Merge pull request #33 from bodsch/master

merge master to 1801
bodsch · Jan 17, 2018 · 78607f6 · 78607f6
2 parents ebcc772 + 99731c1
commit 78607f6
Show file tree

Hide file tree

Showing 10 changed files with 206 additions and 69 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -6,7 +6,7 @@ ENV \
   TZ='Europe/Berlin' \
   BUILD_DATE="2018-01-18" \
   BUILD_TYPE="stable" \
-  CERT_SERVICE_VERSION="0.15.12" \
+  CERT_SERVICE_VERSION="0.16.3" \
   ICINGA_VERSION="2.8.0-r0"
 
 EXPOSE 5665 8080
@@ -45,14 +45,20 @@ RUN \
   gem install --quiet --no-rdoc --no-ri \
     io-console bundler && \
   cd /tmp && \
-  git clone https://github.com/bodsch/ruby-icinga-cert-service.git && \
-  cd ruby-icinga-cert-service && \
-  if [ "${BUILD_TYPE}" == "stable" ] ; then \
-    echo "switch to stable Tag v${CERT_SERVICE_VERSION}" && \
-    git checkout tags/${CERT_SERVICE_VERSION} 2> /dev/null ; \
-  elif [ "${BUILD_TYPE}" == "development" ] ; then \
-    echo "switch to development Branch" && \
-    git checkout development 2> /dev/null ; \
+  if [ "${BUILD_TYPE}" == "local" ] ; then \
+    echo "use local sources" && \
+    mv /ruby-icinga-cert-service /tmp/ && \
+    cd ruby-icinga-cert-service ; \
+  else \
+    git clone https://github.com/bodsch/ruby-icinga-cert-service.git && \
+    cd ruby-icinga-cert-service && \
+    if [ "${BUILD_TYPE}" == "stable" ] ; then \
+      echo "switch to stable Tag v${CERT_SERVICE_VERSION}" && \
+      git checkout tags/${CERT_SERVICE_VERSION} 2> /dev/null ; \
+    elif [ "${BUILD_TYPE}" == "development" ] ; then \
+      echo "switch to development Branch" && \
+      git checkout development 2> /dev/null ; \
+    fi \
   fi && \
   bundle install --quiet && \
   gem uninstall --quiet \

