feat: add yubico-piv-checker install script
This commit is contained in:
parent
7aa655bcd2
commit
62d6393d56
1
.github/workflows/freebsd.yml
vendored
1
.github/workflows/freebsd.yml
vendored
|
@ -24,6 +24,7 @@ jobs:
|
|||
rsync -a . /opt/bastion/
|
||||
/opt/bastion/bin/admin/packages-check.sh -i
|
||||
/opt/bastion/bin/admin/install-ttyrec.sh -s
|
||||
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
|
||||
/opt/bastion/bin/admin/install --new-install --no-wait
|
||||
ssh-keygen -t ed25519 -f id_user
|
||||
ssh-keygen -t ed25519 -f id_root
|
||||
|
|
|
@ -2,98 +2,31 @@
|
|||
# vim: set filetype=sh ts=4 sw=4 sts=4 et:
|
||||
set -e
|
||||
|
||||
RELEASE_API_URL='https://api.github.com/repos/ovh/ovh-ttyrec/releases'
|
||||
PROGRAM_NAME=ovh-ttyrec
|
||||
RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
|
||||
|
||||
basedir=$(readlink -f "$(dirname "$0")"/../..)
|
||||
# shellcheck source=lib/shell/functions.inc
|
||||
. "$basedir"/lib/shell/functions.inc
|
||||
# shellcheck source=lib/shell/install.inc
|
||||
. "$basedir"/lib/shell/install.inc
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Options:
|
||||
-s Download and install precompiled ttyrec static binaries in /usr/local/bin
|
||||
-d Download the prebuilt Debian package, and install it (for Debian, Ubuntu and derivatives)
|
||||
-r Download the prebuild RPM package, and install it (for RHEL, CentOS and derivatives)
|
||||
-a Automatically detect the OS to install the proper package type, fallback to static binaries if no package applies
|
||||
-h Show this help
|
||||
EOF
|
||||
}
|
||||
|
||||
set_download_url() {
|
||||
pattern="$1"
|
||||
|
||||
action_doing "Looking for download tool..."
|
||||
if command -v wget >/dev/null; then
|
||||
action_done wget
|
||||
_apicall() {
|
||||
wget -q -O - --header="Accept: application/vnd.github.v3+json" "$1" || true
|
||||
}
|
||||
_download() {
|
||||
wget -q "$1"
|
||||
}
|
||||
elif command -v curl >/dev/null; then
|
||||
action_done curl
|
||||
_apicall() {
|
||||
curl -sL -H 'Accept: application/vnd.github.v3+json' "$1" || true
|
||||
}
|
||||
_download() {
|
||||
curl -sL -O "$1"
|
||||
}
|
||||
elif command -v fetch >/dev/null; then
|
||||
action_done fetch
|
||||
_apicall() {
|
||||
fetch -o - "$1" || true
|
||||
}
|
||||
_download() {
|
||||
fetch "$1"
|
||||
}
|
||||
else
|
||||
action_error "Couldn't find wget, curl nor fetch"
|
||||
exit 1
|
||||
fi
|
||||
action_doing "Getting latest release for arch $arch..."
|
||||
payload=$(mktemp)
|
||||
# shellcheck disable=SC2064
|
||||
trap "rm -f $payload" EXIT
|
||||
|
||||
_apicall $RELEASE_API_URL > "$payload"
|
||||
if command -v jq >/dev/null; then
|
||||
# If we have jq, we can do it properly
|
||||
url=$(jq -r '.[0].assets|.[]|.browser_download_url' < "$payload" | grep -F "$pattern" | head -n1)
|
||||
elif perl -MJSON -e 1 2>/dev/null; then
|
||||
# If we don't, there's a good chance we have Perl with the JSON module, use it
|
||||
url=$(perl -MJSON -e 'undef $/; $d=decode_json(<>); foreach(@{ $d->[0]{assets} || [] }) { $_=$_->{browser_download_url}; /\Q'"$pattern"'\E/ && print && exit }' "$payload" | head -n1)
|
||||
else
|
||||
# Otherwise, go the ugly way, don't bother the user in installing jq just for this need
|
||||
url=$(grep -Eo 'https://[a-z0-9./_-]+' "$payload" | grep -F "$pattern" | head -n1)
|
||||
fi
|
||||
|
||||
if [ -n "$url" ]; then
|
||||
action_detail "$url"
|
||||
else
|
||||
action_error "Couldn't find a proper URL for your architecture ($arch), looked for pattern '$pattern'. You may have to compile ovh-ttyrec yourself!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
prepare_temp_folder() {
|
||||
tmpfolder=$(mktemp -d)
|
||||
# shellcheck disable=SC2064
|
||||
trap "test -d '$tmpfolder' && rm -rf -- '$tmpfolder'" EXIT
|
||||
cd "$tmpfolder"
|
||||
set_download_url_package() {
|
||||
type="$1"
|
||||
case "$type" in
|
||||
rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
|
||||
deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
|
||||
*) exit 1;;
|
||||
esac
|
||||
}
|
||||
|
||||
action_static() {
|
||||
if command -v dpkg >/dev/null; then
|
||||
set_arch_from_deb
|
||||
elif command -v rpm >/dev/null; then
|
||||
set_arch_from_rpm
|
||||
else
|
||||
arch=$(uname -m)
|
||||
fi
|
||||
set_archre
|
||||
os=$(uname -s | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
set_download_url "_$arch-$os-static-binary.tar.gz"
|
||||
if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
|
||||
set_download_url "/${PROGRAM_NAME}.*_(x86_|amd)64-$os-static-binary\\.tar\\.gz$"
|
||||
else
|
||||
set_download_url "/${PROGRAM_NAME}.*_$arch-$os-static-binary\\.tar\\.gz$"
|
||||
fi
|
||||
prepare_temp_folder
|
||||
|
||||
_download "$url"
|
||||
|
@ -119,100 +52,4 @@ action_static() {
|
|||
cd /
|
||||
}
|
||||
|
||||
set_arch_from_deb() {
|
||||
arch=$(dpkg --print-architecture)
|
||||
}
|
||||
|
||||
action_debian() {
|
||||
if ! command -v dpkg >/dev/null; then
|
||||
echo "Couldn't find dpkg, aborting" >&2
|
||||
exit 1
|
||||
fi
|
||||
set_arch_from_deb
|
||||
set_download_url "_$arch.deb"
|
||||
prepare_temp_folder
|
||||
|
||||
_download "$url"
|
||||
action_done
|
||||
|
||||
action_doing "Installing package"
|
||||
if dpkg -i -- *.deb; then
|
||||
action_done
|
||||
else
|
||||
action_error
|
||||
fi
|
||||
|
||||
cd /
|
||||
}
|
||||
|
||||
set_arch_from_rpm() {
|
||||
arch=$(rpm -E '%{_arch}')
|
||||
|
||||
# in some cases, %{_arch} is not defined, so the macro isn't expanded.
|
||||
# In that case, find it ourselves
|
||||
if [ "$arch" = "%{_arch}" ]; then
|
||||
arch=$(rpm --showrc | grep "^install arch" | awk '{print $4}')
|
||||
fi
|
||||
}
|
||||
|
||||
action_rpm() {
|
||||
if ! command -v rpm >/dev/null; then
|
||||
echo "Couldn't find rpm, aborting" >&2
|
||||
exit 1
|
||||
fi
|
||||
set_arch_from_rpm
|
||||
|
||||
set_download_url ".$arch.rpm"
|
||||
prepare_temp_folder
|
||||
|
||||
_download "$url"
|
||||
action_done
|
||||
|
||||
action_doing "Installing package"
|
||||
if rpm -Uvh -- *.rpm; then
|
||||
action_done
|
||||
else
|
||||
action_error
|
||||
fi
|
||||
|
||||
cd /
|
||||
}
|
||||
|
||||
action_auto() {
|
||||
action_doing "Detecting OS..."
|
||||
action_detail "Found $OS_FAMILY"
|
||||
if [ "$OS_FAMILY" = Linux ]; then
|
||||
action_detail "Found distro $LINUX_DISTRO version $DISTRO_VERSION (major $DISTRO_VERSION_MAJOR), distro like $DISTRO_LIKE"
|
||||
fi
|
||||
action_done
|
||||
|
||||
case "$DISTRO_LIKE" in
|
||||
*debian*) action_debian;;
|
||||
*rhel*) action_rpm;;
|
||||
*suse*) action_rpm;;
|
||||
*)
|
||||
if [ "$OS_FAMILY" = Linux ]; then
|
||||
action_static
|
||||
else
|
||||
echo "This script doesn't support this OS yet ($DISTRO_LIKE)" >&2
|
||||
exit 1
|
||||
fi;;
|
||||
esac
|
||||
}
|
||||
|
||||
if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then
|
||||
echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while getopts :sdrah arg; do
|
||||
case "$arg" in
|
||||
s) action_static; exit 0;;
|
||||
d) action_debian; exit 0;;
|
||||
r) action_rpm; exit 0;;
|
||||
a) action_auto; exit 0;;
|
||||
h) usage; exit 0;;
|
||||
?) echo "Invalid option: -$OPTARG"; usage; exit 1;;
|
||||
esac
|
||||
done
|
||||
usage
|
||||
install_main "$@"
|
||||
|
|
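Review bot: `set_download_url_package` in this hunk is byte-for-byte the same function added to bin/admin/install-yubico-piv-checker.sh, and it reads only `PROGRAM_NAME` and `archre`, both of which lib/shell/install.inc already relies on; since its only caller is `action_package` in install.inc, defining it there once would remove the duplication this commit introduces. Its `*) exit 1;;` arm also exits without a word, whereas the matching arm in `action_package` prints a reason to stderr; `*) echo "Unsupported package type $type" >&2; exit 1;;` would keep the two consistent. `action_static` continues past the end of this hunk.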
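--- /dev/null
+++ b/bin/admin/install-yubico-piv-checker.sh
@@ -0,0 +1,48 @@
+#! /usr/bin/env bash
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+set -e
+
+PROGRAM_NAME=yubico-piv-checker
+RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
+
+basedir=$(readlink -f "$(dirname "$0")"/../..)
+# shellcheck source=lib/shell/install.inc
+. "$basedir"/lib/shell/install.inc
+
+set_download_url_package() {
+type="$1"
+case "$type" in
+rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
+deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
+*) exit 1;;
+esac
+}
+
+action_static() {
+set_archre
+os=$(uname -s | tr '[:upper:]' '[:lower:]')
+
+if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
+set_download_url "/${PROGRAM_NAME}.*_${os}_(x86_|amd)64\\.tar\\.gz$"
+else
+set_download_url "/${PROGRAM_NAME}.*_${os}_$arch\\.tar\\.gz$"
+fi
+prepare_temp_folder
+
+_download "$url"
+# we have just one archive file in the current temp directory
+# shellcheck disable=SC2035
+tar xzf *.tar.gz
+action_done
+
+action_doing "Installing files"
+for file in $PROGRAM_NAME; do
+action_detail "/usr/local/bin/$file"
+install -m 0755 "$file" /usr/local/bin/
+done
+action_done
+
+cd /
+}
+
+install_main "$@"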
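Review bot: `action_static` unpacks the fetched archive with `tar xzf *.tar.gz` and copies the binary into `/usr/local/bin` with `install -m 0755` without any integrity check on what `_download` retrieved: the URL is whatever matched the pattern in the release API body (in the no-jq/no-perl fallback, a bare `grep -Eo 'https://…'` over that body), and nothing compares the archive against a checksum or signature before it becomes an executable on the bastion. If the upstream release publishes a checksum file next to the tarball, fetching it and verifying the archive before the `install` line would close that gap; if it does not, a comment stating that the download is trusted on the strength of TLS to github.com alone would at least make the assumption explicit. The same applies to `_download "$url"` in `action_package` in lib/shell/install.inc, where the `.deb`/`.rpm` is handed straight to `dpkg -i`/`rpm -Uvh`.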
@ -2,10 +2,11 @@ FROM centos:7
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
|
@ -23,5 +24,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908
|
||||
|
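Review bot: `RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]` fetches whatever the latest GitHub release is at image build time, so two builds of the same Dockerfile can ship different binaries, and the build now depends twice (ttyrec and this) on api.github.com being reachable and under its rate limit — install.inc even has a dedicated "did we hit the query limit?" error path for that. If the install scripts grow a way to pin a release tag, passing it here would make the image reproducible. The same line is added to the centos:8, debian:*, opensuse/leap:* and ubuntu:* Dockerfiles in this commit and to the `-d` RUN chain at `@ -13,6 +13,8 @@`.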
|
|
@ -2,10 +2,11 @@ FROM centos:8
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
|
@ -23,5 +24,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM debian:buster
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM debian:jessie
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM debian:stretch
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM opensuse/leap:15.0
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
|
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM opensuse/leap:15.1
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
|
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM opensuse/leap:15.2
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
|
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
|
||||
|
|
|
@ -13,6 +13,8 @@ RUN \
|
|||
/opt/bastion/bin/admin/packages-check.sh -i -d -s && \
|
||||
# download and install the ttyrec deb package (-d) \
|
||||
/opt/bastion/bin/admin/install-ttyrec.sh -d && \
|
||||
# download and install the yubico-piv-checker deb package (-d) \
|
||||
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -d && \
|
||||
# cleanup packages cache to save space \
|
||||
rm -rf /var/cache/apt && \
|
||||
# handle locales \
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM ubuntu:14.04
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM ubuntu:16.04
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM ubuntu:18.04
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -2,10 +2,11 @@ FROM ubuntu:20.04
|
|||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
|
||||
|
||||
# handle locales
|
||||
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
|
||||
|
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
|
|||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
|
||||
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
|
||||
|
|
|
@ -300,6 +300,19 @@ add_user_to_group_compat()
|
|||
fi
|
||||
}
|
||||
|
||||
del_user_from_group_compat()
|
||||
{
|
||||
local _user="$1" _group="$2"
|
||||
if command -v gpasswd >/dev/null ; then
|
||||
gpasswd -d "$_user" "$_group"
|
||||
elif command -v pw >/dev/null ; then
|
||||
pw groupmod -n "$_group" -d "$_user"
|
||||
else
|
||||
echo "del_user_from_group_compat: don't know how to del $_user from $_group!" >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
_logtag="$(basename "$0")[$$]"
|
||||
__log()
|
||||
{
|
||||
|
|
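--- /dev/null
+++ b/lib/shell/install.inc
@@ -0,0 +1,198 @@
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+# shellcheck shell=bash
+
+# common parts of install-ttyrec.sh and install-yubico-piv-checker.sh
+
+# shellcheck source=lib/shell/functions.inc disable=SC2128
+. "$(dirname "$BASH_SOURCE")"/functions.inc
+
+install_usage() {
+cat <<EOF
+Options:
+-s Download and install precompiled $PROGRAM_NAME static binaries in /usr/local/bin
+-d Download the prebuilt Debian package, and install it (for Debian, Ubuntu and derivatives)
+-r Download the prebuild RPM package, and install it (for RHEL, CentOS and derivatives)
+-a Automatically detect the OS to install the proper package type, fallback to static binaries if no package applies
+-h Show this help
+EOF
+}
+
+set_download_url() {
+pattern="$1"
+
+action_doing "Looking for download tool..."
+if command -v wget >/dev/null; then
+action_done wget
+_apicall() {
+wget -q -O - --header="Accept: application/vnd.github.v3+json" "$1" || true
+}
+_download() {
+wget -q "$1"
+}
+elif command -v curl >/dev/null; then
+action_done curl
+_apicall() {
+curl -sL -H 'Accept: application/vnd.github.v3+json' "$1" || true
+}
+_download() {
+curl -sL -O "$1"
+}
+elif command -v fetch >/dev/null; then
+action_done fetch
+_apicall() {
+fetch -o - "$1" || true
+}
+_download() {
+fetch "$1"
+}
+else
+action_error "Couldn't find wget, curl nor fetch"
+exit 1
+fi
+action_doing "Getting latest release for arch $arch..."
+payload=$(mktemp)
+# shellcheck disable=SC2064
+trap "rm -f $payload" EXIT
+
+_apicall "$RELEASE_API_URL" > "$payload"
+if command -v jq >/dev/null; then
+# If we have jq, we can do it properly
+urls="$(jq -r '.[0].assets|.[]|.browser_download_url' < "$payload")"
+elif perl -MJSON -e 1 2>/dev/null; then
+# If we don't, there's a good chance we have Perl with the JSON module, use it
+urls="$(perl -MJSON -e 'undef $/; $d=decode_json(<>); exit if ref $d ne "ARRAY"; foreach(@{ $d->[0]{assets} || [] }) { print $_->{browser_download_url}."\n" }' "$payload")"
+else
+# Otherwise, go the ugly way, don't bother the user in installing jq just for this need
+urls="$(grep -Eo 'https://[a-z0-9./_-]+' "$payload")"
+fi
+
+url="$(echo "$urls" | grep -E "$pattern" | head -n1)"
+
+if [ -n "$url" ]; then
+action_detail "$url"
+elif [ ! -s "$payload" ]; then
+action_error "API returned an empty body, did we hit the query limit?"
+exit 1
+elif [ -z "$urls" ]; then
+action_error "Couldn't find any URL in the returned body, did we hit the query limit? Body follows:"
+cat "$payload"
+exit 1
+else
+action_error "Couldn't find a proper URL for your architecture ($arch), looked for pattern '$pattern'. You may have to compile $PROGRAM_NAME yourself!"
+action_detail "Maybe the release asset naming pattern has changed and we're not aware, if you think one of the packages below match your OS & arch, you may download & install them manually:"
+for line in $urls; do
+action_detail "$line"
+done
+exit 1
+fi
+}
+
+prepare_temp_folder() {
+tmpfolder=$(mktemp -d)
+# shellcheck disable=SC2064
+trap "test -d '$tmpfolder' && rm -rf -- '$tmpfolder'" EXIT
+cd "$tmpfolder" || exit 1
+}
+
+# shellcheck disable=SC2034
+set_archre() {
+if command -v dpkg >/dev/null; then
+arch=$(dpkg --print-architecture)
+elif command -v rpm >/dev/null; then
+arch=$(rpm -E '%{_arch}')
+
+# in some cases, %{_arch} is not defined, so the macro isn't expanded,
+# we have to find it ourselves
+if [ "$arch" = "%{_arch}" ]; then
+arch=$(rpm --showrc | grep "^install arch" | awk '{print $4}')
+fi
+else
+arch=$(uname -m)
+fi
+
+if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
+archre="(x86_|amd)64"
+else
+archre="$arch"
+fi
+}
+
+action_package() {
+type="$1"
+case "$type" in
+deb)
+if ! command -v dpkg >/dev/null; then
+echo "Couldn't find dpkg, aborting" >&2
+exit 1
+fi;;
+rpm)
+if ! command -v rpm >/dev/null; then
+echo "Couldn't find rpm, aborting" >&2
+exit 1
+fi;;
+*) echo "Unsupported package type $type" >&2; exit 1;;
+esac
+
+set_archre
+set_download_url_package "$type"
+prepare_temp_folder
+_download "$url"
+
+action_done
+
+action_doing "Installing package"
+case "$type" in
+deb) dpkg -i -- *.deb; ret=$?;;
+rpm) rpm -Uvh -- *.rpm; ret=$?;;
+*) exit 1;;
+esac
+
+if [ "$ret" = 0 ]; then
+action_done
+else
+action_error
+fi
+
+cd /
+}
+
+action_auto() {
+action_doing "Detecting OS..."
+action_detail "Found $OS_FAMILY"
+if [ "$OS_FAMILY" = Linux ]; then
+action_detail "Found distro $LINUX_DISTRO version $DISTRO_VERSION (major $DISTRO_VERSION_MAJOR), distro like $DISTRO_LIKE"
+fi
+action_done
+
+case "$DISTRO_LIKE" in
+*debian*) action_package deb;;
+*rhel*) action_package rpm;;
+*suse*) action_package rpm;;
+*)
+if [ "$OS_FAMILY" = Linux ]; then
+action_static
+else
+echo "This script doesn't support this OS yet ($DISTRO_LIKE)" >&2
+exit 1
+fi;;
+esac
+}
+
+install_main() {
+if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then
+echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2
+exit 1
+fi
+
+while getopts :sdrah arg; do
+case "$arg" in
+s) action_static; exit 0;;
+d) action_package deb; exit 0;;
+r) action_package rpm; exit 0;;
+a) action_auto; exit 0;;
+h) usage; exit 0;;
+?) echo "Invalid option: -$OPTARG"; usage; exit 1;;
+esac
+done
+install_usage
+}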
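Review bot: `install_main` still calls `usage` on the `h)` and `?)` arms of its getopts case, but the only help function this commit defines is `install_usage` (the per-script `usage()` is removed from install-ttyrec.sh and the new yubico script has none), so `-h` and any unknown option hit an undefined command instead of printing help; both arms should read `h) install_usage; exit 0;;` and `?) echo "Invalid option: -$OPTARG"; install_usage; exit 1;;`. In `action_package`, `deb) dpkg -i -- *.deb; ret=$?;;` never reaches the assignment when dpkg fails, because the sourcing scripts run under `set -e` and a failing simple command inside a `case` arm aborts the shell, so the `action_error` branch below it is dead; the `if dpkg -i -- *.deb; then` form the old install-ttyrec.sh used is immune to that (same for the `rpm -Uvh` arm). Finally, `set_download_url` installs `trap "rm -f $payload" EXIT` and `prepare_temp_folder`, which every caller runs right after it, replaces that with its own EXIT trap, so the `mktemp` payload file is never removed; a single cleanup function that removes both `$payload` and `$tmpfolder` would fix the leak.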