Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen gezeigt.
| Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
|
update [2017/04/03 16:38] mike |
update [2018/03/14 11:36] (aktuell) mike |
||
|---|---|---|---|
| Zeile 7: | Zeile 7: | ||
| ''00'' - Development | ''00'' - Development | ||
| - | ''01'' - Testmaschinen | + | ''01'' - Testmaschinen, Demos |
| ''02'' - Testkunden | ''02'' - Testkunden | ||
| ''10 - 99'' produktive Kundenserver | ''10 - 99'' produktive Kundenserver | ||
| + | |||
| + | ''100'' - ''999'' on-premises Maschinen bei Kunden | ||
| ===== Updateserver ===== | ===== Updateserver ===== | ||
| Zeile 22: | Zeile 24: | ||
| datenschutz-server-1.0-SNAPSHOT.jar.enc ... die verschlüsselte Updatedatei | datenschutz-server-1.0-SNAPSHOT.jar.enc ... die verschlüsselte Updatedatei | ||
| version.sha256 ... Die Prüfsumme der unverschlüsselten Updatedatei | version.sha256 ... Die Prüfsumme der unverschlüsselten Updatedatei | ||
| + | sysupdate.txt ... Enthält "OK" wenn in dieser Region Systemupdates durchgeführt werden sollen | ||
| </file> | </file> | ||
| Zeile 103: | Zeile 106: | ||
| fi | fi | ||
| </code> | </code> | ||
| + | |||
| + | ===== Systemupdates am Updateserver===== | ||
| + | |||
| + | Für jede Region können die Systemupdates (mittels yum) aktiviert werden. Auf Testsystemen werden die Updates um 01:00 am Montag durchgeführt. Produktivsysteme führen Updates am Donnerstag um 01:00 durch. Am Freitag werden alle Systeme durch Nagios geprüft und gegebenenfalls Alarme ausgelöst falls Updates nicht durchgeführt wurden. | ||
| + | |||
| + | Dieser Updatemechanismus kann pro Region aktiviert oder deaktiviert werden: | ||
| + | |||
| + | <code> | ||
| + | /home/ec2-user/# sudo sysupdate.sh <region> enable|disable | ||
| + | </code> | ||
| + | |||
| + | Also zB: | ||
| + | |||
| + | <code> | ||
| + | ## Disable Updates for region 02: | ||
| + | /home/ec2-user/# sudo sysupdate.sh 02 disable | ||
| + | </code> | ||
| + | |||
| + | /home/ec2-user/sysupdate.sh: | ||
| + | <code> | ||
| + | #!/bin/bash | ||
| + | |||
| + | UPDATE_DIR=/var/www/html/update | ||
| + | UPDFILE=sysupdate.txt | ||
| + | |||
| + | |||
| + | if [[ $# -eq 0 ]] ; then | ||
| + | echo "Usage: $0 <Channel> <enable|disable>" | ||
| + | echo "For Example: " | ||
| + | echo "$0 00 enable" | ||
| + | exit 0 | ||
| + | fi | ||
| + | |||
| + | if [ ! -d $UPDATE_DIR/$1 ]; then | ||
| + | echo "Directory $1 does not exist... creating" | ||
| + | mkdir $UPDATE_DIR/$1 | ||
| + | fi | ||
| + | |||
| + | if [ "$2" == "enable" ]; then | ||
| + | echo "Enabling system update for $1" | ||
| + | echo "OK" >$UPDATE_DIR/$1/$UPDFILE | ||
| + | exit 0 | ||
| + | fi | ||
| + | |||
| + | if [ "$2" == "disable" ]; then | ||
| + | echo "Disabling system update for $1" | ||
| + | echo "DISABLE" >$UPDATE_DIR/$1/$UPDFILE | ||
| + | exit 0 | ||
| + | fi | ||
| + | |||
| + | exit 1 | ||
| + | </code> | ||
| + | |||
| ===== Clients ===== | ===== Clients ===== | ||
| Zeile 123: | Zeile 179: | ||
| ==== update.sh ==== | ==== update.sh ==== | ||
| - | Bitte beachten, dass unter ''UPDATE_SERVER'' am Ende die korrekte Region für die Maschine eingetragen werden sollte. | + | Der Aufruf erfolg mit: |
| + | <code> | ||
| + | sudo ./update.sh <region> [reboot] | ||
| + | </code> | ||
| + | |||
| + | Also zB: | ||
| <code> | <code> | ||
| + | ## Check for updates, apply if needed and reboot the machine: | ||
| + | sudo ./update.sh 00 reboot | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | |||
| #/bin/bash | #/bin/bash | ||
| - | UPDATE_SERVER=https://doku.traunau.at/update/00 | + | CHANNEL=$1 |
| + | UPDATE_SERVER=https://doku.datareporter.eu/update/$CHANNEL | ||
| UPDATE_DIR=/opt/webserver/update | UPDATE_DIR=/opt/webserver/update | ||
| SERVICE=/opt/webserver/service.sh | SERVICE=/opt/webserver/service.sh | ||
| - | JAR_FILE=datenschutz-server-1.0-SNAPSHOT.jar | + | JAR_FILE=datareporter-server-1.0-SNAPSHOT.jar |
