update [2017/04/04 06:18] mike |
update [2018/03/14 11:36] (aktuell) mike |
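--- a/update
+++ b/update
@@ -7,5 +7,7 @@
 ''00'' - Development
-''01'' - Testmaschinen
+''01'' - Testmaschinen, Demos
 ''02'' - Testkunden
 ''10 - 99'' produktive Kundenserver
+
+''100'' - ''999'' on-premises Maschinen bei Kunden
 ===== Updateserver =====
@@ -22,4 +24,5 @@
 datenschutz-server-1.0-SNAPSHOT.jar.enc ... die verschlüsselte Updatedatei
 version.sha256 ... Die Prüfsumme der unverschlüsselten Updatedatei
+sysupdate.txt ... Enthält "OK" wenn in dieser Region Systemupdates durchgeführt werden sollen
 </file>
@@ -103,3 +106,56 @@
 fi
 </code>
+
+===== Systemupdates am Updateserver=====
+
+Für jede Region können die Systemupdates (mittels yum) aktiviert werden. Auf Testsystemen werden die Updates um 01:00 am Montag durchgeführt. Produktivsysteme führen Updates am Donnerstag um 01:00 durch. Am Freitag werden alle Systeme durch Nagios geprüft und gegebenenfalls Alarme ausgelöst falls Updates nicht durchgeführt wurden.
+
+Dieser Updatemechanismus kann pro Region aktiviert oder deaktiviert werden:
+
+<code>
+/home/ec2-user/# sudo sysupdate.sh <region> enable|disable
+</code>
+
+Also zB:
+
+<code>
+## Disable Updates for region 02:
+/home/ec2-user/# sudo sysupdate.sh 02 disable
+</code>
+
+/home/ec2-user/sysupdate.sh:
+<code>
+#!/bin/bash
+
+UPDATE_DIR=/var/www/html/update
+UPDFILE=sysupdate.txt
+
+
+if [[ $# -eq 0 ]] ; then
+echo "Usage: $0 <Channel> <enable|disable>"
+echo "For Example: "
+echo "$0 00 enable"
+exit 0
+fi
+
+if [ ! -d $UPDATE_DIR/$1 ]; then
+echo "Directory $1 does not exist... creating"
+mkdir $UPDATE_DIR/$1
+fi
+
+if [ "$2" == "enable" ]; then
+echo "Enabling system update for $1"
+echo "OK" >$UPDATE_DIR/$1/$UPDFILE
+exit 0
+fi
+
+if [ "$2" == "disable" ]; then
+echo "Disabling system update for $1"
+echo "DISABLE" >$UPDATE_DIR/$1/$UPDFILE
+exit 0
+fi
+
+exit 1
+</code>
+
 ===== Clients =====
@@ -123,10 +179,28 @@
 ==== update.sh ====
-Bitte beachten, dass unter ''UPDATE_SERVER'' am Ende die korrekte Region für die Maschine eingetragen werden sollte.
+Der Aufruf erfolg mit:
+<code>
+sudo ./update.sh <region> [reboot]
+</code>
+
+Also zB:
 <code>
+## Check for updates, apply if needed and reboot the machine:
+sudo ./update.sh 00 reboot
+</code>
+
+<code>
+
 #/bin/bash
-UPDATE_SERVER=https://doku.traunau.at/update/00
+CHANNEL=$1
+UPDATE_SERVER=https://doku.datareporter.eu/update/$CHANNEL
 UPDATE_DIR=/opt/webserver/update
 SERVICE=/opt/webserver/service.sh
-JAR_FILE=datenschutz-server-1.0-SNAPSHOT.jar
+JAR_FILE=datareporter-server-1.0-SNAPSHOT.jar
 PRODUCTIVE_DIR=/opt/webserver
+if [[ $# -eq 0 ]] ; then
+echo "Usage: $0 <Channel> [reboot]"
+echo "For Example: "
+echo "$0 00 reboot"
+exit 0
+fi
 if [ -f $UPDATE_DIR/$JAR_FILE ]; then
@@ -169,4 +243,4 @@
 echo "Decrypting JAR file..."
 # decrypt the jar with the private key
-openssl smime -decrypt -in $UPDATE_DIR/$JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $JAR_FILE
+openssl smime -decrypt -in $UPDATE_DIR/$JAR_FILE.enc -binary -inform DEM -inkey $UPDATE_DIR/update_priv.pem -out $UPDATE_DIR/$JAR_FILE
 #remove the encrypted file
@@ -178,4 +252,4 @@
 # get checksum of encrypted file and check against downloaded sha - if equal both are verified
-cat $UPDATE_DIR/$JAR_FILE | sha256sum >downloaded.sha256
+cat $UPDATE_DIR/$JAR_FILE | sha256sum >$UPDATE_DIR/downloaded.sha256
 diff $UPDATE_DIR/downloaded.sha256 $UPDATE_DIR/version.sha256 >/dev/null
 comp_value=$?
@@ -204,4 +278,4 @@
 echo "Update verified and ready to install..."
-echo "Stopping service and waiting 10 seconds to gracefully shut down"
+echo "Stopping service and waiting 10 seconds to update"
 $SERVICE stop
 sleep 10
@@ -221,8 +295,13 @@
 fi
-echo "Service start"
-# start service
-$SERVICE start
+if [ "$2" == "reboot" ]; then
+/sbin/init 6
+else
+echo "Service start"
+# start service
+$SERVICE start
+fi
 fi
 fi
 echo "Ready."
+
 </code>
@@ -236,3 +314,61 @@
 <code>
-15 4 * * * /opt/webserver/update/update.sh
+15 4 * * * /opt/webserver/update/update.sh 00 reboot >>/var/log/update.log
+</code>
+
+
+===== Systemupdates Client =====
+
+Am Client unter /opt/webserver/update liegt das Script sysupdate.sh das prüft, ob die Region updaten darf und gegebenfalls ein Systemupdate durchführt.
+
+<code>
+/opt/webserver/update/sysupdate.sh <region>
+</code>
+
+Also zB:
+<code>
+/opt/webserver/update/sysupdate.sh 00
+</code>
+
+==== sysupdate.sh ====
+
+<code>
+#/bin/bash
+
+UPDSERVER=https://doku.datareporter.eu
+CHANNEL=$1
+
+ALLOWED=$(curl -s --fail $UPDSERVER/update/$CHANNEL/sysupdate.txt)
+if [ 0 -eq $? ]; then
+echo "Allowed: $ALLOWED"
+
+if [ "$ALLOWED" == "OK" ]; then
+echo "Update allowed"
+yum -y update
+/sbin/init 6
+
+else
+echo "Update halted - not performing"
+fi
+
+else
+echo "Channel not configured - NOT updating"
+fi
+</code>
+
+==== Crontab (Testmaschinen) ====
+
+<code>
+00 1 * * 1 /opt/webserver/update/sysupdate.sh 00 >>/var/log/sysupdate.log
+</code>
+
+==== Crontab (Produktivmaschinen) ====
+
+<code>
+00 1 * * 4 /opt/webserver/update/sysupdate.sh 10 >>/var/log/sysupdate.log
+</code>
+
+==== Crontab (on-premises Maschinen) ====
+
+<code>
+00 1 * * 5 /opt/webserver/update/sysupdate.sh 100 >>/var/log/sysupdate.log
 </code>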
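Review bot: In the new client sysupdate.sh (the last hunk, "Zeile 314"), `yum -y update` is followed by an unconditional `/sbin/init 6`, so a production machine whose update failed or was only partially applied is still rebooted; gate the reboot on the exit status, e.g. `yum -y update || { echo "yum update failed - not rebooting"; exit 1; }`. The region argument is interpolated into the curl URL without any validation, and the first line `#/bin/bash` lacks the `!`, so the file carries no shebang and is run by whatever shell the caller falls back to; `#!/bin/bash` plus a guard such as `[[ "$CHANNEL" =~ ^[0-9]+$ ]] || { echo "Invalid channel"; exit 1; }` after `CHANNEL=$1` would close both. The flag file only gates whether updates are permitted and curl verifies the server certificate by default, which is acceptable, but `curl -s` also suppresses TLS and DNS errors and there is no timeout, so `curl -sS --fail --max-time 60` would keep a hung fetch from stalling the cron job and make failures visible in /var/log/sysupdate.log rather than logging only "Channel not configured". The same missing `!` already exists in the context line of update.sh and is not introduced by this revision.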