diff --git a/Dockerfile.DEV b/Dockerfile.DEV
@@ -0,0 +1,96 @@
+
+FROM alpine:3.7
+
+ENV \
+  TERM=xterm \
+  TZ='Europe/Berlin' \
+  BUILD_DATE="2018-01-18" \
+  BUILD_TYPE="stable" \
+  CERT_SERVICE_VERSION="0.16.3" \
+  ICINGA_VERSION="2.8.0-r0"
+
+EXPOSE 5665 8080
+
+LABEL \
+  version="1801" \
+  maintainer="Bodo Schulz <[email protected]>" \
+  org.label-schema.build-date=${BUILD_DATE} \
+  org.label-schema.name="Icinga2 Docker Image" \
+  org.label-schema.description="Inofficial Icinga2 Docker Image" \
+  org.label-schema.url="https://www.icinga.org/" \
+  org.label-schema.vcs-url="https://github.com/bodsch/docker-icinga2" \
+  org.label-schema.vendor="Bodo Schulz" \
+  org.label-schema.version=${ICINGA_VERSION} \
+  org.label-schema.schema-version="1.0" \
+  com.microscaling.docker.dockerfile="/Dockerfile" \
+  com.microscaling.license="GNU General Public License v3.0"
+
+# ---------------------------------------------------------------------------------------
+
+ADD build/ /
+
+RUN \
+  apk update --quiet --no-cache  && \
+  apk upgrade --quiet --no-cache && \
+  apk add --quiet --no-cache --virtual .build-deps \
+    libffi-dev g++ make git openssl-dev ruby-dev && \
+  apk add --quiet --no-cache \
+    bash bind-tools curl expect fping inotify-tools icinga2 jq mailx monitoring-plugins mariadb-client netcat-openbsd nmap nrpe-plugin openssl pwgen ruby rsync ssmtp tzdata unzip && \
+  cp /etc/icinga2/conf.d.example/* /etc/icinga2/conf.d/ && \
+  ln -s /usr/lib/nagios/plugins/* /usr/lib/monitoring-plugins/ && \
+  /usr/sbin/icinga2 feature enable command checker mainlog notification && \
+  mkdir -p /etc/icinga2/objects.d && \
+  mkdir -p /run/icinga2/cmd && \
+  cp /etc/icinga2/zones.conf /etc/icinga2/zones.conf-distributed && \
+  chmod u+s /bin/busybox && \
+  echo 'gem: --no-document' >> /etc/gemrc && \
+  gem install --quiet --no-rdoc --no-ri \
+    io-console bundler
+
+RUN \
+  cd /tmp && \
+  if [ "${BUILD_TYPE}" == "local" ] ; then \
+    echo "use local sources" && \
+    mv /ruby-icinga-cert-service /tmp/ && \
+    cd ruby-icinga-cert-service ; \
+  else \
+    git clone https://github.com/bodsch/ruby-icinga-cert-service.git && \
+    cd ruby-icinga-cert-service && \
+    if [ "${BUILD_TYPE}" == "stable" ] ; then \
+      echo "switch to stable Tag v${CERT_SERVICE_VERSION}" && \
+      git checkout tags/${CERT_SERVICE_VERSION} 2> /dev/null ; \
+    elif [ "${BUILD_TYPE}" == "development" ] ; then \
+      echo "switch to development Branch" && \
+      git checkout development 2> /dev/null ; \
+    fi \
+  fi && \
+  bundle install --quiet && \
+  gem uninstall --quiet \
+    io-console bundler && \
+  cp -ar /tmp/ruby-icinga-cert-service/bin /usr/local/ && \
+  cp -ar /tmp/ruby-icinga-cert-service/lib /usr/local/
+
+RUN \
+  apk del --quiet --purge .build-deps && \
+  rm -rf \
+    /tmp/* \
+    /var/cache/apk/* \
+    /root/.gem \
+    /root/.bundle
+
+COPY rootfs/ /
+
+WORKDIR "/etc/icinga2"
+
+VOLUME [ "/etc/icinga2", "/var/lib/icinga2" ]
+
+HEALTHCHECK \
+  --interval=5s \
+  --timeout=2s \
+  --retries=12 \
+  --start-period=10s \
+  CMD ps ax | grep -v grep | grep -c "/usr/lib/icinga2/sbin/icinga2" || exit 1
+
+CMD [ "/init/run.sh" ]
+
+# ---------------------------------------------------------------------------------------
diff --git a/docker-compose_example.yml b/docker-compose_example.yml
@@ -56,6 +56,7 @@ services:
       - MYSQL_ROOT_PASS=vYUQ14SGVrJRi69PsujC
       - IDO_PASSWORD=qUVuLTk9oEDUV0A
       # environment variables for the certificates service
+      - ICINGA_HOST=icinga2-master.matrix.lan
       - ICINGA_MASTER=icinga2-master.matrix.lan
       - BASIC_AUTH_USER=foofoo
       - BASIC_AUTH_PASS=barbar

diff --git a/rootfs/etc/icinga2/conf.d/api-users.conf b/rootfs/etc/icinga2/conf.d/api-users.conf
@@ -4,11 +4,3 @@ object ApiUser "root" {
   client_cn   = NodeName
   permissions = [ "*" ]
 }
-
-/*
-object ApiUser "dashing" {
-  password    = "icinga2ondashingr0xx"
-  client_cn   = NodeName
-  permissions = [ "*" ]
-}
-*/
diff --git a/rootfs/init/api_user.sh b/rootfs/init/api_user.sh
@@ -15,24 +15,28 @@ create_api_user() {
 
   if [[ ! -z "${api_users}" ]]
   then
-    log_info "create configuration for API users ..."
 
-    # DESTROY the old entrys
-    #
-    echo "" > ${api_file}
+    if [[ $(cat ${api_file} | wc -l) -eq 6 ]]
+    then
+      log_info "create configuration for API users ..."
 
-    for u in ${api_users}
-    do
-      user=$(echo "${u}" | cut -d: -f1)
-      pass=$(echo "${u}" | cut -d: -f2)
+      # the initial configuration
+      # make it blank and create our default users
+      #
+      echo "" > ${api_file}
 
-      [[ -z ${pass} ]] && pass=${user}
+      for u in ${api_users}
+      do
+        user=$(echo "${u}" | cut -d: -f1)
+        pass=$(echo "${u}" | cut -d: -f2)
 
-      log_info "  - '${user}'"
+        [[ -z ${pass} ]] && pass=${user}
 
-      if [[ $(grep -c "object ApiUser \"${user}\"" ${api_file}) -eq 0 ]]
-      then
-        cat << EOF >> ${api_file}
+        if [[ $(grep -c "object ApiUser \"${user}\"" ${api_file}) -eq 0 ]]
+        then
+          log_info "  add user '${user}'"
+
+          cat << EOF >> ${api_file}
 
 object ApiUser "${user}" {
   password    = "${pass}"
@@ -41,8 +45,9 @@ object ApiUser "${user}" {
 }
 
