/* This file is part of Bolixo. Bolixo is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Bolixo is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Bolixo. If not, see <http://www.gnu.org/licenses/>. */
/* This program launches all the components of the trli system over the network.
   It also programs the blackhole system tying all the components together.
   It does so by generating shell scripts and option files (under /etc, /tmp,
   /root and /var/lib/lxc) that are then executed on the target host. */
// NOTE(review): the names of the 14 library headers below were lost when this
// listing was extracted (bracketed header names stripped); only "bolixo.m" survived.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "bolixo.m"
using namespace std;

// chmod() wrapper: applies `mode` to the file at `name` and reports a failure
// through tlmp_error (with strerror(errno)).
// Returns chmod()'s result: 0 on success, -1 on failure. The visible call sites
// ignore the return value, so a failed chmod does not stop script generation.
// NOTE(review): this is used to mark the generated helper scripts executable
// (0755), including several that live under /tmp (/tmp/blackhole.sh,
// /tmp/horizon.sh, /tmp/conproxy.sh, /tmp/bkstart.sh) and are then run from
// /tmp/bkstart.sh. /tmp is world-writable: a file or symlink pre-created there
// by another local user would be overwritten, chmod'ed and later executed by
// whoever runs bkstart.sh (presumably root, given the ifconfig/iptables calls),
// unless the file writer opens with O_EXCL/O_NOFOLLOW, which the visible code
// does not show. A private directory (e.g. under /var/run or /root) would be
// safer — verify how the writer opens these paths.
static int trli_chmod (const PARAM_STRING name, int mode)
{
	int ret = chmod (name.ptr,mode);
	if (ret == -1) tlmp_error ("Can't chmod %s (%s)\n",name.ptr,strerror(errno));
	return ret;
}

// One physical host: how to reach it (ssh / copy command) and its public IP.
// The default constructor leaves every field empty (needed for map storage).
struct SERVER{
	string sshcmd;
	string cpcmd;
	string public_ip;
	SERVER (const string &_sshcmd, const string &_cpcmd, const string &_ip){
		sshcmd = _sshcmd;
		cpcmd = _cpcmd;
		public_ip = _ip;
	}
	SERVER(){}
};

// One blackhole daemon instance: the server it runs on, its config and port.
struct BLACKHOLE {
	string server;
	string config;
	unsigned port;
	BLACKHOLE (const string &_server, const string &_config, unsigned _port){
		server = _server;
		config = _config;
		port = _port;
	}
};

// One bod service instance. `workers` is the number of bod processes to start
// (print_configs starts one more than this for the getpubkey request).
// NOTE(review): `secret` is written into bod.init and handed to each bod
// process on its command line (`--mysecret`), so it is readable in the process
// list by any local user; passing it through a root-only file or the
// environment would avoid that.
struct BOD {
	string server;
	unsigned port;
	unsigned workers;
	string secret;
	unsigned maxaccts;
	BOD (const string &_server, unsigned _port, unsigned _workers, const string &_secret, unsigned _maxaccts){
		server = _server;
		port = _port;
		workers = _workers;
		secret = _secret;
		maxaccts = _maxaccts;
	}
};

// One writed service instance (server, port, worker count, shared secret).
// NOTE(review): the writed.init generation loop is cut from this listing, so
// how `secret` reaches the processes cannot be confirmed here; presumably the
// same command-line mechanism as bod — check.
struct WRITED {
	string server;
	unsigned port;
	unsigned workers;
	string secret;
	WRITED (const string &_server, unsigned _port, unsigned _workers, const string &_secret){
		server = _server;
		port = _port;
		workers = _workers;
		secret = _secret;
	}
};

// One sessiond service instance (server and port).
struct SESSIOND {
	string server;
	unsigned port;
	SESSIOND (const string &_server, unsigned _port){
		server = _server;
		port = _port;
	}
};

// One SQL server instance; only the hosting server is recorded.
struct SQLD {
	string server;
	SQLD (const string &_server){
		server = _server;
	}
};

// One protocol checker (protocheck) instance. The ports are fixed: 9080 for
// the checking instance and 9180 (port_l) for the learning instance.
struct PROTO {
	string server;
	unsigned port;
	unsigned port_l;
	unsigned workers;
	PROTO (const string &_server, unsigned _workers){
		server = _server;
		port = 9080;
		port_l = 9180;
		workers = _workers;
	}
};

// One web front-end instance; `secret` is optional (empty when the one-argument
// constructor is used).
struct WEB {
	string server;
	string secret;
	WEB (const string &_server){
		server = _server;
	}
	WEB (const string &_server, const string &_secret){
		server = _server;
		secret = _secret;
	}
};

// One monitoring instance: it needs the bod and bolixod secrets to query those
// services, plus a command to run on alarm.
