author | Austin S. Hemmelgarn <austin@netdata.cloud> | 2024-06-12 07:05:39 -0400 |
committer | GitHub <noreply@github.com> | 2024-06-12 07:05:39 -0400 |
commit | 405a1635a57b4337d3006bf65708d9da1ea8cc8c (patch) | |
tree | 7dc38869e35a25f748c0f7a67546c34280558cb1 /packaging | |
parent | ce1cb43d30a73826a054b987dd1201bb13b1056e (diff) |
Add improved handling for TLS certificates for static builds. (#17605)
* Add improved handling for TLS certificates for static builds.
* Properly replace symlinks.
* Fix shellcheck warning.
* Fix option handling.
- Persist certificate handling mode and check URL across reinstalls.
- Properly consume the arguments for the certificate handling options.
* Add five minute hard timeout on certificate check.
* Differentiate specific error results from curl.
* Persist cert handling options regardless of how they’re passed in.
* Escape slashes in REINSTALL_OPTIONS.
* Fix escaping of reinstall options.
Diffstat (limited to 'packaging')
-rwxr-xr-x | packaging/installer/kickstart.sh | 8 | ||||
-rwxr-xr-x | packaging/makeself/install-or-update.sh | 92 |
2 files changed, 88 insertions, 12 deletions
diff --git a/packaging/installer/kickstart.sh b/packaging/installer/kickstart.sh index 63402825d8..dde738c281 100755 --- a/packaging/installer/kickstart.sh +++ b/packaging/installer/kickstart.sh @@ -1816,9 +1816,15 @@ try_static_install() { opts="${opts} --accept" fi + env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=check" + + if [ -n "${NETDATA_OFFLINE_INSTALL_SOURCE}" ]; then + env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=auto" + fi + progress "Installing netdata" # shellcheck disable=SC2086 - if ! run_as_root sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then + if ! run_as_root ${env_cmd} /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then warning "Failed to install static build of Netdata on ${SYSARCH}." run rm -rf /opt/netdata return 2 diff --git a/packaging/makeself/install-or-update.sh b/packaging/makeself/install-or-update.sh index e5397c9e8c..67be9d69c5 100755 --- a/packaging/makeself/install-or-update.sh +++ b/packaging/makeself/install-or-update.sh @@ -27,6 +27,8 @@ fi STARTIT=1 REINSTALL_OPTIONS="" +NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}" +NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}" RELEASE_CHANNEL="nightly" while [ "${1}" ]; do @@ -48,6 +50,19 @@ while [ "${1}" ]; do NETDATA_DISABLE_TELEMETRY=1 REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}" ;; + "--certificates") + case "${2}" in + auto|system) NETDATA_CERT_MODE="auto" ;; + check) NETDATA_CERT_MODE="check" ;; + bundled) NETDATA_CERT_MODE="bundled" ;; + *) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;; + esac + shift 1 + ;; + "--certificate-test-url") + NETDATA_CERT_TEST_URL="${2}" + shift 1 + ;; *) echo >&2 "Unknown option '${1}'. Ignoring it." ;; esac 
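Review bot: `${env_cmd}` is expanded unquoted in the new `run_as_root` line, so a `NETDATA_CLAIM_URL` containing whitespace or glob characters is word-split into extra argv words before the installer is invoked, and an empty claim URL silently produces `NETDATA_CERT_TEST_URL=` (which the installer then replaces with its own default, hiding the misconfiguration). Pass the assignments as separately quoted words and keep the mode in a variable instead of duplicating the whole string: `run_as_root env "NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL}" "NETDATA_CERT_MODE=${cert_mode}" /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}`, with `cert_mode=check` set above and `cert_mode=auto` in the offline branch. Whether `run_as_root` preserves argv exactly (for example through sudo) is not visible here; if it re-joins a command string, the quoting has to happen there instead. `try_static_install` starts and ends outside the hunk.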
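Review bot: `--certificate-test-url` accepts any value, but the later `test_certs` only exercises the trust store when the URL is `https://`; with a plain `http://` URL curl exits 0 without a TLS handshake, so `check` mode would select the system certificates untested. Reject non-TLS schemes at parse time, e.g. `case "${2}" in https://*) NETDATA_CERT_TEST_URL="${2}" ;; *) run_failed "Certificate test URL must use https://"; exit 1 ;; esac`. Both new options also assume a value is present: given as the last argument, `${2}` is empty, the mode falls into the `*)` error arm (good) but the URL arm stores an empty string and `shift 1` then runs past the end of the argument list, which is fatal in some `/bin/sh` implementations, so checking `[ -n "${2}" ]` in the same place is worthwhile.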
@@ -62,6 +77,14 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] || REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry" fi +if [ -n "${NETDATA_CERT_MODE}" ]; then + REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}" +fi + +if [ -n "${NETDATA_CERT_TEST_URL}" ]; then + REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}" +fi + # ----------------------------------------------------------------------------- progress "Attempt to create user/group netdata/netadata" 
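Review bot: `NETDATA_CERT_MODE` is persisted as `--certificates ${NETDATA_CERT_MODE}` without the validation the `--certificates` option applies, so a value that arrived through the environment (only defaulted in the earlier hunk, never normalized) is written as-is; anything outside auto/system/check/bundled works now because the later `case` treats it like `auto`, but the next reinstall re-parses its own saved options and hits `run_failed`/`exit 1`. Validate once after argument parsing, before persisting, e.g. `case "${NETDATA_CERT_MODE}" in auto|check|bundled) ;; system) NETDATA_CERT_MODE=auto ;; *) run_failed "Unknown certificate handling mode '${NETDATA_CERT_MODE}'"; exit 1 ;; esac`. The two `-n` guards are also always true given the defaults assigned at the top of the script, so they can become that validation rather than stay as dead checks.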
@@ -208,26 +231,73 @@ done # ----------------------------------------------------------------------------- -echo "Configure TLS certificate paths" -if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then - echo "Preserving existing user configuration for TLS" -else +replace_symlink() { + target="${1}" + name="${2}" + rm -f "${name}" + ln -s "${target}" "${name}" +} + +select_system_certs() { if [ -d /etc/pki/tls ] ; then - echo "Using /etc/pki/tls for TLS configuration and certificates" - ln -sf /etc/pki/tls /opt/netdata/etc/ssl + echo "${1} /etc/pki/tls for TLS configuration and certificates" + replace_symlink /etc/pki/tls /opt/netdata/etc/ssl elif [ -d /etc/ssl ] ; then - echo "Using /etc/ssl for TLS configuration and certificates" - ln -sf /etc/ssl /opt/netdata/etc/ssl - else - echo "Using bundled TLS configuration and certificates" - ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl + echo "${1} /etc/ssl for TLS configuration and certificates" + replace_symlink /etc/ssl /opt/netdata/etc/ssl fi +} + +select_internal_certs() { + echo "Using bundled TLS configuration and certificates" + replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl +} + +certs_selected() { + [ -L /opt/netdata/etc/ssl ] || return 1 +} + +test_certs() { + /opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}" + + case "$?" in + 35|77) echo "Failed to load certificate files for test." ; return 1 ;; + 60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;; + 53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;; + 0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;; + *) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;; + esac +} + +# If the user has manually set up certificates, don’t mess with it. +if [ ! 
-L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then + echo "Preserving existing user configuration for TLS" +else + echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})" + case "${NETDATA_CERT_MODE}" in + check) + select_system_certs "Testing" + if certs_selected && test_certs; then + select_system_certs "Using" + else + select_internal_certs + fi + ;; + bundled) select_internal_certs ;; + *) + select_system_certs "Using" + if ! certs_selected; then + select_internal_certs + fi + ;; + esac fi # ----------------------------------------------------------------------------- echo "Save install options" grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment" +REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')" sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment" # ----------------------------------------------------------------------------- |
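Review bot: The new `awk` escape before `sed -i` only protects `/`, yet `NETDATA_CERT_TEST_URL` now reaches `REINSTALL_OPTIONS` verbatim, and a URL containing `&` (any query string) or `\` is still interpreted as `sed` replacement syntax — `&` re-inserts the whole matched `REINSTALL_OPTIONS="..."` text — so the saved `.environment` line is corrupted, and a `"` in the value breaks the quoted assignment outright. Escape all three metacharacters in one pass, e.g. `REINSTALL_OPTIONS="$(printf '%s' "${REINSTALL_OPTIONS}" | sed 's|[/&\\]|\\&|g')"`, and reject `"` and whitespace in the test URL where the option is parsed so the persisted line stays a valid shell assignment. Separately, `test_certs` treats every curl status not listed as a transient network problem and keeps the system certificates in `check` mode; a comment such as `# Any other status (DNS, connect, timeout, HTTP >= 400 via --fail) means the handshake itself was not the problem, so keep the selection.` would make that intent explicit for the next reader.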