 EOF
-      fi
-    done
+        fi
+      done
+    fi
   fi
 
 }

diff --git a/rootfs/init/common.sh b/rootfs/init/common.sh
@@ -4,6 +4,7 @@ DEMO_DATA=${DEMO_DATA:-'false'}
 USER=
 GROUP=
 ICINGA_MASTER=${ICINGA_MASTER:-''}
+ICINGA_HOST=${ICINGA_HOST:-${ICINGA_MASTER}}
 
 # prepare the system and icinga to run in the docker environment
 #
@@ -155,3 +156,37 @@ curl_opts() {
 
   echo ${opts}
 }
+
+
+validate_certservice_environment() {
+
+  ICINGA_CERT_SERVICE_BA_USER=${ICINGA_CERT_SERVICE_BA_USER:-"admin"}
+  ICINGA_CERT_SERVICE_BA_PASSWORD=${ICINGA_CERT_SERVICE_BA_PASSWORD:-"admin"}
+  ICINGA_CERT_SERVICE_API_USER=${ICINGA_CERT_SERVICE_API_USER:-""}
+  ICINGA_CERT_SERVICE_API_PASSWORD=${ICINGA_CERT_SERVICE_API_PASSWORD:-""}
+  ICINGA_CERT_SERVICE_SERVER=${ICINGA_CERT_SERVICE_SERVER:-"localhost"}
+  ICINGA_CERT_SERVICE_PORT=${ICINGA_CERT_SERVICE_PORT:-"80"}
+  ICINGA_CERT_SERVICE_PATH=${ICINGA_CERT_SERVICE_PATH:-"/"}
+  ICINGA_CERT_SERVICE=false
+
+  # use the new Cert Service to create and get a valide certificat for distributed icinga services
+  #
+  if (
+    [[ ! -z ${ICINGA_CERT_SERVICE_BA_USER} ]] &&
+    [[ ! -z ${ICINGA_CERT_SERVICE_BA_PASSWORD} ]] &&
+    [[ ! -z ${ICINGA_CERT_SERVICE_API_USER} ]] &&
+    [[ ! -z ${ICINGA_CERT_SERVICE_API_PASSWORD} ]]
+  )
+  then
+    ICINGA_CERT_SERVICE=true
+
+    export ICINGA_CERT_SERVICE_BA_USER
+    export ICINGA_CERT_SERVICE_BA_PASSWORD
+    export ICINGA_CERT_SERVICE_API_USER
+    export ICINGA_CERT_SERVICE_API_PASSWORD
+    export ICINGA_CERT_SERVICE_SERVER
+    export ICINGA_CERT_SERVICE_PORT
+    export ICINGA_CERT_SERVICE_PATH
+    export ICINGA_CERT_SERVICE
+  fi
+}
diff --git a/rootfs/init/icinga_types/master.sh b/rootfs/init/icinga_types/master.sh
@@ -1,27 +1,21 @@
 
 # restore a old zone file for automatic generated satellites
 #
-restore_old_zone_config() {
+restore_backup() {
 
   # backwards compatibility
   # in an older version, we create all zone config files in an seperate directory
   #
   [[ -d ${ICINGA_LIB_DIR}/backup/automatic-zones.d ]] && mv ${ICINGA_LIB_DIR}/backup/automatic-zones.d ${ICINGA_LIB_DIR}/backup/zones.d
 
-  if [[ -d ${ICINGA_LIB_DIR}/backup/zones.d ]]
+  if [[ -d ${ICINGA_LIB_DIR}/backup ]]
   then
-    log_info "restore older zone configurations"
-
-    rsync \
-      --archive \
-      --recursive \
-      --delete \
-      --include="zones.d/***" \
-      --include="zones.*" \
-      --exclude='*' \
-      ${ICINGA_LIB_DIR}/backup/* /etc/icinga2/
-  fi
+    log_info "restore backup"
 
+    [[ -f ${ICINGA_LIB_DIR}/backup/zones.conf ]] && cp -a ${ICINGA_LIB_DIR}/backup/zones.conf /etc/icinga2/zones.conf
+    [[ -d ${ICINGA_LIB_DIR}/backup/zones.d ]]    && cp -ar ${ICINGA_LIB_DIR}/backup/zones.d/* /etc/icinga2/zones.d/
+    [[ -f ${ICINGA_LIB_DIR}/backup/conf.d/api-users.conf ]] && cp -a ${ICINGA_LIB_DIR}/backup/conf.d/api-users.conf /etc/icinga2/conf.d/api-users.conf
+  fi
 }
 
