Differences
This page shows the differences between two versions of the page.
update [2017/04/03 16:01] mike | update [2018/03/14 11:36] (current) mike
Line 7: | Line 7: | ||
''00'' - Development | ''00'' - Development | ||
- | ''01'' - Testmaschinen | + | ''01'' - Testmaschinen, Demos |
''02'' - Testkunden | ''02'' - Testkunden | ||
''10 - 99'' produktive Kundenserver | ''10 - 99'' produktive Kundenserver | ||
+ | |||
+ | ''100'' - ''999'' on-premises Maschinen bei Kunden | ||
===== Updateserver ===== | ===== Updateserver ===== | ||
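Review bot: the added range line `''100'' - ''999'' on-premises Maschinen bei Kunden` formats the range differently from the existing `''10 - 99'' produktive Kundenserver`; put the whole range inside one pair of quotes (`''100 - 999''`) so the region list reads uniformly. It would also help to state here which region number on-premises machines pass to the client scripts, since the crontab added later in this revision calls `sysupdate.sh 100`.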
Line 22: | Line 24: | ||
datenschutz-server-1.0-SNAPSHOT.jar.enc ... die verschlüsselte Updatedatei | datenschutz-server-1.0-SNAPSHOT.jar.enc ... die verschlüsselte Updatedatei | ||
version.sha256 ... Die Prüfsumme der unverschlüsselten Updatedatei | version.sha256 ... Die Prüfsumme der unverschlüsselten Updatedatei | ||
+ | sysupdate.txt ... Enthält "OK" wenn in dieser Region Systemupdates durchgeführt werden sollen | ||
</file> | </file> | ||
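Review bot: the new `sysupdate.txt` entry should state the file's trust model next to the other two files: unlike the JAR, which is encrypted and checked against `version.sha256`, this file is served as plain text and its content alone decides whether every client in the region runs `yum -y update` and reboots, so it is exactly as trustworthy as write access to `/var/www/html/update/<region>/` on the update server. Saying so in the file list makes clear that the directory permissions on the update server are part of the update security, not only the key material.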
Line 27: | Line 30: | ||
Als Verschlüsselung wird ein asymmetrisches Verfahren verwendet, wobei sich der öffentliche Schlüssel unter ''update-secure.pub.pem'' am Updateserver befindet und der private Schlüssel in den Clients gespeichert ist. | Als Verschlüsselung wird ein asymmetrisches Verfahren verwendet, wobei sich der öffentliche Schlüssel unter ''update-secure.pub.pem'' am Updateserver befindet und der private Schlüssel in den Clients gespeichert ist. | ||
+ | |||
+ | Danach werden die einzelnen Regionen freigeschalten, indem das Script ''distribute.sh <src> <dst>'' aufgerufen wird, wobei src die Ausgangsregion und dst die Zielregion ist. | ||
+ | |||
+ | Ein Beispielaufruf wäre: | ||
+ | |||
+ | <code> | ||
+ | # sudo ./distribute.sh 00 01 | ||
+ | </code> | ||
+ | |||
+ | um die Updates von der Developmentregion auf die Testmaschinen freizugeben. | ||
+ | |||
Inhalte des Verszeichnis ''/home/ec2-user/package'' am Updateserver: | Inhalte des Verszeichnis ''/home/ec2-user/package'' am Updateserver: | ||
<file> | <file> | ||
- | -rw-r--r-- 1 ec2-user ec2-user 24068096 Apr 3 15:45 datenschutz-server-1.0-SNAPSHOT.jar | + | -rw-r--r-- 1 ec2-user ec2-user 68093168 Apr 3 16:06 datenschutz-server-1.0-SNAPSHOT.jar |
+ | -rwxr--r-- 1 root root 874 Apr 3 16:33 distribute.sh | ||
-rwx------ 1 root root 320 Apr 3 13:51 package.sh | -rwx------ 1 root root 320 Apr 3 13:51 package.sh | ||
-rw------- 1 root root 1391 Apr 3 13:40 update-secure.pub.pem | -rw------- 1 root root 1391 Apr 3 13:40 update-secure.pub.pem | ||
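Review bot: the `distribute.sh <src> <dst>` description does not say which promotions are intended (00 to 01 to 02 to 10 and so on), and the script listed later in this revision copies between whatever two regions it is given, so a mistyped `sudo ./distribute.sh 00 10` would publish a development build straight to the productive customer servers. Document the intended promotion order here and have the script refuse a `<dst>` that is not the next region up, or at least ask for confirmation before copying into a region of 10 or above. Minor: the listing shows `distribute.sh` as `-rwxr--r-- root root` while `package.sh` is `-rwx------`; the more restrictive mode is the better default for both scripts.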
Line 49: | Line 64: | ||
openssl smime -encrypt -binary -text -aes256 -in $SRC_DIR/$SRC_JAR -out $TARGET_DIR/$SRC_JAR.enc -outform DER update-secure.pub.pem | openssl smime -encrypt -binary -text -aes256 -in $SRC_DIR/$SRC_JAR -out $TARGET_DIR/$SRC_JAR.enc -outform DER update-secure.pub.pem | ||
</code> | </code> | ||
+ | |||
+ | ==== distribute.sh ==== | ||
+ | |||
+ | <code> | ||
+ | #!/bin/bash | ||
+ | |||
+ | UPDATE_DIR=/var/www/html/update | ||
+ | ENC_JAR=datenschutz-server-1.0-SNAPSHOT.jar.enc | ||
+ | SHAFILE=version.sha256 | ||
+ | |||
+ | if [ -f $UPDATE_DIR/$1/$ENC_JAR ]; then | ||
+ | if [ -f $UPDATE_DIR/$1/$SHAFILE ]; then | ||
+ | |||
+ | if [ ! -d $UPDATE_DIR/$2 ]; then | ||
+ | echo "Directory $2 does not exist... creating" | ||
+ | mkdir $UPDATE_DIR/$2 | ||
+ | fi | ||
+ | |||
+ | if [ -f $UPDATE_DIR/$2/$ENC_JAR ]; then | ||
+ | echo "Removing old JAR" | ||
+ | rm $UPDATE_DIR/$2/$ENC_JAR | ||
+ | fi | ||
+ | if [ -f $UPDATE_DIR/$2/$SHAFILE ]; then | ||
+ | echo "Removing old checksum" | ||
+ | rm $UPDATE_DIR/$2/$SHAFILE | ||
+ | fi | ||
+ | |||
+ | echo "Distributing from $1 to $2..." | ||
+ | cp $UPDATE_DIR/$1/$ENC_JAR $UPDATE_DIR/$2/$ENC_JAR | ||
+ | cp $UPDATE_DIR/$1/$SHAFILE $UPDATE_DIR/$2/$SHAFILE | ||
+ | echo "Ready." | ||
+ | exit 0 | ||
+ | |||
+ | else | ||
+ | echo "SHA 256 file not found, exiting." | ||
+ | exit 1 | ||
+ | fi | ||
+ | else | ||
+ | echo "Encrypted JAR file not found, exiting." | ||
+ | exit 1 | ||
+ | fi | ||
+ | </code> | ||
+ | |||
+ | ===== Systemupdates am Updateserver===== | ||
+ | |||
+ | Für jede Region können die Systemupdates (mittels yum) aktiviert werden. Auf Testsystemen werden die Updates um 01:00 am Montag durchgeführt. Produktivsysteme führen Updates am Donnerstag um 01:00 durch. Am Freitag werden alle Systeme durch Nagios geprüft und gegebenenfalls Alarme ausgelöst falls Updates nicht durchgeführt wurden. | ||
+ | |||
+ | Dieser Updatemechanismus kann pro Region aktiviert oder deaktiviert werden: | ||
+ | |||
+ | <code> | ||
+ | /home/ec2-user/# sudo sysupdate.sh <region> enable|disable | ||
+ | </code> | ||
+ | |||
+ | Also zB: | ||
+ | |||
+ | <code> | ||
+ | ## Disable Updates for region 02: | ||
+ | /home/ec2-user/# sudo sysupdate.sh 02 disable | ||
+ | </code> | ||
+ | |||
+ | /home/ec2-user/sysupdate.sh: | ||
+ | <code> | ||
+ | #!/bin/bash | ||
+ | |||
+ | UPDATE_DIR=/var/www/html/update | ||
+ | UPDFILE=sysupdate.txt | ||
+ | |||
+ | |||
+ | if [[ $# -eq 0 ]] ; then | ||
+ | echo "Usage: $0 <Channel> <enable|disable>" | ||
+ | echo "For Example: " | ||
+ | echo "$0 00 enable" | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | if [ ! -d $UPDATE_DIR/$1 ]; then | ||
+ | echo "Directory $1 does not exist... creating" | ||
+ | mkdir $UPDATE_DIR/$1 | ||
+ | fi | ||
+ | |||
+ | if [ "$2" == "enable" ]; then | ||
+ | echo "Enabling system update for $1" | ||
+ | echo "OK" >$UPDATE_DIR/$1/$UPDFILE | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | if [ "$2" == "disable" ]; then | ||
+ | echo "Disabling system update for $1" | ||
+ | echo "DISABLE" >$UPDATE_DIR/$1/$UPDFILE | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | exit 1 | ||
+ | </code> | ||
+ | |||
===== Clients ===== | ===== Clients ===== | ||
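Review bot: `distribute.sh` checks that the source files exist but never validates its arguments: with `$2` empty, `mkdir $UPDATE_DIR/$2` and `cp $UPDATE_DIR/$1/$ENC_JAR $UPDATE_DIR/$2/$ENC_JAR` operate on the update root itself, and a value containing `/` or `..` creates and fills directories outside the region tree. Add the argument-count check that `sysupdate.sh` already has (`if [[ $# -ne 2 ]]; then ... exit 1; fi`), restrict both arguments to the documented numeric regions (for example `[[ $1 =~ ^[0-9]+$ ]]`), and quote the variables. The publish step is also not atomic: the old JAR and checksum are deleted first and the new ones copied one after the other, so a client that polls in between sees a missing or mismatched pair. Copy each file to a temporary name inside the target directory and `mv` it into place, checksum first and JAR last. In the server-side `sysupdate.sh`, the usage text only appears with zero arguments; with one argument, or with a misspelled second argument, the script still creates the region directory and then exits 1 silently. Require exactly two arguments and print the usage text for any action other than `enable` or `disable`.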
Line 69: | Line 179: | ||
==== update.sh ==== | ==== update.sh ==== | ||
+ | Der Aufruf erfolg mit: | ||
<code> | <code> | ||
+ | sudo ./update.sh <region> [reboot] | ||
+ | </code> | ||
+ | |||
+ | Also zB: | ||
+ | |||
+ | <code> | ||
+ | ## Check for updates, apply if needed and reboot the machine: | ||
+ | sudo ./update.sh 00 reboot | ||
+ | </code> | ||
+ | |||
+ | <code> | ||
+ | |||
#/bin/bash | #/bin/bash | ||
- | UPDATE_SERVER=https://doku.traunau.at/update/00 | + | CHANNEL=$1 |
+ | UPDATE_SERVER=https://doku.datareporter.eu/update/$CHANNEL | ||
UPDATE_DIR=/opt/webserver/update | UPDATE_DIR=/opt/webserver/update | ||
SERVICE=/opt/webserver/service.sh | SERVICE=/opt/webserver/service.sh | ||
- | JAR_FILE=datenschutz-server-1.0-SNAPSHOT.jar | + | JAR_FILE=datareporter-server-1.0-SNAPSHOT.jar |
PRODUCTIVE_DIR=/opt/webserver | PRODUCTIVE_DIR=/opt/webserver | ||
+ | if [[ $# -eq 0 ]] ; then | ||
+ | echo "Usage: $0 <Channel> [reboot]" | ||
+ | echo "For Example: " | ||
+ | echo "$0 00 reboot" | ||
+ | exit 0 | ||
+ | fi | ||
if [ -f $UPDATE_DIR/$JAR_FILE ]; then | if [ -f $UPDATE_DIR/$JAR_FILE ]; then | ||
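Review bot: `JAR_FILE` is renamed to `datareporter-server-1.0-SNAPSHOT.jar` on the client, while the server side in this same revision still packages and distributes `datenschutz-server-1.0-SNAPSHOT.jar.enc` (see `ENC_JAR` in `distribute.sh` and the package listing above). The download step is not visible in this diff, so please confirm it fetches the name the server actually serves; otherwise the client looks for a file that is never published. Also, `CHANNEL=$1` is interpolated into `UPDATE_SERVER` before the argument check runs and without any validation; move the `$#` check above the variable block and restrict `CHANNEL` to the numeric regions. The usage path exits with `0`; exiting with `1` is preferable so a cron run with a missing argument is recorded as a failure.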
Line 113: | Line 243: | ||
echo "Decrypting JAR file..." | echo "Decrypting JAR file..." | ||
# decrypt the jar with the private key | # decrypt the jar with the private key | ||
- | openssl smime -decrypt -in $JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $JAR_FILE | + | openssl smime -decrypt -in $UPDATE_DIR/$JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $UPDATE_DIR/$JAR_FILE |
#remove the encrypted file | #remove the encrypted file | ||
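Review bot: `-inform DEM` in the decrypt command should read `-inform DER`, matching the `-outform DER` used by `package.sh`; openssl only inspects the first letter of the format name, which is why the typo has gone unnoticed. The path fix itself (`-in $UPDATE_DIR/$JAR_FILE.enc` and `-out $UPDATE_DIR/$JAR_FILE`) is correct and makes the command independent of the working directory cron happens to use.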
Line 122: | Line 252: | ||
# get checksum of encrypted file and check against downloaded sha - if equal both are verified | # get checksum of encrypted file and check against downloaded sha - if equal both are verified | ||
- | cat $UPDATE_DIR/$JAR_FILE | sha256sum >downloaded.sha256 | + | cat $UPDATE_DIR/$JAR_FILE | sha256sum >$UPDATE_DIR/downloaded.sha256 |
diff $UPDATE_DIR/downloaded.sha256 $UPDATE_DIR/version.sha256 >/dev/null | diff $UPDATE_DIR/downloaded.sha256 $UPDATE_DIR/version.sha256 >/dev/null | ||
comp_value=$? | comp_value=$? | ||
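Review bot: the comment `# get checksum of encrypted file and check against downloaded sha - if equal both are verified` is misleading on two counts. The command hashes the decrypted JAR (`$UPDATE_DIR/$JAR_FILE`), which is the right file because `version.sha256` is documented as the checksum of the unencrypted update, so the comment should say "decrypted". And equality only shows that the JAR and the checksum file downloaded from the same server are consistent with each other, not that either is authentic: the checksum is served unsigned next to the artifact, and encrypting with a public key that sits on the update server gives confidentiality, not origin authentication, since anyone holding that key can encrypt. Reword the comment so readers do not take this step for a signature check. Also, the `diff` only matches if `package.sh` writes `version.sha256` in the same `sha256sum` output format (`<hash>  -`) that `cat ... | sha256sum` produces here, so keep the two commands in sync.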
Line 148: | Line 278: | ||
echo "Update verified and ready to install..." | echo "Update verified and ready to install..." | ||
- | echo "Stopping service and waiting 10 seconds to gracefully shut down" | + | echo "Stopping service and waiting 10 seconds to update" |
$SERVICE stop | $SERVICE stop | ||
sleep 10 | sleep 10 | ||
Line 165: | Line 295: | ||
fi | fi | ||
- | echo "Service start" | + | if [ "$2" == "reboot" ]; then |
- | # start service | + | /sbin/init 6 |
- | $SERVICE start | + | else |
+ | echo "Service start" | ||
+ | # start service | ||
+ | $SERVICE start | ||
+ | fi | ||
fi | fi | ||
fi | fi | ||
echo "Ready." | echo "Ready." | ||
+ | |||
</code> | </code> | ||
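Review bot: the new `reboot` branch calls `/sbin/init 6` without logging anything, while the other branch echoes `Service start`; add an `echo "Rebooting..."` before `/sbin/init 6` so `/var/log/update.log` explains why the machine went down. Note also that `/sbin/init 6` returns immediately, so the script continues to `echo "Ready."` while the shutdown is already in progress; that is harmless but worth a comment.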
Line 180: | Line 314: | ||
<code> | <code> | ||
- | 15 4 * * * /opt/webserver/update/update.sh | + | 15 4 * * * /opt/webserver/update/update.sh 00 reboot >>/var/log/update.log |
</code> | </code> | ||
+ | ===== Systemupdates Client ===== | ||
+ | |||
+ | Am Client unter /opt/webserver/update liegt das Script sysupdate.sh das prüft, ob die Region updaten darf und gegebenfalls ein Systemupdate durchführt. | ||
+ | |||
+ | <code> | ||
+ | /opt/webserver/update/sysupdate.sh <region> | ||
+ | </code> | ||
+ | |||
+ | Also zB: | ||
+ | <code> | ||
+ | /opt/webserver/update/sysupdate.sh 00 | ||
+ | </code> | ||
+ | |||
+ | ==== sysupdate.sh ==== | ||
+ | |||
+ | <code> | ||
+ | #/bin/bash | ||
+ | |||
+ | UPDSERVER=https://doku.datareporter.eu | ||
+ | CHANNEL=$1 | ||
+ | |||
+ | ALLOWED=$(curl -s --fail $UPDSERVER/update/$CHANNEL/sysupdate.txt) | ||
+ | if [ 0 -eq $? ]; then | ||
+ | echo "Allowed: $ALLOWED" | ||
+ | |||
+ | if [ "$ALLOWED" == "OK" ]; then | ||
+ | echo "Update allowed" | ||
+ | yum -y update | ||
+ | /sbin/init 6 | ||
+ | |||
+ | else | ||
+ | echo "Update halted - not performing" | ||
+ | fi | ||
+ | |||
+ | else | ||
+ | echo "Channel not configured - NOT updating" | ||
+ | fi | ||
+ | </code> | ||
+ | |||
+ | ==== Crontab (Testmaschinen) ==== | ||
+ | |||
+ | <code> | ||
+ | 00 1 * * 1 /opt/webserver/update/sysupdate.sh 00 >>/var/log/sysupdate.log | ||
+ | </code> | ||
+ | |||
+ | ==== Crontab (Produktivmaschinen) ==== | ||
+ | |||
+ | <code> | ||
+ | 00 1 * * 4 /opt/webserver/update/sysupdate.sh 10 >>/var/log/sysupdate.log | ||
+ | </code> | ||
+ | |||
+ | ==== Crontab (on-premises Maschinen) ==== | ||
+ | |||
+ | <code> | ||
+ | 00 1 * * 5 /opt/webserver/update/sysupdate.sh 100 >>/var/log/sysupdate.log | ||
+ | </code> |
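Review bot: the cron line `15 4 * * * /opt/webserver/update/update.sh 00 reboot >>/var/log/update.log` captures only stdout; add `2>&1` so openssl and curl errors land in the same log instead of cron mail, and the same applies to the three `sysupdate.sh` cron lines. In the client `sysupdate.sh`, the shebang reads `#/bin/bash` (missing `!`), as in `update.sh`, and `/sbin/init 6` runs unconditionally after `yum -y update`, so a machine reboots every week even when yum failed or installed nothing; test yum's exit status first and reboot only when a restart is actually required (for example with `needs-restarting -r` from yum-utils). The `"$ALLOWED" == "OK"` comparison is fine, but because a missing or edited `sysupdate.txt` silently means "no update", the log line `Channel not configured - NOT updating` should also carry the URL that was tried, so Nagios findings can be traced back. Finally, the on-premises crontab runs at 01:00 on Friday (`00 1 * * 5`), the same day on which, according to the text above, Nagios checks all systems for missing updates; state in that paragraph whether the check runs after this window or whether on-premises machines are expected to be verified the following week.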