Add in another service for Edge Server management (#327)

* Add in another service for Edge Server management

Using a service called shell2http to expose scripts as HTTP endpoints.  Roll back setting up Edge Server initially and have the tests start and stop edge server as needed since configuration changes require a restart.

* Added iptables command to firewall.sh:
- Empty allow and deny lists would remove all the rules added
- Accepts allow and deny params as array of strings and adds the rules to ES_RULES chain

---------

Co-authored-by: barkha06 <[email protected]>

Author: borrrden

environment/aws/es_setup/configure-system.sh

@@ -2,10 +2,21 @@
 
 set -x
 
-mkdir -p $HOME/config
 mkdir -p $HOME/cert
 mkdir -p $HOME/log
+mkdir -p $HOME/shell2http
 
 curl -LO https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_linux_amd64.tar.gz
 tar xvf caddy_2.10.2_linux_amd64.tar.gz caddy
-rm caddy_2.10.2_linux_amd64.tar.gz
+rm caddy_2.10.2_linux_amd64.tar.gz
+
+pushd $HOME/shell2http
+curl -LO https://github.com/msoap/shell2http/releases/download/v1.17.0/shell2http_1.17.0_linux_amd64.tar.gz
+tar xvf shell2http_1.17.0_linux_amd64.tar.gz shell2http
+rm shell2http_1.17.0_linux_amd64.tar.gz
+
+if ! command -v iptables &> /dev/null; then
+  sudo yum install iptables-services -y
+  sudo systemctl enable iptables
+  sudo systemctl start iptables
+fi

environment/aws/es_setup/es_config.json

@@ -202,6 +202,13 @@ def remote_exec(
     click.echo()
 
 
+def remote_exec_bg(ssh: paramiko.SSHClient, command: str, desc: str) -> None:
+    header(desc)
+    ssh.exec_command(command, get_pty=False)
+    header("Done!")
+    click.echo()
+
+
 def setup_server(
     hostname: str, pkey: paramiko.Ed25519Key, es_info: EsDownloadInfo
 ) -> None:
@@ -232,6 +239,15 @@ def setup_server(
     )
     remote_exec(ssh, "bash /tmp/configure-system.sh", "Setting up instance")
 
+    sftp_progress_bar(
+        sftp, SCRIPT_DIR / "cert" / "es_cert.pem", "/home/ec2-user/cert/es_cert.pem"
+    )
+    sftp_progress_bar(
+        sftp, SCRIPT_DIR / "cert" / "es_key.pem", "/home/ec2-user/cert/es_key.pem"
+    )
+    for file in (SCRIPT_DIR / "shell2http").iterdir():
+        sftp_progress_bar(sftp, file, f"/home/ec2-user/shell2http/{file.name}")
+
     if es_info.is_release:
         remote_exec(
             ssh,
@@ -246,10 +262,6 @@ def setup_server(
             f"/tmp/{es_info.local_filename}",
         )
 
-    sftp_progress_bar(sftp, SCRIPT_DIR / "start-es.sh", "/home/ec2-user/start-es.sh")
-    sftp_progress_bar(
-        sftp, SCRIPT_DIR / "es_config.json", "/home/ec2-user/config/es_config.json"
-    )
     sftp_progress_bar(sftp, SCRIPT_DIR / "Caddyfile", "/home/ec2-user/Caddyfile")
     cert = create_self_signed_certificate(hostname)
     cert_pem = cert.pem_bytes()
@@ -280,7 +292,9 @@ def setup_server(
         "Installing Edge Server",
     )
     remote_exec(ssh, "/home/ec2-user/caddy start", "Starting ES log fileserver")
-    remote_exec(ssh, "bash /home/ec2-user/start-es.sh", "Starting Edge Server")
+    remote_exec_bg(
+        ssh, "bash /home/ec2-user/shell2http/start.sh", "Starting ES management server"
+    )
 
     ssh.close()
 

