test_role="$1"
@@ -95,11 +163,15 @@ verify_role() {
 fi
 }
-# get_keyvault_suffix
+# get_keyvault_suffix()
+#
 # args:
-# 1) rl - nameref, string; role to get short role for
-# 2) kv_suffix - nameref, string; short role will be assigned to this nameref
-# 3) sec_prefix - nameref, string; keyvault certificate prefix will be assigned to this nameref
+# 1) rl - nameref, string
+# * role to get short role for
+# 2) kv_suffix - nameref, string
+# * short role will be assigned to this nameref
+# 3) sec_prefix - nameref, string
+# * keyvault certificate prefix will be assigned to this nameref
 get_keyvault_suffix() {
 local -n rl="$1"
 local -n kv_suffix="$2"
@@ -118,14 +190,16 @@ get_keyvault_suffix() {
 sec_prefix="$role_rp"
 ;;
 *)
- abort "unkown role $rl"
+ abort "unknown role $rl"
 ;;
 esac
 }
+# reboot_vm()
+#
 # reboot_vm restores calls shutdown -r in a subshell
-# Reboots should scheduled after all VM extensions have had time to complete
-# Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#tips
+# * Reboots should scheduled after all VM extensions have had time to complete
+# * Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#tips
 reboot_vm() {
 log "starting"
diff --git a/pkg/deploy/generator/scripts/util-packages.sh b/pkg/deploy/generator/scripts/util-packages.sh
index 95102ba25d1..b8d37cdf198 100644
--- a/pkg/deploy/generator/scripts/util-packages.sh
+++ b/pkg/deploy/generator/scripts/util-packages.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 # Repository and package management related functions
+# configure_repo_mariner_extended()
 configure_repo_mariner_extended() {
 local -r extended_repo_config="https://packages.microsoft.com/cbl-mariner/2.0/prod/extended/x86_64/config.repo"
 curl -sSL "$extended_repo_config" -o /etc/yum.repos.d/mariner-extended.repo
@@ -19,10 +20,13 @@ configure_repo_mariner_extended() {
 }
 # configure_rpm_repos
+#
 # New repositories should be added in their own functions, and called here
 # args:
-# 1) wait_time - nameref, integer; Time to wait before retrying command
-# 2) retries - integer, optional; Amount of times to retry command, defaults to 5
+# 1) wait_time - nameref, integer
+# * Time to wait before retrying command
+# 2) retries - integer, optional
+# * Amount of times to retry command, defaults to 5
 configure_rpm_repos() {
 log "starting"
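Review bot: The rewritten reboot_vm header keeps the wording slip from the old line it replaces, `# * Reboots should scheduled after all VM extensions have had time to complete`, and leaves the context line above it (`reboot_vm restores calls shutdown -r in a subshell`) unread; since this hunk already reformats the header, fix both while here, e.g. `# reboot_vm calls shutdown -r in a subshell` and `# * Reboots should be scheduled after all VM extensions have had time to complete`. The function body is outside the hunk.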
@@ -30,10 +34,14 @@ configure_rpm_repos() {
 }
 # dnf_install_pkgs
+#
 # args:
-# 1) pkgs - nameref, string array; Packages to be installed
-# 2) wait_time - nameref, integer; Time to wait before retrying command
-# 3) retries - integer, optional; Amount of times to retry command, defaults to 5
+# 1) pkgs - nameref, string array
+# * Packages to be installed
+# 2) wait_time - nameref, integer
+# * Time to wait before retrying command
+# 3) retries - integer, optional
+# * Amount of times to retry command, defaults to 5
 dnf_install_pkgs() {
 local -n pkgs="$1"
 log "starting"
@@ -55,11 +63,15 @@ dnf_install_pkgs() {
 # dnf_update_pkgs
+#
 # args:
-# 1) excludes - nameref, string array, optional; Packages to exclude from updating
-# Each index must be prefixed with -x
-# 2) wait_time - nameref, integer; Time to wait before retrying command
-# 3) retries - integer, optional; Ammount of times to retry command, defaults to 5
+# 1) excludes - nameref, string array, optional
+# * Packages to exclude from updating
+# * Each index must be prefixed with -x
+# 2) wait_time - nameref, integer
+# * Time to wait before retrying command
+# 3) retries - integer, optional
+# * Amount of times to retry command, defaults to 5
 dnf_update_pkgs() {
 local -n excludes="${1:-empty_str}"
 log "starting"
@@ -87,9 +99,12 @@ dnf_update_pkgs() {
 }
 # rpm_import_keys
+#
 # args:
-# 1) keys - nameref, string array; rpm keys to be imported
-# 2) wait_time - nameref, integer; Time to wait before retrying command
+# 1) keys - nameref, string array
+# * rpm keys to be imported
+# 2) wait_time - nameref, integer
+# * Time to wait before retrying command
 rpm_import_keys() {
 local -n keys="$1"
 log "starting"
@@ -112,6 +127,8 @@ rpm_import_keys() {
 done
 }
+# util_common="util-common.sh"
+#
 # util-common.sh does not exist when deployed to VMSS via VMSS extensions
 # Provides shellcheck definitions
 util_common="util-common.sh"
diff --git a/pkg/deploy/generator/scripts/util-services.sh b/pkg/deploy/generator/scripts/util-services.sh
index b4f3ee9179a..56a57dbd426 100644
--- a/pkg/deploy/generator/scripts/util-services.sh
+++ b/pkg/deploy/generator/scripts/util-services.sh
@@ -1,9 +1,12 @@
 #!/bin/bash
 # ARO service setup functions
-# enable_services enables the systemd services that are passed in
+# enable_services
+#
+# enables the systemd services that are passed in
 # args:
-# 1) services - array; services to be enabled
+# * 1) services - array
+# * services to be enabled
 enable_services() {
 local -n svcs="$1"
 log "starting"
@@ -21,11 +24,16 @@ enable_services() {
 }
 # configure_service_aro_gateway
+#
 # args:
-# 1) image - nameref, string; container image
-# 2) role - nameref, string; VMSS role
-# 3) conf_file - nameref, string; aro gateway environment file
-# 4) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) image - nameref, string
+# * container image
+# 2) role - nameref, string
+# * VMSS role
+# 3) conf_file - nameref, string
+# * aro gateway environment file
+# 4) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_gateway() {
 local -n image="$1"
 local -n role="$2"
@@ -34,6 +42,7 @@ configure_service_aro_gateway() {
 log "starting"
 log "Configuring aro-gateway service"
+ # shellcheck disable=SC2034
 local -r aro_gateway_conf_filename='/etc/sysconfig/aro-gateway'
 local -r add_conf_file="PODMAN_NETWORK='podman'
 IPADDRESS='$ipaddress'
@@ -47,6 +56,7 @@ ARO_LOG_LEVEL='$GATEWAYLOGLEVEL'"
 local -r aro_gateway_service_filename='/etc/systemd/system/aro-gateway.service'
 # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_gateway_service_file='[Unit]
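Review bot: The new argument list for enable_services bullets both the parameter line and its description (`# * 1) services - array` / `# * services to be enabled`), while every other header in this diff — configure_service_aro_gateway just below, retry and write_file in util-common.sh — writes the parameter as `# 1) name - type` and reserves `# *` for the indented description; configure_service_aro_rp (hunk -92), configure_service_aro_portal (hunk -273) and get_boot_dev_uuid in util-system.sh (hunk -2) carry the same double-bullet form. With both lines bulleted the number and its description read as two unrelated items, so suggest `# 1) services - array` followed by `# * services to be enabled` to match the majority. The header name line `# enable_services` also lacks the `()` suffix the util-common.sh headers now use, so the files disagree on that convention as well.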
@@ -92,11 +102,16 @@ WantedBy=multi-user.target
 }
 # configure_service_aro_rp
+#
 # args:
-# 1) image - nameref, string; RP container image
-# 2) role - nameref, string; VMSS role
-# 3) conf_file - nameref, string; aro rp environment file
-# 4) ipaddress - nameref, string; static ip of podman network to be attached
+# * 1) image - nameref, string
+# * RP container image
+# * 2) role - nameref, string
+# * VMSS role
+# * 3) conf_file - nameref, string
+# * aro rp environment file
+# * 4) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_rp() {
 local -n image="$1"
 local -n role="$2"
@@ -105,6 +120,7 @@ configure_service_aro_rp() {
 log "starting"
 log "Configuring aro-rp service"
+ # shellcheck disable=SC2034
 local -r aro_rp_conf_filename='/etc/sysconfig/aro-rp'
 local -r add_conf_file="PODMAN_NETWORK='podman'
 IPADDRESS='$ipaddress'
@@ -116,7 +132,9 @@ ARO_LOG_LEVEL='$RPLOGLEVEL'"
 # shellcheck disable=SC2034
 local -r aro_rp_service_filename='/etc/systemd/system/aro-rp.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_rp_service_file='[Unit]
@@ -182,9 +200,12 @@ WantedBy=multi-user.target'
 }
 # configure_service_aro_monitor
+#
 # args:
-# 1) image - nameref, string; RP container image
-# 2) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) image - nameref, string
+# * RP container image
+# 2) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_monitor() {
 local -n image="$1"
 local -n ipaddress="$2"
@@ -195,6 +216,7 @@ configure_service_aro_monitor() {
 # are not used, but can't easily be refactored out. Should be revisited in the future.
 # shellcheck disable=SC2034
 local -r aro_monitor_service_conf_filename='/etc/sysconfig/aro-monitor'
+ # shellcheck disable=SC2034
 local -r aro_monitor_service_conf_file="AZURE_FP_CLIENT_ID='$FPCLIENTID'
 DOMAIN_NAME='$LOCATION.$CLUSTERPARENTDOMAINNAME'
@@ -222,7 +244,9 @@ ARO_LOG_LEVEL='$MONITORLOGLEVEL'"
 # shellcheck disable=SC2034
 local -r aro_monitor_service_filename='/etc/systemd/system/aro-monitor.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_monitor_service_file='[Unit]
@@ -273,9 +297,12 @@ WantedBy=multi-user.target'
 }
 # configure_service_aro_portal
+#
 # args:
-# 1) image - nameref, string; RP container image
-# 2) ipaddress - nameref, string; static ip of podman network to be attached
+# * 1) image - nameref, string
+# * RP container image
+# * 2) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_portal() {
 local -n image="$1"
 local -n ipaddress="$2"
@@ -303,7 +330,9 @@ ARO_LOG_LEVEL='$PORTALLOGLEVEL'"
 # shellcheck disable=SC2034
 local -r aro_portal_service_filename='/etc/systemd/system/aro-portal.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_portal_service_file='[Unit]
@@ -349,10 +378,14 @@ WantedBy=multi-user.target'
 }
 # configure_service_aro_mimo_actuator
+#
 # args:
-# 1) image - nameref, string; RP container image
-# 2) conf_file - nameref, string; aro rp environment file
-# 3) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) image - nameref, string
+# * RP container image
+# 2) conf_file - nameref, string
+# * aro rp environment file
+# 3) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_mimo_actuator() {
 local -n image="$1"
 local -n conf_file="$2"
@@ -360,7 +393,10 @@ configure_service_aro_mimo_actuator() {
 log "starting"
 log "Configuring aro-mimo-actuator service"
+ # shellcheck disable=SC2034
 local -r aro_mimo_actuator_conf_filename='/etc/sysconfig/aro-mimo-actuator'
+
+ # shellcheck disable=SC2034
 local -r add_conf_file="PODMAN_NETWORK='podman'
 IPADDRESS='$ipaddress'
 ARO_LOG_LEVEL='$MIMOACTUATORLOGLEVEL'"
@@ -370,7 +406,9 @@ ARO_LOG_LEVEL='$MIMOACTUATORLOGLEVEL'"
 # shellcheck disable=SC2034
 local -r aro_mimo_actuator_service_filename='/etc/systemd/system/aro-mimo-actuator.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_mimo_actuator_service_file='[Unit]
@@ -433,9 +471,12 @@ WantedBy=multi-user.target'
 }
 # configure_service_aro_mise
+#
 # args:
-# 1) image - nameref, string; MISE container image
-# 2) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) image - nameref, string
+# * MISE container image
+# 2) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_mise() {
 local -n image="$1"
 local -n ipaddress="$2"
@@ -531,7 +572,9 @@ IPADDRESS='$ipaddress'"
 # shellcheck disable=SC2034
 local -r aro_mise_service_filename='/etc/systemd/system/aro-mise.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_mise_service_file='[Unit]
@@ -560,11 +603,16 @@ WantedBy=multi-user.target'
 write_file aro_mise_service_filename aro_mise_service_file true
 }
+
 # configure_service_aro_otel_collector
+#
 # args:
-# 1) image - nameref, string; OTEL container image
-# 2) static_ip_address - nameref, array; static ips of all services
-# 3) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) image - nameref, string
+# * OTEL container image
+# 2) static_ip_address - nameref, array
+# * static ips of all services
+# 3) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_aro_otel_collector() {
 local -n image="$1"
 local -n static_ip_address="$2"
@@ -630,7 +678,9 @@ service:
 # shellcheck disable=SC2034
 local -r aro_otel_collector_service_filename='/etc/systemd/system/aro-otel-collector.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r aro_otel_collector_service_file='[Unit]
@@ -661,9 +711,12 @@ WantedBy=multi-user.target'
 }
 # configure_service_mdsd
+#
 # args:
-# 1) monitoring_role - nameref, string; can be "gateway" or "rp"
-# 2) monitor_config_version - nameref, string; mdsd config version
+# 1) monitoring_role - nameref, string
+# * can be "gateway" or "rp"
+# 2) monitor_config_version - nameref, string
+# * mdsd config version
 configure_service_mdsd() {
 local -n role="$1"
 local -n monitor_config_version="$2"
@@ -709,10 +762,14 @@ export MDSD_MSGPACK_SORT_COLUMNS=\"1\""
 }
 # configure_service_fluentbit
+#
 # args:
-# 1) conf_file - string; fluenbit configuration file
-# 2) image - string; fluentbit container image to run
-# 3) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) conf_file - string
+# * fluenbit configuration file
+# 2) image - string
+# * fluentbit container image to run
+# 3) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_fluentbit() {
 # shellcheck disable=SC2034
 local -n conf_file="$1"
@@ -736,7 +793,9 @@ configure_service_fluentbit() {
 # shellcheck disable=SC2034
 local -r service_filename='/etc/systemd/system/fluentbit.service'
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r service_file='[Unit]
@@ -775,8 +834,10 @@ WantedBy=multi-user.target'
 }
 # configure_timers_mdm_mdsd
+#
 # args:
-# 1) role - string; can be "gateway" or "rp"
+# 1) role - string
+# * can be "gateway" or "rp"
 configure_timers_mdm_mdsd() {
 local -n role="$1"
 log "starting"
@@ -931,10 +992,14 @@ WantedBy=multi-user.target'
 }
 # configure_service_mdm
+#
 # args:
-# 1) role - nameref, string; can be "gateway" or "rp"
-# 2) image - nameref, string; mdm container image to run
-# 3) ipaddress - nameref, string; static ip of podman network to be attached
+# 1) role - nameref, string
+# * can be "gateway" or "rp"
+# 2) image - nameref, string
+# * mdm container image to run
+# 3) ipaddress - nameref, string
+# * static ip of podman network to be attached
 configure_service_mdm() {
 local -n role="$1"
 local -n image="$2"
@@ -963,7 +1028,9 @@ IPADDRESS='$ipaddress'"
 mkdir -p /var/etw
 # shellcheck disable=SC2034
 local -r mdm_service_filename="/etc/systemd/system/mdm.service"
+ # shellcheck disable=SC2034
+ # shellcheck disable=SC2016
 # below variable is in single quotes
 # as it is to be expanded at systemd start time (by systemd, not this script)
 local -r mdm_service_file='[Unit]
@@ -1008,11 +1075,16 @@ WantedBy=multi-user.target'
 }
 # configure_vmss_aro_service
+#
 # args:
-# 1) r - nameref, string; role of VMSS
-# 2) images - nameref, associative array; ARO container images
-# 3) configs - nameref, associative array; configuration files and versions. The values should be a reference to variables, not dereferenced.
-# This is because the value is used when creating nameref variables by helper functions.
+# 1) r - nameref, string
+# * role of VMSS
+# 2) images - nameref, associative array
+# * ARO container images
+# 3) configs - nameref, associative array
+# * configuration files and versions.
+# * The values should be a reference to variables, not dereferenced.
+# * This is because the value is used when creating nameref variables by helper functions.
 configure_vmss_aro_services() {
 local -n r="$1"
 local -n images="$2"
@@ -1021,25 +1093,46 @@ configure_vmss_aro_services() {
 verify_role "$1"
 if [ "$r" == "$role_gateway" ]; then
- configure_service_aro_gateway "${images["rp"]}" "$1" "${configs["gateway_config"]}" "${configs["static_ip_address"]}["gateway"]"
+ configure_service_aro_gateway "${images["rp"]}" "$1" "${configs["gateway_config"]}" "${configs["static_ip_address"]}[gateway]"
 configure_certs_gateway
 elif [ "$r" == "$role_rp" ]; then
- configure_service_aro_rp "${images["rp"]}" "$1" "${configs["rp_config"]}" "${configs["static_ip_address"]}["rp"]"
- configure_service_aro_mimo_actuator "${images["rp"]}" "${configs["rp_config"]}" "${configs["static_ip_address"]}["mimo_actuator"]"
- configure_service_aro_monitor "${images["rp"]}" "${configs["static_ip_address"]}["monitor"]"
- configure_service_aro_portal "${images["rp"]}" "${configs["static_ip_address"]}["portal"]"
- configure_service_aro_mise "${images["mise"]}" "${configs["static_ip_address"]}["mise"]"
- configure_service_aro_otel_collector "${images["otel"]}" "${configs["static_ip_address"]}" "${configs["static_ip_address"]}["otel_collector"]"
+ configure_service_aro_rp "${images["rp"]}" \
+ "$1" \
+ "${configs[rp_config]}" \
+ "${configs[static_ip_address]}[rp]"
+
+ configure_service_aro_mimo_actuator "${images[rp]}" \
+ "${configs[rp_config]}" \
+ "${configs[static_ip_address]}[mimo_actuator]"
+
+ configure_service_aro_monitor "${images[rp]}" "${configs[static_ip_address]}[monitor]"
+
+ configure_service_aro_portal "${images[rp]}" "${configs[static_ip_address]}[portal]"
+
+ configure_service_aro_mise "${images[mise]}" "${configs[static_ip_address]}[mise]"
+
+ configure_service_aro_otel_collector "${images[otel]}" \
+ "${configs[static_ip_address]}" \
+ "${configs["static_ip_address"]}[otel_collector]"
+
 configure_certs_rp
 fi
- configure_service_fluentbit "${configs["fluentbit"]}" "${images["fluentbit"]}"
+ configure_service_fluentbit "${configs[fluentbit]}" "${images[fluentbit]}"
+
 configure_timers_mdm_mdsd "$1"
- configure_service_mdm "$1" "${images["mdm"]}" "${configs["static_ip_address"]}["mdm"]"
- configure_service_mdsd "$1" "${configs["mdsd"]}"
+
+ configure_service_mdm "$1" \
+ "${images[mdm]}" \
+ "${configs["static_ip_address"]}[mdm]"
+
+ configure_service_mdsd "$1" "${configs[mdsd]}"
+
 run_azsecd_config_scan
 }
+# util_common="util-common.sh"
+#
 # util-common.sh does not exist when deployed to VMSS via VMSS extensions
 # Provides shellcheck definitions
 util_common="util-common.sh"
@@ -1048,6 +1141,8 @@ if [ -f "$util_common" ]; then
 source "$util_common"
 fi
+# util_system="util-system.sh"
+#
 # util-system.sh does not exist when deployed to VMSS via VMSS extensions
 # Provides shellcheck definitions
 util_system="util-system.sh"
diff --git a/pkg/deploy/generator/scripts/util-system.sh b/pkg/deploy/generator/scripts/util-system.sh
index 0fc156f9a35..6ee750bf76b 100644
--- a/pkg/deploy/generator/scripts/util-system.sh
+++ b/pkg/deploy/generator/scripts/util-system.sh
@@ -2,10 +2,15 @@
 # This file is intended to be sourced by bootstrapping scripts for commonly used functions
 # get_boot_dev_uuid
+#
 # Get the boot devices uuid
 # args:
-# 1) boot_dev_uuid - nameref, string; Empty variable for boot device uuid assignment
+#
+# * 1) boot_dev_uuid - nameref, string; Empty variable for boot device uuid assignment
+#
 # Taken and refactored from https://eng.ms/docs/products/azure-linux/features/security/fips
+# TODO remove this once sku cbl-mariner-2-gen2-fips is supported by automatic OS updates
+# * Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
 get_boot_dev_uuid() {
 local -n boot_dev_uuid="$1"
 # Set boot_uuid variable for the boot partition if different from the root
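Review bot: Subscript quoting is now mixed inside one function: most call sites were converted to the bare form (`${configs[rp_config]}`, `${images[rp]}`), but the otel_collector and mdm calls keep `${configs["static_ip_address"]}` and the gateway branch still has `${images["rp"]}` and `${configs["gateway_config"]}`; both spellings expand identically, so pick one for the whole block. The element-reference strings (`...[gateway]`, `...[rp]`, and so on) are a separate matter: the inner quotes were removed there on every line, which looks deliberate since the text is later handed to the callee's `local -n` (see configure_service_aro_gateway's parameters in this file), and a short comment on the first such argument would stop a future cleanup from putting them back, e.g. `# element references are passed as text for the callee's nameref; keep the subscript unquoted`.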
@@ -20,8 +25,12 @@ get_boot_dev_uuid() {
 }
 # fips_verify
+#
 # Verify that fips mode is enabled
+#
 # Taken and refactored from https://eng.ms/docs/products/azure-linux/features/security/fips
+# TODO remove this once sku cbl-mariner-2-gen2-fips is supported by automatic OS updates
+# * Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
 fips_verify() {
 fips_enabled_proc="$(cat /proc/sys/crypto/fips_enabled)"
 fips_enabled_sysctl="$(sysctl -n crypto.fips_enabled)"
@@ -33,10 +42,12 @@ fips_verify() {
 }
 # fips_configure
+#
 # Configures VM to run with fips mode enabled
+#
 # Taken and refactored from https://eng.ms/docs/products/azure-linux/features/security/fips
 # TODO remove this once sku cbl-mariner-2-gen2-fips is supported by automatic OS updates
-# Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
+# * Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
 fips_configure() {
 # shellcheck disable=SC2034
 local boot_uuid
@@ -54,6 +65,7 @@ fips_configure() {
 }
 # configure_sshd
+#
 # We need to configure PasswordAuthentication to yes in order for the VMSS Access JIT to work
 configure_sshd() {
 log "starting"
@@ -66,9 +78,12 @@ configure_sshd() {
 }
 # configure_logrotate clobbers /etc/logrotate.conf
+#
 # args:
-# 1) dropin_files - nameref, associative array, optional; logrotate files to write to /etc/logrotate.d
-# Key name dictates filenames written to /etc/logrotate.d.
+# 1) dropin_files - nameref, associative array; optional
+# * logrotate files to write to /etc/logrotate.d
+# * Key name dictates filenames written to /etc/logrotate.d.
+#
 # Example:
 # Key dictates the filename written in /etc/logrotate.d
 # shellcheck disable=SC2034
@@ -132,16 +147,19 @@ include /etc/logrotate.d
 }
 # pull_container_images
+#
 # args:
-# 1) pull_images - nameref, string array
-# 2) registry_conf - nameref, string, optional; path to docker/podman configuration file
+# 1) pull_images - nameref, string array
+# * array of strings. Each string is an image to be pulled.
+# 2) registry_conf - nameref, string, optional
+# * path to docker/podman configuration file.
 pull_container_images() {
 local -n pull_images="$1"
 local -n registry_conf="${2:-empty_str}"
 log "starting"
 # shellcheck disable=SC2034
- local -ri retry_time=30
+ local -ir retry_time=30
 cmd=(
 az
 login
@@ -157,24 +175,39 @@ pull_container_images() {
 mkdir -p /root/.docker
 touch /etc/containers/nodocker
+ [ -n "${registry_conf}" ] && write_file REGISTRY_AUTH_FILE registry_conf "true"
+
+ # This name is used in the case that az acr login searches for this in it's environment
+ # exported here as it's used by podman login and subsequent podman pull
 export REGISTRY_AUTH_FILE="/root/.docker/config.json"
- if [ -n "${registry_conf}" ]; then
- write_file REGISTRY_AUTH_FILE registry_conf true
- fi
-
- log "logging into prod acr"
- cmd=(
- az
- acr
- login
- --name
- # TODO replace this with variable expansion
- # Reference: https://www.shellcheck.net/wiki/SC2001
- "$(sed -e 's|.*/||' <<<"$ACRRESOURCEID")"
- )
-
+ # shellcheck disable=SC2329
+ _() {
+ local -r acr="$1"
+ local -r registry="$2"
+
+ xtrace_set_capture
+ xtrace_unset
+
+ log "logging into container registry $2"
+ az acr login \
+ --name "$acr" \
+ --expose-token \
+ --output tsv \
+ --query accessToken \
+ | podman login \
+ --username "00000000-0000-0000-0000-000000000000" \
+ --password-stdin \
+ "$registry"
+ local -ir status=$?
+
+ xtrace_set
+ return "$status"
+ }
+
+ local -r acr_name="${ACRRESOURCEID##*/}"
+ local -r registry_name="${acr_name}.azurecr.io"
+ cmd=(_ "$acr_name" "$registry_name")
 retry cmd retry_time
 # shellcheck disable=SC2068
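Review bot: The `write_file REGISTRY_AUTH_FILE registry_conf "true"` call has been moved above `export REGISTRY_AUTH_FILE="/root/.docker/config.json"`, but write_file takes its first argument as a nameref (`local -n filename="$1"` in util-common.sh), so when registry_conf is supplied the file is now written to whatever REGISTRY_AUTH_FILE holds before the export — empty unless the environment already sets it — instead of /root/.docker/config.json as before; put the export first, `export REGISTRY_AUTH_FILE="/root/.docker/config.json"` then `[ -n "${registry_conf}" ] && write_file REGISTRY_AUTH_FILE registry_conf "true"`. Piping the `--expose-token` output into `podman login --password-stdin` with xtrace suppressed keeps the token off argv and out of the trace, which is the right shape; note though that `status=$?` reflects only podman login unless the script runs with `set -o pipefail`, so a failed `az acr login` surfaces only as whatever podman reports on empty input. `registry_name="${acr_name}.azurecr.io"` hard-codes the public-cloud login-server suffix while util-common.sh carries a `us_gov_cloud` constant for AzureUSGovernment, where the suffix differs; the old `az acr login --name` let the CLI resolve the server, and `az acr show --name "$acr_name" --query loginServer --output tsv` would preserve that. The helper is named `_`, which is also the shell's last-argument variable and a conventional throwaway, and it stays defined globally after pull_container_images returns, so a descriptive name such as `_acr_login` would read better in the `cmd=(...)` array and in retry's failure message.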
@@ -200,24 +233,37 @@ pull_container_images() {
 retry cmd retry_time
 }
-# configure_certs_general Configure system certificates common to all VMSS instances
-configure_certs_general() {
+# configure_ca_bundle()
+#
+# Configures system ca-bundle certificates common to all VMSS instances.
+configure_ca_bundle() {
 log "starting"
+ xtrace_set_capture
+ xtrace_unset
+
 # setting MONITORING_GCS_AUTH_ID_TYPE=AuthKeyVault seems to have caused mdsd not
 # to honour SSL_CERT_FILE any more, heaven only knows why.
 local -r ssl_certs_basedir="/usr/lib/ssl/certs"
 mkdir -p "$ssl_certs_basedir"
- csplit -f "$ssl_certs_basedir/cert-" -b %03d.pem /etc/pki/tls/certs/ca-bundle.crt /^$/1 "{*}" 1>/dev/null
+
+ ca_bundle="/etc/pki/tls/certs/ca-bundle.crt"
+ log "Configuring $ca_bundle"
+ csplit -f "$ssl_certs_basedir/cert-" -b %03d.pem "$ca_bundle" /^$/1 "{*}" 1>/dev/null
 c_rehash "$ssl_certs_basedir"
+
+ xtrace_set
 }
-# configure_certs_rp Configure system certificates for RP VMSS
-# args:
+# configure_certs_rp()
+#
+# Configures RP system certificates
 configure_certs_rp() {
 log "starting"
 verify_role role_rp
+ xtrace_set_capture
+ xtrace_unset
 local -r rp_certs_basedir="/etc/aro-rp"
 mkdir -p "$rp_certs_basedir"
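Review bot: `ca_bundle="/etc/pki/tls/certs/ca-bundle.crt"` is assigned without `local -r`, unlike `ssl_certs_basedir` a few lines above, so it becomes a global in the sourcing script every time configure_ca_bundle runs; make it `local -r ca_bundle="/etc/pki/tls/certs/ca-bundle.crt"`. The new xtrace capture/unset pair wraps only csplit of the public CA bundle and c_rehash, neither of which touches secret material, so if the aim is to keep the per-file csplit noise out of the trace say so in a comment beside `xtrace_unset`, and if it was added for symmetry with configure_certs_rp consider dropping it here so the step stays traceable. In configure_certs_rp the `xtrace_unset` added here is restored only in the next hunk, after code not shown; if any path between them returns early, tracing stays off for the rest of the run — worth confirming none does.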
@@ -227,22 +273,30 @@ configure_certs_rp() {
 fi
 chown -R 1000:1000 "$rp_certs_basedir"
- configure_certs_general
+
+ xtrace_set
+ configure_ca_bundle
 }
-# configure_certs_gateway Configure system certificates for Gateway VMSS instances
+# configure_certs_gateway()
+#
+# Configures system tls certificates for Gateway VMSS instances
 configure_certs_gateway() {
 log "starting"
 verify_role role_gateway
- configure_certs_general
+ configure_ca_bundle
 }
-# configure_certs_devproxy Configure system certificates for devproxy VMSS instances
+# configure_certs_devproxy()
+#
+# Configures system certificates for devproxy VMSS instances
 configure_certs_devproxy() {
 log "starting"
 verify_role role_devproxy
+ xtrace_set_capture
+ xtrace_unset
 local -r proxy_certs_basedir="/etc/proxy"
 mkdir -p "$proxy_certs_basedir"
@@ -251,8 +305,11 @@ configure_certs_devproxy() {
 base64 -d <<<"$PROXYCLIENTCERT" > "$proxy_certs_basedir/proxy-client.crt"
 chown -R 1000:1000 /etc/proxy
 chmod 0600 "$proxy_certs_basedir/proxy.key"
+
+ xtrace_set
 }
+# configure_azsecd_scan()
 configure_azsecd_scan() {
 log "starting"
@@ -320,9 +377,10 @@ firewalld_configure_backend() {
 }
 # firewalld_configure
+#
 # args:
 # 1) ports - nameref, string array; ports to be enabled.
-# Ports must be postfixed with /tcp or /udp
+# * Ports must be postfixed with /tcp or /udp
 firewalld_configure() {
 local -n ports="$1"
 log "starting"
diff --git a/pkg/deploy/generator/scripts/util.sh b/pkg/deploy/generator/scripts/util.sh
index ca1f36304ea..ec00f1a1a5b 100644
--- a/pkg/deploy/generator/scripts/util.sh
+++ b/pkg/deploy/generator/scripts/util.sh
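Review bot: In configure_certs_devproxy the new `xtrace_set_capture`/`xtrace_unset` (hunk -227) and the matching `xtrace_set` (hunk -251) bracket the lines that expand `$PROXYCLIENTCERT` and the proxy key from the environment into files, but neither hunk says why tracing is switched off, so a later cleanup could remove the pair as noise and put the decoded values back into the trace log. Add a comment above the `xtrace_unset`, e.g. `# keep xtrace off while certificate and key values from the environment are expanded, so they are not echoed to the trace log` — presumably the intent here and in configure_certs_rp, so confirm. The middle of configure_certs_devproxy lies between the two hunks and is not visible here.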
@@ -1,31 +1,35 @@
 #!/bin/bash
 # File to be sourced by *VMSS.sh scripts
-# This is only present for the ability to manaully run the VMSS setup scripts seperate from the deploy process.
-# e. g. scp copying the script to a test VM
+#
+# This is only present for the ability to manually run the VMSS setup scripts separate from the deploy process.
+# * e.g. scp copying the script to a test VM
+#
 # During normal deployment operations, the other util-*.sh files are prefixed to the VMSS scripts
-if [ "${DEBUG:-false}" == true ]; then
- set -x
-fi
+[ "${DEBUG:-false}" == true ] && set -x
+# util_common="util-common.sh"
 util_common="util-common.sh"
 if [ -f "$util_common" ]; then
 # shellcheck source=util-common.sh
 source "$util_common"
 fi
+# util_system="util-system.sh"
 util_system="util-system.sh"
 if [ -f "$util_system" ]; then
 # shellcheck source=util-system.sh
 source "$util_system"
 fi
+# util_services="util-services.sh"
 util_services="util-services.sh"
 if [ -f "$util_services" ]; then
 # shellcheck source=util-services.sh
 source "$util_services"
 fi
+# util_pkgs="util-packages.sh"
 util_pkgs="util-packages.sh"
 if [ -f "$util_pkgs" ]; then
 # shellcheck source=util-packages.sh