 
@@ -33,7 +27,7 @@ configure_icinga2_master() {
 
   create_ca
 
-  restore_old_zone_config
+  restore_backup
 
   # copy master specific configurations
   #

diff --git a/rootfs/init/run.sh b/rootfs/init/run.sh
@@ -76,6 +76,7 @@ run() {
   . /init/common.sh
 
   prepare
+  validate_certservice_environment
 
   . /init/database/mysql.sh
   . /init/configure_icinga.sh
@@ -95,10 +96,13 @@ run() {
     # backup the generated zones
     #
     nohup /init/runtime/inotify.sh > /dev/stdout 2>&1 &
+
+    # env | grep ICINGA | sort
     nohup /usr/local/bin/rest-service.rb > /dev/stdout 2>&1 &
   else
     :
     nohup /init/runtime/ca_validator.sh > /dev/stdout 2>&1 &
+
     if [[ ! -e /tmp/final ]]
     then
       nohup /init/runtime/zone_watcher.sh > /dev/stdout 2>&1 &

diff --git a/rootfs/init/runtime/inotify.sh b/rootfs/init/runtime/inotify.sh
@@ -26,7 +26,7 @@ inotifywait \
   while read path action file
   do
 
-    if ( [[ -z "${file}" ]] || [[ ! ${file} =~ ^zones* ]] )
+    if ( [[ -z "${file}" ]] || [[ ! ${file} =~ ^zones* ]] && [[ "${file}" != "api-users.conf" ]] )
     then
       continue
     fi
@@ -48,22 +48,26 @@ inotifywait \
       # remove directory
       #
       rm -rf ${backup_directory}/${file}
-
-    # monitor CLOSE_WRITE,CLOSE
-    #
-    elif [[ "${action}" = "CLOSE_WRITE,CLOSE" ]]
-    then
-      # use rsync for an backup
-      # we need only zones.conf and the complete zones.d directory
-      # all others are irrelevant
-      #
-      rsync \
-        --archive \
-        --recursive \
-        --delete \
-        --include="zones.d/***" \
-        --include="zones.*" \
-        --exclude='*' \
-        ${monitored_directory}/* ${backup_directory}/
     fi
+
+#     # monitor CLOSE_WRITE,CLOSE
+#     #
+#     elif [[ "${action}" = "CLOSE_WRITE,CLOSE" ]]
+#     then
+#       # use rsync for an backup
+#       # we need only zones.conf and the complete zones.d directory
+#       # all others are irrelevant
+#       #
+#       rsync \
+#         --archive \
+#         --recursive \
+#         --delete \
+#         --verbose \
+#         --include="zones.d/***" \
+#         --include="zones.*" \
+#         --include="conf.d" \
+#         --include="conf.d/api-users.conf" \
+#         --exclude='*' \
+#         ${monitored_directory}/* ${backup_directory}/
+#     fi
   done
diff --git a/rootfs/init/wait_for/cert_service.sh b/rootfs/init/wait_for/cert_service.sh
@@ -5,7 +5,7 @@ wait_for_icinga_cert_service() {
 
   # the CERT-Service API use an Basic-Auth as first Authentication *AND*
   # use an own API Userr
-  if [[ ${ICINGA_CERT_SERVICE} ]]
+  if [[ "${ICINGA_CERT_SERVICE}" = "true" ]]
   then
 
     # use the new Cert Service to create and get a valide certificat for distributed icinga services
@@ -77,10 +77,10 @@ wait_for_icinga_cert_service() {
     fi
   else
     log_warn "missing variables:"
-    log_warn"     ICINGA_CERT_SERVICE_BA_USER: '${ICINGA_CERT_SERVICE_BA_USER}'"
-    log_warn"     ICINGA_CERT_SERVICE_BA_PASSWORD: '${ICINGA_CERT_SERVICE_BA_PASSWORD}'"
-    log_warn"     ICINGA_CERT_SERVICE_API_USER: '${ICINGA_CERT_SERVICE_API_USER}'"
-    log_warn"     ICINGA_CERT_SERVICE_API_PASSWORD: '${ICINGA_CERT_SERVICE_API_PASSWORD}'"
+    log_warn "     ICINGA_CERT_SERVICE_BA_USER: '${ICINGA_CERT_SERVICE_BA_USER}'"
+    log_warn "     ICINGA_CERT_SERVICE_BA_PASSWORD: '${ICINGA_CERT_SERVICE_BA_PASSWORD}'"
+    log_warn "     ICINGA_CERT_SERVICE_API_USER: '${ICINGA_CERT_SERVICE_API_USER}'"
+    log_warn "     ICINGA_CERT_SERVICE_API_PASSWORD: '${ICINGA_CERT_SERVICE_API_PASSWORD}'"
   fi
 }