environment/aws/es_setup/setup_edge_servers.py

@@ -0,0 +1,8 @@
+read_http_body() {
+  local len="${HTTP_CONTENT_LENGTH:-}"
+  if [[ -n "$len" ]]; then
+    head -c "$len"
+  else
+    cat
+  fi
+}

environment/aws/es_setup/shell2http/common.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+REQUEST_BODY=$(read_http_body)
+
+ALLOW=$(echo $REQUEST_BODY | jq -r '.allow')
+DENY=$(echo $REQUEST_BODY | jq -r '.deny')
+if [[ ( -z "$ALLOW" || "$ALLOW" == "null" ) && ( -z "$DENY" || "$DENY" == "null" ) ]]; then
+#  echo "Error: provide 'allow' or 'deny' (at least one)"
+#  exit 1
+iptables -F ES_RULES
+exit 0
+fi
+
+if ! iptables -L ES_RULES >/dev/null 2>&1; then
+  iptables -N ES_RULES
+fi
+iptables -F ES_RULES
+
+
+if [[ "$ALLOW" != "null" ]]; then
+  echo "$ALLOW" | jq -r '.[]' | while read ip; do
+    iptables -A ES_RULES -s "$ip" -j ACCEPT
+  done
+fi
+
+if [[ "$DENY" != "null" ]]; then
+  echo "$DENY" | jq -r '.[]' | while read ip; do
+    iptables -A ES_RULES -s "$ip" -j DROP
+  done
+fi
+
+iptables -C INPUT -j ES_RULES 2>/dev/null || iptables -I INPUT -j ES_RULES
+iptables -L ES_RULES --line-numbers

environment/aws/es_setup/shell2http/firewall.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+PID=$(ps -ax | grep [e]dge-server | awk '{print $1}')
+if [[ "$PID" == "" ]]; then
+    echo "Running process not found"
+    exit 0
+fi
+
+kill -SIGHUP $PID

environment/aws/es_setup/shell2http/kill-edgeserver.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+REQUEST_BODY=$(read_http_body)
+
+DB_FILENAME=$(echo $REQUEST_BODY | jq -r '.filename')
+if [ -z "$DB_FILENAME" ] || [ "$DB_FILENAME" == "null" ]; then
+  echo "Error: 'filename' field is required in the request body"
+  exit 1
+fi
+
+# Ensure it ends with 'cblite2'
+if [[ "$DB_FILENAME" != *.cblite2 ]]; then
+  echo "Error: 'filename' must end with '.cblite2'"
+  exit 1
+fi
+
+if [ ! -d "$DB_FILENAME" ]; then
+  echo "Database file '$DB_FILENAME' does not exist"
+  exit 0
+fi
+
+rm -rf "$DB_FILENAME"

environment/aws/es_setup/shell2http/reset-db.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+REQUEST_BODY=$(read_http_body)
+
+DIR=$(mktemp -d)
+rm $DIR/config.json || true
+echo $REQUEST_BODY > $DIR/config.json
+
+LOG="$DIR/edge.log"
+nohup /opt/couchbase-edge-server/bin/couchbase-edge-server $DIR/config.json > $LOG 2>&1 < /dev/null &
+EDGE_SERVER_PID=$!
+sleep 1
+if kill -0 "$EDGE_SERVER_PID" 2>/dev/null; then
+  echo "Edge server running"
+else
+  echo "Edge server failed to start:"
+  cat $LOG
+  exit 1
+fi

environment/aws/es_setup/shell2http/start-edgeserver.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+setsid /home/ec2-user/shell2http/shell2http -no-index -cgi -500 -port 20001 \
+/firewall $SCRIPT_DIR/firewall.sh \
+/kill-edgeserver $SCRIPT_DIR/kill-edgeserver.sh \
+/reset-db $SCRIPT_DIR/reset-db.sh /start-edgeserver \
+$SCRIPT_DIR/start-edgeserver.sh > /dev/null 2>&1 &