// NOTE(review): `alarmcmd` looks like a shell command string; how it is quoted
// when written out is not visible in this listing — confirm it cannot carry
// attacker-controlled text.
struct MON {
	string server;
	string bod_secret;
	string bolixod_secret;
	string alarmcmd;
	MON (const string &_server, const string &_bod_secret, const string &_bolixod_secret, const string &_alarmcmd){
		server = _server;
		bod_secret = _bod_secret;
		bolixod_secret = _bolixod_secret;
		alarmcmd = _alarmcmd;
	}
};

// One bolixod service instance (server, shared secret, worker count, account cap).
struct BOLIXOD {
	string server;
	string secret;
	unsigned workers;
	unsigned maxaccts;
	BOLIXOD (const string &_server, const string &_secret, unsigned _workers, unsigned _maxaccts){
		server = _server;
		secret = _secret;
		workers = _workers;
		maxaccts = _maxaccts;
	}
};

// One publishd service instance (server and shared secret).
struct PUBLISHD {
	string server;
	string secret;
	PUBLISHD (const string &_server, const string &_secret){
		server = _server;
		secret = _secret;
	}
};

// Not referenced in the visible part of this file.
static bool closeweb = false;
// Directory holding the service configuration, including secrets.admin,
// secrets.client and http_check.conf (referenced by the generated scripts).
static const char *config_dir = "/etc/bolixo";
static const char *log_dir = "/var/log/bolixo";
// Control sockets of blackhole/horizon/conproxy. lxcsock_dir is the same
// directory as seen from inside the containers (currently identical).
static const char *sock_dir = "/var/run/blackhole";
static const char *sock_tests_dir = "/var/run/tests";
static const char *lxcsock_dir = "/var/run/blackhole";
//static const char *bin_path = "/usr/bin";
static const char *sbin_path = "/usr/sbin";
static const char *project_path = "/usr/sbin";
// Loopback aliases on the host (set up with ifconfig in horizon-options.conf);
// horizon_masterip is currently the same address as horizon_ip.
static const char *horizon_ip = "192.168.4.1";
static const char *horizon_ip2 = "192.168.4.2";
static const char *dnsproxy_ip = "192.168.4.3";
static const char *horizon_masterip = "192.168.4.1";
// MySQL credentials for the four service database users.
// NOTE(review): these passwords are literal, fixed values compiled into the
// binary and written in clear into the per-container init files
// (`export BOLIXOD_PWD=...`, `export BOD_PWD=...`, `export BO_WRITED_PWD=...`,
// `export PUBLISHD_PWD=...` in print_configs). Every install built from this
// source therefore shares the same, publicly known database passwords, and
// anyone who can read the binary or those init files learns them. They should
// be generated at install time and read from a root-only file; at minimum
// rotate them on any real deployment and make sure the *.init files are not
// world-readable (their mode is not set in the visible code).
static const char *sql_bolixod_pwd = "bolixod.1";
static const char *sql_bolixod_user = "bolixod";
static const char *sql_bod_pwd = "bod.1";
static const char *sql_bod_user = "bod";
static const char *sql_bo_writed_pwd = "bo_writed.1";
static const char *sql_bo_writed_user = "bo_writed";
static const char *sql_publishd_pwd = "publishd.1";
static const char *sql_publishd_user = "publishd";
// Unprivileged account the services run as; trli_userid is resolved at runtime
// (-1 until then).
static const char *trli_user = "bolixo";
static int trli_userid = -1;
static const char *blackhole_path = "/usr/sbin";
static const char *blackhole_user = "blackhole";
static const char *pid_dir = "/var/run";
static const char *devlog = "/dev/bolixo.log";
// Generated option files and rule scripts (written by print_configs and
// chmod'ed 0755, i.e. world-readable; they hold paths and ports only).
static const char *blackhole_options_conf = "/etc/blackhole-options.conf";
static const char *blackhole_rules = "/etc/blackhole-rules.sh";
static const char *horizon_options_conf = "/etc/horizon-options.conf";
static const char *horizon_rules = "/etc/horizon-rules.sh";
static const char *conproxy_options_conf = "/etc/conproxy-options.conf";
// Addresses of the lxc containers. The generated iptables rules reject traffic
// between containers on this /24 so that everything goes through blackhole.
// ip0_webssl and ip_webssl are currently the same address.
#define IP_PREFIX "192.168.122."
static const char *ip_bod = IP_PREFIX "2";
static const char *ip_writed = IP_PREFIX "3";
static const char *ip_sessiond = IP_PREFIX "4";
static const char *ip_web = IP_PREFIX "5";
static const char *ip_web_fail = IP_PREFIX "15";
static const char *ip_webadm = IP_PREFIX "6";
static const char *ip_proto = IP_PREFIX "7";
static const char *ip0_webssl = IP_PREFIX "8";
static const char *ip_webssl = IP_PREFIX "8";
static const char *ip_webssl_fail = IP_PREFIX "18";
static const char *ip_preprod = IP_PREFIX "21";
static const char *ip_bosqlduser = IP_PREFIX "9";
static const char *ip_bosqlddata = IP_PREFIX "10";
static const char *ip_bosqldbolixo = IP_PREFIX "14";
static const char *ip_exim = IP_PREFIX "11";
static const char *ip_keysd = IP_PREFIX "12";
static const char *ip_bolixod = IP_PREFIX "13";
static const char *ip_publishd = IP_PREFIX "16";
// "_p" addresses: host-side loopback aliases (ifconfig lo:web 192.168.5.5 etc.)
// used by horizon as the second, host-local set of virtual servers.
