archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-04-06 06:25:32 +00:00
Code Issues Projects Releases Wiki Activity

Add improved handling for TLS certificates for static builds. ()

Browse source 
* Add improved handling for TLS certificates for static builds.

* Properly replace symlinks.

* Fix shellcheck warning.

* Fix option handling.

- Persist certificate handling mode and check URL across reinstalls.
- Properly consume the arguments for the certificate handling options.

* Add five minute hard timeout on certificate check.

* Differentiate specific error results from curl.

* Persist cert handling options regardless of how they’re passed in.

* Escape slashes in REINSTALL_OPTIONS.

* Fix escaping of reinstall options.
This commit is contained in:
Austin S. Hemmelgarn 2024-06-12 07:05:39 -04:00 committed by GitHub
parent ce1cb43d30
commit 405a1635a5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 88 additions and 12 deletions
packaging
installer
kickstart.sh
makeself
install-or-update.sh

8
packaging/installer/kickstart.sh
View file

@ -1816,9 +1816,15 @@ try_static_install() {
opts="${opts} --accept"
fi
env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=check"
if [ -n "${NETDATA_OFFLINE_INSTALL_SOURCE}" ]; then
env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=auto"
fi
progress "Installing netdata"
# shellcheck disable=SC2086
if ! run_as_root sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
if ! run_as_root ${env_cmd} /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
warning "Failed to install static build of Netdata on ${SYSARCH}."
run rm -rf /opt/netdata
return 2

92
packaging/makeself/install-or-update.sh
View file

@ -27,6 +27,8 @@ fi
STARTIT=1
REINSTALL_OPTIONS=""
NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}"
NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
RELEASE_CHANNEL="nightly"
while [ "${1}" ]; do
@ -48,6 +50,19 @@ while [ "${1}" ]; do
NETDATA_DISABLE_TELEMETRY=1
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--certificates")
case "${2}" in
auto|system) NETDATA_CERT_MODE="auto" ;;
check) NETDATA_CERT_MODE="check" ;;
bundled) NETDATA_CERT_MODE="bundled" ;;
*) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
esac
shift 1
;;
"--certificate-test-url")
NETDATA_CERT_TEST_URL="${2}"
shift 1
;;
*) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
esac
@ -62,6 +77,14 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
fi
if [ -n "${NETDATA_CERT_MODE}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
fi
if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
fi
# -----------------------------------------------------------------------------
progress "Attempt to create user/group netdata/netadata"
@ -208,26 +231,73 @@ done
# -----------------------------------------------------------------------------
echo "Configure TLS certificate paths"
replace_symlink() {
target="${1}"
name="${2}"
rm -f "${name}"
ln -s "${target}" "${name}"
}
select_system_certs() {
if [ -d /etc/pki/tls ] ; then
echo "${1} /etc/pki/tls for TLS configuration and certificates"
replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
elif [ -d /etc/ssl ] ; then
echo "${1} /etc/ssl for TLS configuration and certificates"
replace_symlink /etc/ssl /opt/netdata/etc/ssl
fi
}
select_internal_certs() {
echo "Using bundled TLS configuration and certificates"
replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
}
certs_selected() {
[ -L /opt/netdata/etc/ssl ] || return 1
}
test_certs() {
/opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"
case "$?" in
35|77) echo "Failed to load certificate files for test." ; return 1 ;;
60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
*) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
esac
}
# If the user has manually set up certificates, dont mess with it.
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
echo "Preserving existing user configuration for TLS"
else
if [ -d /etc/pki/tls ] ; then
echo "Using /etc/pki/tls for TLS configuration and certificates"
ln -sf /etc/pki/tls /opt/netdata/etc/ssl
elif [ -d /etc/ssl ] ; then
echo "Using /etc/ssl for TLS configuration and certificates"
ln -sf /etc/ssl /opt/netdata/etc/ssl
else
echo "Using bundled TLS configuration and certificates"
ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl
fi
echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
case "${NETDATA_CERT_MODE}" in
check)
select_system_certs "Testing"
if certs_selected && test_certs; then
select_system_certs "Using"
else
select_internal_certs
fi
;;
bundled) select_internal_certs ;;
*)
select_system_certs "Using"
if ! certs_selected; then
select_internal_certs
fi
;;
esac
fi
# -----------------------------------------------------------------------------
echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"
# -----------------------------------------------------------------------------