| PRODUCTIVE_DIR=/opt/webserver | PRODUCTIVE_DIR=/opt/webserver | ||
| + | if [[ $# -eq 0 ]] ; then | ||
| + | echo "Usage: $0 <Channel> [reboot]" | ||
| + | echo "For Example: " | ||
| + | echo "$0 00 reboot" | ||
| + | exit 0 | ||
| + | fi | ||
| if [ -f $UPDATE_DIR/$JAR_FILE ]; then | if [ -f $UPDATE_DIR/$JAR_FILE ]; then | ||
| Zeile 169: | Zeile 243: | ||
| echo "Decrypting JAR file..." | echo "Decrypting JAR file..." | ||
| # decrypt the jar with the private key | # decrypt the jar with the private key | ||
| - | openssl smime -decrypt -in $JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $JAR_FILE | + | openssl smime -decrypt -in $UPDATE_DIR/$JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $UPDATE_DIR/$JAR_FILE |
| #remove the encrypted file | #remove the encrypted file | ||
| Zeile 178: | Zeile 252: | ||
| # get checksum of encrypted file and check against downloaded sha - if equal both are verified | # get checksum of encrypted file and check against downloaded sha - if equal both are verified | ||
| - | cat $UPDATE_DIR/$JAR_FILE | sha256sum >downloaded.sha256 | + | cat $UPDATE_DIR/$JAR_FILE | sha256sum >$UPDATE_DIR/downloaded.sha256 |
| diff $UPDATE_DIR/downloaded.sha256 $UPDATE_DIR/version.sha256 >/dev/null | diff $UPDATE_DIR/downloaded.sha256 $UPDATE_DIR/version.sha256 >/dev/null | ||
| comp_value=$? | comp_value=$? | ||
| Zeile 204: | Zeile 278: | ||
| echo "Update verified and ready to install..." | echo "Update verified and ready to install..." | ||
| - | echo "Stopping service and waiting 10 seconds to gracefully shut down" | + | echo "Stopping service and waiting 10 seconds to update" |
| $SERVICE stop | $SERVICE stop | ||
| sleep 10 | sleep 10 | ||
| Zeile 221: | Zeile 295: | ||
| fi | fi | ||
| - | echo "Service start" | + | if [ "$2" == "reboot" ]; then |
| - | # start service | + | /sbin/init 6 |
| - | $SERVICE start | + | else |
| + | echo "Service start" | ||
| + | # start service | ||
| + | $SERVICE start | ||
| + | fi | ||
| fi | fi | ||
| fi | fi | ||
| echo "Ready." | echo "Ready." | ||
| + | |||
| </code> | </code> | ||
| Zeile 236: | Zeile 314: | ||
| <code> | <code> | ||
| - | 15 4 * * * /opt/webserver/update/update.sh | + | 15 4 * * * /opt/webserver/update/update.sh 00 reboot >>/var/log/update.log |
| + | </code> | ||
| + | |||
| + | |||
| + | ===== Systemupdates Client ===== | ||
| + | |||
| + | Am Client unter /opt/webserver/update liegt das Script sysupdate.sh das prüft, ob die Region updaten darf und gegebenfalls ein Systemupdate durchführt. | ||
| + | |||
| + | <code> | ||
| + | /opt/webserver/update/sysupdate.sh <region> | ||
| + | </code> | ||
| + | |||
| + | Also zB: | ||
| + | <code> | ||
| + | /opt/webserver/update/sysupdate.sh 00 | ||
| + | </code> | ||
| + | |||
| + | ==== sysupdate.sh ==== | ||
| + | |||
| + | <code> | ||
| + | #/bin/bash | ||
| + | |||
| + | UPDSERVER=https://doku.datareporter.eu | ||
| + | CHANNEL=$1 | ||
| + | |||
| + | ALLOWED=$(curl -s --fail $UPDSERVER/update/$CHANNEL/sysupdate.txt) | ||
| + | if [ 0 -eq $? ]; then | ||
| + | echo "Allowed: $ALLOWED" | ||
| + | |||
| + | if [ "$ALLOWED" == "OK" ]; then | ||
| + | echo "Update allowed" | ||
| + | yum -y update | ||
| + | /sbin/init 6 | ||
| + | |||
| + | else | ||
| + | echo "Update halted - not performing" | ||
| + | fi | ||
| + | |||
| + | else | ||
| + | echo "Channel not configured - NOT updating" | ||
| + | fi | ||
| + | </code> | ||
| + | |||
| + | ==== Crontab (Testmaschinen) ==== | ||
| + | |||
| + | <code> | ||
| + | 00 1 * * 1 /opt/webserver/update/sysupdate.sh 00 >>/var/log/sysupdate.log | ||
| + | </code> | ||
| + | |||
| + | ==== Crontab (Produktivmaschinen) ==== | ||
| + | |||
| + | <code> | ||
| + | 00 1 * * 4 /opt/webserver/update/sysupdate.sh 10 >>/var/log/sysupdate.log | ||
| + | </code> | ||
| + | |||
| + | ==== Crontab (on-premises Maschinen) ==== | ||
| + | |||
| + | <code> | ||
| + | 00 1 * * 5 /opt/webserver/update/sysupdate.sh 100 >>/var/log/sysupdate.log | ||
| </code> | </code> | ||