#define IP_PREFIX_P "192.168.5."
static const char *ip_sqld_p = IP_PREFIX_P "1"; static const char *ip_bod_p = IP_PREFIX_P "2"; static const char *ip_writed_p = IP_PREFIX_P "3"; static const char *ip_sessiond_p = IP_PREFIX_P "4"; static const char *ip_web_p = IP_PREFIX_P "5"; static const char *ip_webadm_p = IP_PREFIX_P "6"; static const char *ip_proto_p = IP_PREFIX_P "7"; static const char *ip_webssl_p = IP_PREFIX_P "8"; static const char *vs_bod = "bod"; static const char *vs_bolixod = "bolixod"; static const char *vs_writed = "writed"; static const char *vs_sessiond = "sessiond"; static const char *vs_publishd = "publishd"; struct CONFIG { bool iptables; bool private_site; string hostname; string nodename; string dirserver; string org; map servers; vector blackholes; vector bods; vector writeds; vector keysds; vector sessionds; vector bosqlddatas; vector bosqldusers; vector bosqldbolixos; vector protos; vector webs; vector webadms; vector webssls; vector logs; vector computes; vector exims; vector dnsproxys; vector monitors; vector bolixods; vector publishds; CONFIG(){ dirserver = "https://bolixo.org"; org="Bolixo.org"; iptables = false; } }; static bool preprodmode = false; static void generateconfig ( FILE *fout, const string &theserver, // We are generating for this server // This will allow some blackhole rule affinity const CONFIG &config, bool devmode) { string bk_control_str = string(blackhole_path) + "/blackhole-control -p " + sock_dir + "/blackhole.sock"; const char *bk_control = bk_control_str.c_str(); const char *rootserver = theserver.c_str(); // For now, there is only one server, so it is the one testing itself // Finds all servers set servers; for (auto x:config.bolixods) servers.insert(x.server); for (auto x:config.bods) servers.insert(x.server); for (auto x:config.writeds) servers.insert(x.server); for (auto x:config.keysds) servers.insert(x.server); for (auto x:config.sessionds) servers.insert(x.server); for (auto x:config.bosqlddatas) servers.insert(x.server); for (auto 
x:config.bosqldusers) servers.insert(x.server); for (auto x:config.bosqldbolixos) servers.insert(x.server); for (auto x:config.protos) servers.insert(x.server); for (auto x:config.webs) servers.insert(x.server); for (auto x:config.webadms) servers.insert(x.server); for (auto x:config.logs) servers.insert(x.server); for (auto x:config.webssls) servers.insert(x.server); for (auto x:config.exims) servers.insert(x.server); for (auto x:config.dnsproxys) servers.insert(x.server); fprintf (fout,"# Connect to all horizons\n"); for (auto x:servers) fprintf (fout,"%s horizon %s:%s/horizon-master.sock near\n",bk_control,x.c_str(),sock_dir); fprintf (fout,"%s reset-rules\n",bk_control); fprintf (fout,"# rule to connect the browser to the web server\n"); const char *prefix = ""; for (auto t:config.protos){ for (unsigned i=0; i static void print_configs ( const string &server, const string &public_ip, const CONFIG &config, bool devmode) { glocal const CONFIG *config = &config; glocal bool devmode = devmode; glocal const char *public_ip = public_ip.c_str(); glocal string server = server; glocal string stopbod; glocal string stopbolixod; glocal string stoppublishd; glocal string stopwrited; glocal string stopkeysd; glocal string stopsessiond; glocal string stopweb; glocal string stopwebadm; glocal string stopwebssl; glocal string stopsqlddata; glocal string stopsqlduser; glocal string stopsqldbolixo; glocal string stopproto; glocal string stopexim; glocal string stoptrlimon; glocal string stoptrlisyslog; glocal string stopcompute; glocal const char *dirserver = config.dirserver.c_str(); glocal const char *nodename = config.nodename.c_str(); glocal const char *hostname = config.hostname.c_str(); glocal const char *org = config.org.c_str(); glocal bool iptables = config.iptables; glocal bool private_site = config.private_site; ("/tmp/bkstart.sh",false); glocal FILE *all_fout = fout; fprintf (fout,"#!/bin/sh\n"); if (glocal.devmode){ fprintf (fout,"ifconfig | fgrep -q 192.168.4.1 || 
