From 47c6d7cf8eba4c6226aa8d61cad21bcb44c96c97 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Thu, 13 Oct 2022 16:31:33 +0200
Subject: [PATCH 1/7] Update provision.sh to start the server with auth
---
 hack/scripts/provision.sh | 62 +++++++++++++++++++++++++++++++--------
 1 file changed, 49 insertions(+), 13 deletions(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index 5d1fe000..804ac885 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -198,14 +198,15 @@ set_arch() {
 local arch=$(uname -m)
 case $arch in
- x86_64|amd64)
- ARCH=amd64
- ;;
- aarch64|arm64)
- ARCH=arm64
- ;;
- *)
- die "Unknown arch or arch not supported: $arch."
+ x86_64 | amd64)
+ ARCH=amd64
+ ;;
+ aarch64 | arm64)
+ ARCH=arm64
+ ;;
+ *)
+ die "Unknown arch or arch not supported: $arch."
+ ;;
 esac
 }
@@ -303,6 +304,7 @@ do_all_flintlock() {
 local parent_iface="$3"
 local bridge_name="$4"
 local insecure="$5"
+ local auth_file="$6"
 install_flintlockd "$version"
@@ -312,7 +314,7 @@ do_all_flintlock() {
 if [[ -z "$address" ]]; then
 address=$(lookup_address "$parent_iface")
 fi
- write_flintlockd_config "$address" "$parent_iface" "$bridge_name" "$insecure"
+ write_flintlockd_config "$address" "$parent_iface" "$bridge_name" "$insecure" "$auth_file"
 start_flintlockd_service
 say "Flintlockd running at $address:9090 via interface $parent_iface"
@@ -343,6 +345,7 @@ write_flintlockd_config() {
 local parent_iface="$2"
 local bridge_name="$3"
 local insecure="$4"
+ local auth_file="$5"
 mkdir -p "$(dirname "$FLINTLOCKD_CONFIG_PATH")"
@@ -357,15 +360,36 @@ insecure: $insecure
 EOF
 if [[ -n "$bridge_name" ]]; then
- cat <>"$FLINTLOCKD_CONFIG_PATH"
+ cat <>"$FLINTLOCKD_CONFIG_PATH"
 bridge-name: "$bridge_name"
 EOF
 else
- cat <>"$FLINTLOCKD_CONFIG_PATH"
+ cat <>"$FLINTLOCKD_CONFIG_PATH"
 parent-iface: "$parent_iface"
 EOF
 fi
+ if [[ -n "$auth_file" ]]; then
+ say "using auth file: $auth_file"
+ # shellcheck source=auth_file
+ # shellcheck disable=SC1091
+ . "${auth_file}"
+ if [[ -n "$basic_auth_token" ]]; then
+ cat <>"$FLINTLOCKD_CONFIG_PATH"
+basic-auth-token: "$basic_auth_token"
+EOF
+ fi
+ if [[ -n "$tls_cert" ]]; then
+ # shellcheck disable=SC2154
+ cat <>"$FLINTLOCKD_CONFIG_PATH"
+tls-cert: "$tls_cert"
+tls-key: "$tls_key"
+tls-client-validate: "$tls_client_validate"
+tls-client-ca: "$tls_client_ca"
+EOF
+ fi
+ fi
 say "Flintlockd config saved"
 }
@@ -717,6 +741,7 @@ cmd_all() {
 local fc_version="$FIRECRACKER_VERSION"
 local fl_version="$FLINTLOCK_VERSION"
 local ctrd_version="$CONTAINERD_VERSION"
+ local auth_file=""
 while [ $# -gt 0 ]; do
 case "$1" in
@@ -756,6 +781,10 @@ cmd_all() {
 "--dev")
 DEVELOPMENT=true
 ;;
+ "-f" | "--auth-file")
+ shift
+ auth_file="$1"
+ ;;
 *)
 die "Unknown argument: $1. Please use --help for help."
 ;;
@@ -790,7 +819,7 @@ cmd_all() {
 install_firecracker "$fc_version"
 do_all_containerd "$ctrd_version" "$set_thinpool"
- do_all_flintlock "$fl_version" "$fl_address" "$fl_iface" "$bridge_name" "$insecure"
+ do_all_flintlock "$fl_version" "$fl_address" "$fl_iface" "$bridge_name" "$insecure" "$auth_file"
 say "$(date -u +'%F %H:%M:%S %Z'): Host $(hostname) provisioned"
 }
@@ -871,6 +900,7 @@ cmd_flintlock() {
 local parent_iface=""
 local bridge_name=""
 local insecure=false
+ local auth_file=""
 while [ $# -gt 0 ]; do
 case "$1" in
@@ -897,6 +927,10 @@ cmd_flintlock() {
 "-k" | "--insecure")
 insecure=true
 ;;
+ "-f" | "--auth_file")
+ shift
+ auth_file="$1"
+ ;;
 "--dev")
 DEVELOPMENT=true
 ;;
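Review bot: `. "${auth_file}"` executes the user-supplied file as shell code inside the provisioning script, so the file can do anything the script can rather than only supply `basic_auth_token` and the `tls_*` values, and the TLS heredoc expands `$tls_key`, `$tls_client_validate` and `$tls_client_ca` without checking they were set, so a file that defines only `tls_cert` writes empty values into the YAML. If the file is meant to hold plain key/value settings, read and parse it instead of sourcing it (patch 2 of this series moves that way), and guard the TLS block with `if [[ -n "$tls_cert" && -n "$tls_key" ]]; then`. The heredoc operator appears in this rendering as `cat <>"$FLINTLOCKD_CONFIG_PATH"`, presumably `cat <<EOF >>…` with the delimiter lost in extraction, which is worth confirming against the file. write_flintlockd_config starts before this hunk.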
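Review bot: The new `"-f" | "--auth-file")` arm shifts and reads `$1` without checking that a value follows, so `-f` given as the last argument leaves `auth_file` empty (or trips an unbound-variable error if the script runs with `set -u`, which is outside the hunk) and the option is silently ignored. Add `[[ $# -ge 2 ]] || die "option $1 requires an argument"` before the `shift`; the identical arm added to cmd_flintlock later in this commit needs the same check, and presumably the other value-taking arms outside the hunk do too. That cmd_flintlock arm also spells the long option `--auth_file` while cmd_all and both help texts use `--auth-file`, so one subcommand rejects the documented spelling.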
@@ -909,7 +943,7 @@ cmd_flintlock() {
 set_arch
 prepare_dirs
- do_all_flintlock "$version" "$address" "$parent_iface" "$bridge_name" "$insecure"
+ do_all_flintlock "$version" "$address" "$parent_iface" "$bridge_name" "$insecure" "$auth_file"
 }
 cmd_direct_lvm() {
@@ -1004,6 +1038,7 @@ cmd_all_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Set up development environment. Loop thinpools will be created.
+ --auth-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
 EOF
 }
@@ -1038,6 +1073,7 @@ cmd_flintlock_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Assumes containerd has been provisioned in a dev environment
+ --auth-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
 EOF
 }
From 5ea12a06dbff82ee4b248b4dec9611cc643577a2 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Fri, 14 Oct 2022 10:01:16 +0200
Subject: [PATCH 2/7] Merging a user provided config file with the existing one
---
 hack/scripts/provision.sh | 70 ++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 41 deletions(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index 804ac885..c5657adf 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -304,7 +304,7 @@ do_all_flintlock() {
 local parent_iface="$3"
 local bridge_name="$4"
 local insecure="$5"
- local auth_file="$6"
+ local config_file="$6"
 install_flintlockd "$version"
@@ -314,7 +314,7 @@ do_all_flintlock() {
 if [[ -z "$address" ]]; then
 address=$(lookup_address "$parent_iface")
 fi
- write_flintlockd_config "$address" "$parent_iface" "$bridge_name" "$insecure" "$auth_file"
+ write_flintlockd_config "$address" "$parent_iface" "$bridge_name" "$insecure" "$config_file"
 start_flintlockd_service
 say "Flintlockd running at $address:9090 via interface $parent_iface"
@@ -345,7 +345,7 @@ write_flintlockd_config() {
 local parent_iface="$2"
 local bridge_name="$3"
 local insecure="$4"
- local auth_file="$5"
+ local config_file="$5"
 mkdir -p "$(dirname "$FLINTLOCKD_CONFIG_PATH")"
@@ -369,26 +369,14 @@ parent-iface: "$parent_iface"
 EOF
 fi
- if [[ -n "$auth_file" ]]; then
- say "using auth file: $auth_file"
- # shellcheck source=auth_file
- # shellcheck disable=SC1091
- . "${auth_file}"
- if [[ -n "$basic_auth_token" ]]; then
- cat <>"$FLINTLOCKD_CONFIG_PATH"
-basic-auth-token: "$basic_auth_token"
+ if [[ -n "$config_file" ]]; then
+ say "merging provided config file with the created one"
+ content=$(cat "${config_file}")
+ # shellcheck disable=SC2154
+ cat <>"$FLINTLOCKD_CONFIG_PATH"
+$content
 EOF
- fi
- if [[ -n "$tls_cert" ]]; then
- # shellcheck disable=SC2154
- cat <>"$FLINTLOCKD_CONFIG_PATH"
-tls-cert: "$tls_cert"
-tls-key: "$tls_key"
-tls-client-validate: "$tls_client_validate"
-tls-client-ca: "$tls_client_ca"
-EOF
- fi
- fi
+ fi
 say "Flintlockd config saved"
 }
@@ -741,7 +729,7 @@ cmd_all() {
 local fc_version="$FIRECRACKER_VERSION"
 local fl_version="$FLINTLOCK_VERSION"
 local ctrd_version="$CONTAINERD_VERSION"
- local auth_file=""
+ local flintlock_config_file=""
 while [ $# -gt 0 ]; do
 case "$1" in
@@ -781,9 +769,9 @@ cmd_all() {
 "--dev")
 DEVELOPMENT=true
 ;;
- "-f" | "--auth-file")
+ "-f" | "--flintlock_config_file")
 shift
- auth_file="$1"
+ flintlock_config_file="$1"
 ;;
 *)
 die "Unknown argument: $1. Please use --help for help."
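Review bot: `content=$(cat "${config_file}")` has no `local`, so `content` escapes write_flintlockd_config into the global scope, and a missing or unreadable file is not handled: `cat` prints its own error while the heredoc still appends an empty line (whether the script stops there depends on `set -e`, which is outside the hunk). Replace it with `local content` followed by `content=$(cat -- "$config_file") || die "cannot read flintlockd config file: $config_file"`. The `# shellcheck disable=SC2154` directive carried over from the removed TLS block no longer refers to an unassigned variable and can be dropped. The function starts before this hunk.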
@@ -819,7 +807,7 @@ cmd_all() {
 install_firecracker "$fc_version"
 do_all_containerd "$ctrd_version" "$set_thinpool"
- do_all_flintlock "$fl_version" "$fl_address" "$fl_iface" "$bridge_name" "$insecure" "$auth_file"
+ do_all_flintlock "$fl_version" "$fl_address" "$fl_iface" "$bridge_name" "$insecure" "$flintlock_config_file"
 say "$(date -u +'%F %H:%M:%S %Z'): Host $(hostname) provisioned"
 }
@@ -900,7 +888,7 @@ cmd_flintlock() {
 local parent_iface=""
 local bridge_name=""
 local insecure=false
- local auth_file=""
+ local config_file=""
 while [ $# -gt 0 ]; do
 case "$1" in
@@ -927,9 +915,9 @@ cmd_flintlock() {
 "-k" | "--insecure")
 insecure=true
 ;;
- "-f" | "--auth_file")
+ "-f" | "--config_file")
 shift
- auth_file="$1"
+ config_file="$1"
 ;;
 "--dev")
 DEVELOPMENT=true
@@ -943,7 +931,7 @@ cmd_flintlock() {
 set_arch
 prepare_dirs
- do_all_flintlock "$version" "$address" "$parent_iface" "$bridge_name" "$insecure" "$auth_file"
+ do_all_flintlock "$version" "$address" "$parent_iface" "$bridge_name" "$insecure" "$config_file"
 }
 cmd_direct_lvm() {
@@ -1029,16 +1017,16 @@ cmd_all_help() {
 can be configured by setting the FLINTLOCK, CONTAINERD and FIRECRACKER environment variables.
 OPTIONS:
- -y Autoapprove all prompts (danger)
- --skip-apt, -s Skip installation of apt packages
- --thinpool, -t Name of thinpool to create (default: flintlock or flintlock-dev)
- --disk, -d Name blank unpartioned disk to use for direct lvm thinpool (ignored if --dev set)
- --grpc-address, -a Address on which to start the Flintlock GRPC server (default: local ipv4 address)
- --parent-iface, -i Interface of the default route of the host
- --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
- --insecure, -k Start flintlockd without basic auth or certs
- --dev Set up development environment. Loop thinpools will be created.
- --auth-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
+ -y Autoapprove all prompts (danger)
+ --skip-apt, -s Skip installation of apt packages
+ --thinpool, -t Name of thinpool to create (default: flintlock or flintlock-dev)
+ --disk, -d Name blank unpartioned disk to use for direct lvm thinpool (ignored if --dev set)
+ --grpc-address, -a Address on which to start the Flintlock GRPC server (default: local ipv4 address)
+ --parent-iface, -i Interface of the default route of the host
+ --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
+ --insecure, -k Start flintlockd without basic auth or certs
+ --dev Set up development environment. Loop thinpools will be created.
+ --flintlock_config_file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS
 EOF
 }
@@ -1073,7 +1061,7 @@ cmd_flintlock_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Assumes containerd has been provisioned in a dev environment
- --auth-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
+ --config-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
 EOF
 }
From 422f7c5b6c7e2fafce1e757e3fc225564a9183b5 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Fri, 14 Oct 2022 16:43:53 +0200
Subject: [PATCH 3/7] Apply suggestions from code review
Co-authored-by: Claudia
---
 hack/scripts/provision.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index c5657adf..6166a849 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -769,7 +769,7 @@ cmd_all() {
 "--dev")
 DEVELOPMENT=true
 ;;
- "-f" | "--flintlock_config_file")
+ "-f" | "--flintlock-config-file")
 shift
 flintlock_config_file="$1"
 ;;
@@ -915,7 +915,7 @@ cmd_flintlock() {
 "-k" | "--insecure")
 insecure=true
 ;;
- "-f" | "--config_file")
+ "-f" | "--config-file")
 shift
 config_file="$1"
 ;;
@@ -1026,7 +1026,7 @@ cmd_all_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Set up development environment. Loop thinpools will be created.
- --flintlock_config_file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS
+ --flintlock-config-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS
 EOF
 }
From bcaa4e4eb35aa398cda914466f290f87ff121f9a Mon Sep 17 00:00:00 2001
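Review bot: After this rename the same setting is still exposed under two different long names, `--flintlock-config-file` in cmd_all and `--config-file` in cmd_flintlock, while both share `-f`; unless the longer name is deliberate for the `all` subcommand, accepting `"-f" | "--config-file" | "--flintlock-config-file")` in both arms would let one invocation form work for either. The cmd_flintlock help text already says `--config-file`, so only cmd_all's parser arm and help line would need the extra spelling.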
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Fri, 14 Oct 2022 17:14:12 +0200
Subject: [PATCH 4/7] Added an associative array approach to merging user config with existing settings
---
 hack/scripts/provision.sh | 41 +++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 17 deletions(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index 6166a849..34ee5f68 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -351,32 +351,39 @@ write_flintlockd_config() {
 say "Writing flintlockd config to $FLINTLOCKD_CONFIG_PATH."
- cat <"$FLINTLOCKD_CONFIG_PATH"
----
-containerd-socket: "$CONTAINERD_STATE_DIR/containerd.sock"
-grpc-endpoint: "$address:9090"
-verbosity: 9
-insecure: $insecure
-EOF
+ declare -A settings
+ settings["containerd-socket"]="$CONTAINERD_STATE_DIR/containerd.sock"
+ settings["grpc-endpoint"]="$address:9090"
+ settings["verbosity"]="9"
+ settings["insecure"]="$insecure"
 if [[ -n "$bridge_name" ]]; then
- cat <>"$FLINTLOCKD_CONFIG_PATH"
-bridge-name: "$bridge_name"
-EOF
+ settings["bridge-name"]="$bridge_name"
 else
- cat <>"$FLINTLOCKD_CONFIG_PATH"
-parent-iface: "$parent_iface"
-EOF
+ settings["parent-iface"]="$parent_iface"
 fi
 if [[ -n "$config_file" ]]; then
 say "merging provided config file with the created one"
- content=$(cat "${config_file}")
- # shellcheck disable=SC2154
- cat <>"$FLINTLOCKD_CONFIG_PATH"
+ while IFS= read -r line; do
+ key=$(echo "$line" | awk 'BEGIN { FS = ":" } ; { print $1 }')
+ value=$(echo "$line" | awk 'BEGIN { FS = ":" } ; { print $2 }' | tr -d ' ')
+ settings[$key]="$value"
+ done <"$config_file"
+ fi
+
+ local content = ''
+ for key in ${!settings[@]}; do
+ # note that there is a line-break in this string
+ # that is important to keep the settings file valid.
+ content+="${key}: ${settings[${key}]}
+"
+ done
+
+ cat <"$FLINTLOCKD_CONFIG_PATH"
+---
 $content
 EOF
- fi
 say "Flintlockd config saved"
 }
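Review bot: `local content = ''` is not an assignment — bash parses `=` and `''` as further names to declare, reports `not a valid identifier`, returns non-zero (fatal if the script runs with `set -e`, which is outside the hunk) and leaves `content` global; it must be `local content=''`. The merge loop also cuts any value at its second colon because awk prints only field `$2`, so a user line written in the script's own format such as `grpc-endpoint: "10.0.0.1:9090"` is stored as `"10.0.0.1"`, while `tr -d ' '` strips spaces inside quoted values, `for key in ${!settings[@]}` is unquoted, and `done <"$config_file"` never checks that the file is readable. The rewrite below splits on the first colon with parameter expansion, trims leading whitespace, quotes the expansions, skips lines without a colon (as patch 6 of this series also does) and fails early on an unreadable file; the closing heredoc is unchanged. write_flintlockd_config starts before this hunk.
```shell
  if [[ -n "$config_file" ]]; then
    [[ -r "$config_file" ]] || die "Cannot read flintlockd config file: $config_file"
    say "merging provided config file with the created one"
    local line key value
    # Tolerate a missing trailing newline; split on the FIRST ':' only so
    # values such as "host:port" are kept intact.
    while IFS= read -r line || [[ -n "$line" ]]; do
      [[ $line == *:* ]] || continue
      key=${line%%:*}
      value=${line#*:}
      value=${value#"${value%%[![:space:]]*}"}   # trim leading whitespace
      settings["$key"]="$value"
    done <"$config_file"
  fi

  local content=''
  for key in "${!settings[@]}"; do
    # the embedded newline keeps one option per line in the YAML output
    content+="${key}: ${settings[$key]}
"
  done
  # … unchanged: heredoc writing "---" and $content to $FLINTLOCKD_CONFIG_PATH …
```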
From 00dadb3a921087d7ad8662e609288767c123807f Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Fri, 21 Oct 2022 15:52:07 +0200
Subject: [PATCH 5/7] Apply suggestions from code review
Co-authored-by: Claudia
---
 hack/scripts/provision.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index 806d7fff..25011219 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -1033,7 +1033,7 @@ cmd_all_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Set up development environment. Loop thinpools will be created.
- --flintlock-config-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS
+ --flintlock-config-file, -f Path to a valid flintlockd configuration file with overriding config
 EOF
 }
@@ -1068,7 +1068,7 @@ cmd_flintlock_help() {
 --bridge, -b Bridge to use instead of an interface (will override --parent-iface)
 --insecure, -k Start flintlockd without basic auth or certs
 --dev Assumes containerd has been provisioned in a dev environment
- --config-file, -f Provide a configuration file to set up authentication for flintlock such as, token or TLS (the file should follow shell syntax)
+ --config-file, -f Path to a valid flintlockd configuration file with overriding config
 EOF
 }
From daf8ee53e42a93934dc480fb1138dbbeb4295ec4 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Mon, 24 Oct 2022 08:35:18 +0200
Subject: [PATCH 6/7] Added check for lines to contain ":".
---
 hack/scripts/provision.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index 5baaef3f..a52a482e 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -366,6 +366,9 @@ write_flintlockd_config() {
 if [[ -n "$config_file" ]]; then
 say "merging provided config file with the created one"
 while IFS= read -r line; do
+ if [[ $line != *":"* ]]; then
+ continue
+ fi
 key=$(echo "$line" | awk 'BEGIN { FS = ":" } ; { print $1 }')
 value=$(echo "$line" | awk 'BEGIN { FS = ":" } ; { print $2 }' | tr -d ' ')
 settings[$key]="$value"
From 8cef6f3b368092460dcd18488a02077f906a6413 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Mon, 24 Oct 2022 10:49:42 +0200
Subject: [PATCH 7/7] Update hack/scripts/provision.sh
Co-authored-by: Claudia
---
 hack/scripts/provision.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/scripts/provision.sh b/hack/scripts/provision.sh
index a52a482e..1b51feec 100755
--- a/hack/scripts/provision.sh
+++ b/hack/scripts/provision.sh
@@ -364,7 +364,7 @@ write_flintlockd_config() {
 fi
 if [[ -n "$config_file" ]]; then
- say "merging provided config file with the created one"
+ say "Merging provided flintlockd config file with auto-generated options"
 while IFS= read -r line; do
 if [[ $line != *":"* ]]; then
 continue
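Review bot: The added guard only skips lines with no colon, so a YAML comment such as `# grpc-endpoint: ...` still contains one and is merged under the key `# grpc-endpoint`, and a value that carries its own colon is still cut at the awk split on the following lines (raised on patch 4 of this series). Extend the condition to `if [[ $line != *":"* || $line =~ ^[[:space:]]*# ]]; then` so comment lines are dropped as well. The enclosing while loop and write_flintlockd_config both start before and end after this hunk.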