echo 192.168.4.1 non disponible\n"); }else{ fprintf (fout,"mkdir -p %s %s\n",sock_dir,log_dir); } // SERVICE blackhole for (auto bk:glocal.config->blackholes){ if (bk.server == glocal.server){ (blackhole_options_conf,false); fprintf (fout,"#!/bin/sh\n" "BLACKHOLEOPTIONS=\" --control %s/blackhole.sock --horizon_port 8100" " --statfile %s/blackhole-connect.log --pidfile %s/blackhole.pid" " --conproxyport %s/conproxy.sock" " --debugfile /tmp/blackhole.log\"\n" ,sock_dir,log_dir,pid_dir ,sock_dir); return 0; trli_chmod (blackhole_options_conf,0755); ("/tmp/blackhole.sh",false); fprintf (fout,"#!/bin/sh\n" ". %s\n" "%s/blackhole --daemon $BLACKHOLEOPTIONS\n" ,blackhole_options_conf,blackhole_path); return 0; trli_chmod ("/tmp/blackhole.sh",0755); fprintf (glocal.all_fout,"/tmp/blackhole.sh\n"); (blackhole_rules,false); generateconfig (fout,glocal.server,*glocal.config,glocal.devmode); return 0; trli_chmod (blackhole_rules,0755); fprintf (glocal.all_fout,"%s\n",blackhole_rules); ("/tmp/blackhole-reload.sh",false); string bk_control_str = string(blackhole_path) + "/blackhole-control -p " + sock_dir + "/blackhole.sock"; const char *bk_control = bk_control_str.c_str(); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s pause\n",bk_control); fprintf (fout,"%s reset-rules\n",bk_control); fprintf (fout,"%s reset-horizons\n",bk_control); fprintf (fout,"%s reset-wormholes\n",bk_control); fprintf (fout,"/tmp/blackhole-rules.sh\n"); fprintf (fout,"%s resume\n",bk_control); return 0; trli_chmod ("/tmp/blackhole-reload.sh",0755); } } // SERVICE horizon (horizon_options_conf,false); fprintf (fout,"#!/bin/sh\n"); if (!glocal.devmode){ fprintf (fout,"ifconfig lo:horizon 192.168.4.1 netmask 255.255.255.255\n"); fprintf (fout,"ifconfig lo:horizon2 192.168.4.2 netmask 255.255.255.255\n"); fprintf (fout,"ifconfig lo:dnsproxy 192.168.4.3 netmask 255.255.255.255\n"); fprintf (fout,"ifconfig lo:web 192.168.5.5 netmask 255.255.255.255\n"); fprintf (fout,"ifconfig lo:webadm 192.168.5.6 netmask 
255.255.255.255\n"); fprintf (fout,"ifconfig lo:writed 192.168.5.3 netmask 255.255.255.255\n"); } fprintf (fout,"mkdir -p %s\n",sock_tests_dir); fprintf (fout,"rm -f %s/*\n",sock_tests_dir); const char *user = blackhole_user; if (!glocal.devmode){ user = "root"; } fprintf (fout, "HORIZONOPTIONS=\"" " --bind %s,9000 --bind %s,9100 --bind %s,9200 --bind %s,3307 --bind %s,3307" " --bind %s,9080 --bind %s,9081 --bind %s,8053" " --bind %s,9080 --bind %s,9081" " --control %s/horizon.sock --master %s,8100 --master %s/horizon-master.sock --user %s --pidfile %s/horizon.pid" " --conproxyport %s/conproxy.sock --open_network" ,horizon_ip,horizon_ip,horizon_ip,horizon_ip,horizon_ip2 ,horizon_ip,horizon_ip,horizon_ip ,horizon_ip2,horizon_ip2 ,sock_dir,horizon_masterip,sock_dir,user,pid_dir ,sock_dir); if (!glocal.devmode){ fprintf (fout," --bind %s,25",glocal.public_ip); fprintf (fout," --bind %s,80",glocal.public_ip); fprintf (fout," --bind %s,443",glocal.public_ip); fprintf (fout," --bind 127.0.0.1,8080"); fprintf (fout," --open_client"); } fprintf (fout,"\"\n"); return 0; trli_chmod (horizon_options_conf,0755); ("/tmp/horizon.sh",false); fprintf (fout,". 
%s\n",horizon_options_conf); fprintf (fout,"%s/horizon --daemon $HORIZONOPTIONS\n",blackhole_path); return 0; trli_chmod ("/tmp/horizon.sh",0755); fprintf (glocal.all_fout,"/tmp/horizon.sh\n"); fprintf (glocal.all_fout,"%s\n",horizon_rules); (horizon_rules,false); string hc_str = string (blackhole_path) + "/horizon-control --port " + sock_dir + "/horizon.sock"; const char *hc = hc_str.c_str(); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s vserver dnsproxy %s\n",hc,dnsproxy_ip); fprintf (fout,"%s vserver sqlsource %s\n",hc,horizon_ip); fprintf (fout,"%s vserver sqlsource2 %s\n",hc,horizon_ip2); fprintf (fout,"%s vserver bolixod %s\n",hc,ip_bolixod); fprintf (fout,"%s vserver publishd %s\n",hc,ip_publishd); fprintf (fout,"%s vserver bod %s\n",hc,ip_bod); fprintf (fout,"%s vserver bod_p %s\n",hc,ip_bod_p); fprintf (fout,"%s vserver writed %s\n",hc,ip_writed); fprintf (fout,"%s vserver writed_p %s\n",hc,ip_writed_p); fprintf (fout,"%s vserver sessiond %s\n",hc,ip_sessiond); fprintf (fout,"%s vserver sessiond_p %s\n",hc,ip_sessiond_p); fprintf (fout,"%s vserver web %s\n",hc,ip_web); fprintf (fout,"%s vserver web_p %s\n",hc,ip_web_p); fprintf (fout,"%s vserver webadm %s\n",hc,ip_webadm); fprintf (fout,"%s vserver webadm_p %s\n",hc,ip_webadm_p); fprintf (fout,"%s vserver webssl %s\n",hc,ip_webssl); fprintf (fout,"%s vserver webssl_p %s\n",hc,ip_webssl_p); fprintf (fout,"%s vserver bosqlddata %s\n",hc,ip_bosqlddata); fprintf (fout,"%s vserver bosqlduser %s\n",hc,ip_bosqlduser); fprintf (fout,"%s vserver bosqldbolixo %s\n",hc,ip_bosqldbolixo); fprintf (fout,"%s vserver sqld_p %s\n",hc,ip_sqld_p); fprintf (fout,"%s vserver proto %s\n",hc,ip_proto); fprintf (fout,"%s vserver proto_p %s\n",hc,ip_proto_p); fprintf (fout,"%s allow %s\n",hc,horizon_masterip); fprintf (fout,"%s vserverdir root /\n",hc); // Socket for monitoring for (auto t:glocal.config->keysds){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/A-keysd-%s.sock,root\n" 
,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/A-keysd-%s.sock\n" ,trli_user,sock_tests_dir,server); } for (auto t:glocal.config->sessionds){ const char *server = t.server.c_str(); unsigned port = 9200; fprintf (fout,"%s --bind unix,%s/A-sessiond-%s-client-%u.sock,root\n" ,hc,sock_tests_dir,server,port); fprintf (fout,"%s --bind unix,%s/A-sessiond-%s-admin-%u.sock,root\n" ,hc,sock_tests_dir,server,port); fprintf (fout,"chown %s %s/A-sessiond-%s-admin-9200.sock\n" ,trli_user,sock_tests_dir,server); fprintf (fout,"chown %s %s/A-sessiond-%s-client-9200.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For bolixod system tests\n"); for (auto t:glocal.config->bolixods){ const char *server = t.server.c_str(); for (unsigned i=0; ipublishds){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/B-publishd-%s-client.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/B-publishd-%s-client.sock\n" ,trli_user,sock_tests_dir,server); } #endif fprintf (fout,"# For bod system tests\n"); for (auto t:glocal.config->bods){ const char *server = t.server.c_str(); for (unsigned i=0; i<=t.workers; i++){ unsigned port = 9000+i; fprintf (fout,"%s --bind unix,%s/B-bod-%s-client-%u.sock,root\n" ,hc,sock_tests_dir,server,port); fprintf (fout,"%s --bind unix,%s/B-bod-%s-admin-%u.sock,root\n" ,hc,sock_tests_dir,server,port); fprintf (fout,"chown %s %s/B-bod-%s-client-%u.sock\n" ,trli_user,sock_tests_dir,server,port); fprintf (fout,"chown %s %s/B-bod-%s-admin-%u.sock\n" ,trli_user,sock_tests_dir,server,port); } } fprintf (fout,"# For exim system tests\n"); for (auto t:glocal.config->exims){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/C-exim-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/C-exim-%s.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For web 80 system tests\n"); for (auto t:glocal.config->webs){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind 
unix,%s/F-web-80-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/F-web-80-%s.sock\n" ,trli_user,sock_tests_dir,server); fprintf (fout,"%s --bind unix,%s/F-web-fail-80-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/F-web-fail-80-%s.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For web trli-stop system tests\n"); for (auto t:glocal.config->webs){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/D-web-stop-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/D-web-stop-%s.sock\n" ,trli_user,sock_tests_dir,server); fprintf (fout,"%s --bind unix,%s/D-web-fail-stop-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/D-web-fail-stop-%s.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For webadm trli-stop system tests\n"); for (auto t:glocal.config->webadms){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/D-webadm-stop-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/D-webadm-stop-%s.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For trli-syslog system tests\n"); for (auto t:glocal.config->logs){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/E-syslog-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/E-syslog-%s.sock\n" ,trli_user,sock_tests_dir,server); } fprintf (fout,"# For trli-log system tests\n"); for (auto t:glocal.config->computes){ const char *server = t.server.c_str(); fprintf (fout,"%s --bind unix,%s/E-log-%s.sock,root\n" ,hc,sock_tests_dir,server); fprintf (fout,"chown %s %s/E-log-%s.sock\n" ,trli_user,sock_tests_dir,server); } if (!glocal.devmode){ fprintf (fout,"# Allow the host to send email\n"); fprintf (fout,"%s --bind unix,/dev/smtp.sock,root\n" ,hc); fprintf (fout,"chown %s /dev/smtp.sock\n" ,trli_user); } return 0; trli_chmod (horizon_rules,0755); ("/tmp/horizon-debug.sh",false); string hc_str = string 
(blackhole_path) + "/horizon-control --port " + sock_dir + "/horizon.sock"; const char *hc = hc_str.c_str(); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s debugfile /tmp/horizon.log\n",hc); fprintf (fout,"if [ \"$1\" = off ]; then\n"); fprintf (fout,"\t%s debug 0\n",hc); fprintf (fout,"elif [ \"$1\" = on ]; then\n"); fprintf (fout,"\t%s debug 1\n",hc); fprintf (fout,"else\n"); fprintf (fout,"\techo on or off\n"); fprintf (fout,"fi\n"); return 0; trli_chmod ("/tmp/horizon-debug.sh",0755); // SERVICE conproxy ("/tmp/conproxy.sh",false); fprintf (fout,"#!/bin/sh\n" "%s/conproxy" " -p %s/conproxy.sock --user %s --pidfile %s/conproxy.pid --daemon --statfile %s/conproxy-connect.log\n" ,blackhole_path,sock_dir,blackhole_user,pid_dir,log_dir); return 0; if (!glocal.devmode){ (conproxy_options_conf,false); fprintf (fout, "MAXHANDLES=10000\n" "CONPROXYOPTIONS=\"-p %s/conproxy.sock --user %s --pidfile %s/conproxy.pid --statfile %s/conproxy-connect.log\"\n" ,sock_dir,blackhole_user,pid_dir,log_dir); return 0; } trli_chmod ("/tmp/conproxy.sh",0755); fprintf (glocal.all_fout,"/tmp/conproxy.sh\n"); ("/tmp/protocheck.sh",false); fprintf (fout,"#!/bin/sh\n" "%s/protocheck-2factors" " --control %s/protocheck-2factors.sock --user %s --pidfile %s/protocheck-0.pid --daemon" " --follow_mode --unlocked --bind %s --port 9080" " --http %s/http_check.conf\n" ,blackhole_path,sock_dir,blackhole_user,pid_dir ,ip_proto_p ,config_dir); fprintf (fout,"#!/bin/sh\n" "%s/protocheck-2factors" " --control %s/protocheck-2factors-learn.sock --user %s --pidfile %s/protocheck-1.pid --daemon" " --follow_mode --unlocked --bind %s --port 9081" " --http %s/http_check.conf --learnfile /tmp/learn.log\n" ,blackhole_path,sock_dir,blackhole_user,pid_dir ,ip_proto_p ,config_dir); return 0; trli_chmod ("/tmp/protocheck.sh",0755); //fprintf (glocal.all_fout,"/tmp/protocheck.sh\n"); return 0; trli_chmod ("/tmp/bkstart.sh",0755); const char *bo_start = "/root/bolixostart.sh"; const char *bo_stop = 
"/root/bolixostop.sh"; if (devmode){ bo_start = "/tmp/bolixostart.sh"; bo_stop = "/tmp/bolixostop.sh"; } (bo_start,false); glocal FILE *all_fout = fout; fprintf (fout,"#!/bin/sh\n"); { // SERVICE iptables if (!glocal.devmode && glocal.iptables){ const char *iptables_sh = glocal.devmode ? "/tmp/iptables.sh" : "/root/iptables.sh"; (iptables_sh,false); glocal FILE *fout = fout; fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"iptables --flush\n"); fprintf (fout,"iptables --flush -t nat\n"); fprintf (fout,"iptables --delete-chain\n"); fprintf (fout,"iptables -t nat --delete-chain\n"); if (preprodmode){ fprintf (fout,"iptables -t nat -A PREROUTING -s %s -p tcp -j REDIRECT --to-port 2025\n",ip_exim); }else{ fprintf (fout,"#iptables -t nat -A PREROUTING -s %s -p tcp -j REDIRECT --to-port 8080\n",ip_exim); } fprintf (fout,"iptables -t nat -A POSTROUTING -o eth0 -s %s -j MASQUERADE\n",ip_exim); fprintf (fout,"iptables -t nat -A POSTROUTING -o eth0 -s %s -j MASQUERADE\n",ip_bod); fprintf (fout,"iptables -t nat -A POSTROUTING -o eth0 -s %s -j MASQUERADE\n",ip_bolixod); fprintf (fout,"iptables -t nat -A POSTROUTING -o eth0 -s %s -j MASQUERADE\n",ip_publishd); fprintf (fout,"iptables --flush -t mangle\n"); #if 1 fprintf (fout,"iptables -t mangle -X DIVERT\n"); fprintf (fout,"iptables -t mangle -N DIVERT\n"); fprintf (fout,"iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT\n"); #endif #if 0 fprintf (fout,"iptables -t mangle -A OUTPUT --src 192.168.122.0/24 -d 192.168.4.0/24 -j ACCEPT\n"); fprintf (fout,"iptables -t mangle -A OUTPUT --src 192.168.122.0/24 -d 192.168.122.1 -j ACCEPT\n"); fprintf (fout,"iptables -t mangle -A OUTPUT --src %s -p tcp -j MARK --set-xmark 0x1/0xffffffff\n",ip_exim); fprintf (fout,"iptables -t mangle -A OUTPUT --src %s -p tcp -j MARK --set-xmark 0x1/0xffffffff\n",ip_webssl); #endif #if 1 // Used by the horizon to connect to internal services while // using the original source IP (form the internet) fprintf (fout,"iptables -t mangle -A 
DIVERT -j MARK --set-mark 1\n"); fprintf (fout,"iptables -t mangle -A DIVERT -j ACCEPT\n"); fprintf (fout,"ip rule add fwmark 1 lookup 100\n"); fprintf (fout,"ip route add local 0.0.0.0/0 dev lo table 100\n"); fprintf (fout,"echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter\n"); #endif glocal bool onerule = false; ("/root/sshd.lst",true); glocal.onerule = true; fprintf (glocal.fout,"iptables -A INPUT -s %s -p tcp --dport 22 -j ACCEPT\n",line); return 0; if (glocal.onerule){ fprintf (fout,"iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT\n"); } // Prevent any lxc0 container from talking to any other using IP. It has to go through blackhole if (preprodmode){ fprintf (fout,"iptables -A FORWARD -s 192.168.124.0/24 -d 192.168.124.0/24 -j REJECT\n"); }else{ fprintf (fout,"iptables -A FORWARD -s 192.168.122.0/24 -d 192.168.122.0/24 -j REJECT\n"); } return 0; trli_chmod (iptables_sh,0755); fprintf (glocal.all_fout,"%s\n",iptables_sh); } // SERVICE dnsproxy { ("/var/lib/lxc/udpproxy.sh",false); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"echo udpproxy\n"); fprintf (fout,"/usr/sbin/udpproxy --daemon --udp2tcp --udpport 53 --udphost %s --tcphost %s --tcpport 8053 --bindaddr %s\n" ,horizon_ip,horizon_ip,dnsproxy_ip); fprintf (fout,"/usr/sbin/udpproxy --daemon --control %s/udpproxy-out.sock" " --pidfile /var/run/udpproxy-out.pid --tcp2udp --tcphost %s --tcpport 8053 --udpport 53" ,sock_dir,dnsproxy_ip); glocal FILE *fout = fout; ("/etc/resolv.conf",true); vector tb; int n = str_splitline(line,' ',tb); if (n == 2 && string_cmp(tb[0],"nameserver")==0){ fprintf (glocal.fout," --udphost %s",tb[1].c_str()); } return 0; fprintf (fout,"\n"); return 0; fprintf (glocal.all_fout,"/var/lib/lxc/udpproxy.sh\n"); trli_chmod ("/var/lib/lxc/udpproxy.sh",0755); } // SERVICE bolixod for (auto t:glocal.config->bolixods){ if (t.server == glocal.server){ mkdir ("/var/lib/lxc/bolixod",0755); glocal const char *secret = t.secret.c_str(); glocal int workers = t.workers; glocal unsigned maxaccts 
= t.maxaccts; ("/var/lib/lxc/bolixod/bolixod.init",false); fprintf (fout,"export BOLIXOD_PWD=%s\n",sql_bolixod_pwd); for (int i=0; i string startfile; ("bolixod",ip_bolixod,startfile,trli_user,trli_userid); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/lib/mysql\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/sessiond.sock:/var/lib/lxc/%s/rootfs/dev/sessiond.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/sessiond.sock\n",trli_user,name); fprintf (fout,"echo nameserver %s >/var/lib/lxc/%s/rootfs/etc/resolv.conf\n" ,horizon_ip,name); if (glocal.devmode){ fprintf (fout,"echo %s test1.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_webssl,name); fprintf (fout,"echo %s alpha.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); }else if (preprodmode){ fprintf (fout,"echo %s alpha.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); fprintf (fout,"echo %s bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); } fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("bolixod","bolixod",project_path,glocal.workers,glocal.stopbolixod); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/sessiond.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql.sock %s\n" ,blackhole_path,sock_dir,name); lxc_config ("bolixod",ip_bolixod,true); lxc_status (project_path,"bolixod","bolixod",glocal.workers); lxc_debug (project_path,"bolixod","bolixod",glocal.workers); } } // SERVICE publishd for (auto t:glocal.config->publishds){ if (t.server == glocal.server){ mkdir 
("/var/lib/lxc/publishd",0755); glocal const char *secret = t.secret.c_str(); ("/var/lib/lxc/publishd/publishd.init",false); fprintf (fout,"export PUBLISHD_PWD=%s\n",sql_publishd_pwd); { fprintf (fout,"%s/publishd ",project_path); fprintf (fout,"--control %s/publishd.sock" " --hostname %s" " --admin_secrets %s/secrets.admin" " --dbserv %s --dbname files --dbuser %s" " --user %s --daemon" " --pidfile /tmp/publishd.pid\n" ,lxcsock_dir ,preprodmode ? "preprod.bolixo.org" : glocal.hostname ,config_dir ,"localhost",sql_publishd_user ,trli_user ); } return 0; string startfile; ("publishd",ip_publishd,startfile,trli_user,trli_userid); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/lib/mysql\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/keysd.sock:/var/lib/lxc/%s/rootfs/dev/keysd.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/keysd.sock\n",trli_user,name); fprintf (fout,"echo nameserver %s >/var/lib/lxc/%s/rootfs/etc/resolv.conf\n" ,horizon_ip,name); if (glocal.devmode){ fprintf (fout,"echo %s test1.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip0_webssl,name); fprintf (fout,"echo %s alpha.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); }else if (preprodmode){ fprintf (fout,"echo %s test1.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip0_webssl,name); fprintf (fout,"echo %s alpha.bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); fprintf (fout,"echo %s bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n" ,ip_preprod,name); } fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("publishd","publishd",project_path,-1,glocal.stoppublishd); fprintf (fout,"%s/horizon-control -p 
%s/horizon.sock unbindfd unix /var/lib/mysql/mysql.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/keysd.sock %s\n" ,blackhole_path,sock_dir,name); lxc_config ("publishd",ip_publishd,true); lxc_status (project_path,"publishd","publishd",-1); lxc_debug (project_path,"publishd","publishd",-1); } } // SERVICE bod for (auto t:glocal.config->bods){ if (t.server == glocal.server){ mkdir ("/var/lib/lxc/bod",0755); glocal const char *secret = t.secret.c_str(); glocal int workers = t.workers; glocal unsigned maxaccts = t.maxaccts; ("/var/lib/lxc/bod/bod.init",false); fprintf (fout,"export BOD_PWD=%s\n",sql_bod_pwd); /* Important, we create one more bod process than specified (see the <=). The last one is used only by webapi.hc for the getpubkey request. This is done to avoid a dead-lock. The sequence is this. A user add a remote account in his interest list. The bod serving the user contact the remote site to register this site in the interest list of the remote user. If this is the first time that we contact the remote site, it will request our public key. And based on activities on all the bod servers, this request might be served by the bod server doing the remote request. Dead-lock. 
*/ for (int i=0; i<=glocal.workers; i++){ fprintf (fout,"%s/bod ",project_path); fprintf (fout,"--tcpport %d --control %s/bod-%d.sock" " --maxaccts %u" " --adminhost %s --adminport /dev/writed.sock --sesshost %s --sessport /dev/sessiond.sock" " --dbserv %s --dbname files --dbuser %s" " --admin_secrets %s/secrets.admin --client_secrets %s/secrets.client" " --mysecret %s --user %s --sqltcpport 3307 --daemon" " --pidfile /tmp/bod-%d.pid" ,9000+i,lxcsock_dir,i ,glocal.maxaccts ,horizon_ip,horizon_ip ,"localhost",sql_bod_user ,config_dir,config_dir ,glocal.secret,trli_user ,i); fprintf (fout," --nodename %s --dirserver %s",glocal.nodename,glocal.dirserver); if (glocal.devmode || preprodmode){ fprintf (fout," --nonstrict --usehttp test1.bolixo.org"); } fprintf (fout,"\n"); } return 0; string startfile; ("bod",ip_bod,startfile,trli_user,trli_userid); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/writed.sock:/var/lib/lxc/%s/rootfs/dev/writed.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/writed.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/sessiond.sock:/var/lib/lxc/%s/rootfs/dev/sessiond.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/sessiond.sock\n",trli_user,name); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/lib/mysql\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock\n",trli_user,name); fprintf (fout,"echo nameserver %s >/var/lib/lxc/bod/rootfs/etc/resolv.conf\n" ,horizon_ip); if (glocal.devmode){ fprintf (fout,"echo %s test1.bolixo.org >>/var/lib/lxc/bod/rootfs/etc/hosts\n" ,ip0_webssl); fprintf (fout,"echo %s preprod.bolixo.org >>/var/lib/lxc/bod/rootfs/etc/hosts\n" 
,ip_preprod); }else if (preprodmode){ fprintf (fout,"echo %s test1.bolixo.org >>/var/lib/lxc/bod/rootfs/etc/hosts\n" ,ip0_webssl); fprintf (fout,"echo %s alpha.bolixo.org >>/var/lib/lxc/bod/rootfs/etc/hosts\n" ,ip_preprod); fprintf (fout,"echo %s bolixo.org >>/var/lib/lxc/bod/rootfs/etc/hosts\n" ,ip_preprod); } fprintf (glocal.all_fout,"%s\n",startfile.c_str()); // +1 for the pubkey bod server ("bod","bod",project_path,glocal.workers+1,glocal.stopbod); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/writed.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/sessiond.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql.sock %s\n" ,blackhole_path,sock_dir,name); lxc_config ("bod",ip_bod,true); lxc_status (project_path,"bod","bod",glocal.workers+1); lxc_debug (project_path,"bod","bod",glocal.workers+1); } } // SERVICE writed for (auto t:glocal.config->writeds){ if (t.server == glocal.server){ mkdir ("/var/lib/lxc/writed",0755); glocal const char *secret = t.secret.c_str(); glocal int workers = t.workers; ("/var/lib/lxc/writed/writed.init",false); fprintf (fout,"export BO_WRITED_PWD=%s\n",sql_bo_writed_pwd); for (int i=0; i string startfile; ("writed",ip_writed,startfile,trli_user,trli_userid); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/compute.sock:/var/lib/lxc/%s/rootfs/dev/compute.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/compute.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/sessiond.sock:/var/lib/lxc/%s/rootfs/dev/sessiond.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/sessiond.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind 
unix,/dev/smtp.sock:/var/lib/lxc/%s/rootfs/dev/smtp.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/smtp.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/keysd.sock:/var/lib/lxc/%s/rootfs/dev/keysd.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/keysd.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/publishd.sock:/var/lib/lxc/%s/rootfs/dev/publishd.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/dev/publishd.sock\n",trli_user,name); // Sockets for both MySQL servers fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/lib/mysql\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql-users.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql-users.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql-users.sock\n",trli_user,name); // Generate the list of time zones fprintf (fout,"%s >/var/lib/lxc/%s/rootfs/etc/timezones.lst\n",zoneinfo_cmd,name); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/log/bolixo\n",name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/log/bolixo\n",trli_user,name); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("writed","bo-writed",project_path,glocal.workers,glocal.stopwrited); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/compute.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/sessiond.sock %s\n" ,blackhole_path,sock_dir,name); fprintf 
(fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/publishd.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/smtp.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql-users.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/keysd.sock %s\n" ,blackhole_path,sock_dir,name); _F_lxc_stop::insert(fout,name,command,command_path,workers); lxc_config ("writed",ip_writed); lxc_status (project_path,"writed","bo-writed",glocal.workers); lxc_debug (project_path,"writed","bo-writed",glocal.workers); } } // SERVICE keysd for (auto t:glocal.config->keysds){ if (t.server == glocal.server){ mkdir ("/var/lib/lxc/keysd",0755); ("/var/lib/lxc/keysd/keysd.init",false); fprintf (fout,"export BO_WRITED_PWD=%s\n",sql_bo_writed_pwd); fprintf (fout,"%s/bo-keysd ",project_path); fprintf (fout,"--control %s/bo-keysd.sock" " --data_dbserv %s --data_dbname %s --data_dbuser %s" " --users_dbserv %s --users_dbname %s --users_dbuser %s" " --user %s --daemon" " --pidfile /tmp/keysd.pid\n" ,lxcsock_dir ,"localhost","files",sql_bo_writed_user ,"localhost","users",sql_bo_writed_user ,trli_user); return 0; string startfile; ("keysd",ip_keysd,startfile,trli_user,trli_userid); // Sockets for both MySQL servers fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/var/lib/mysql\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/var/lib/mysql/mysql.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql.sock\n",trli_user,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind 
unix,/var/lib/mysql/mysql-users.sock:/var/lib/lxc/%s/rootfs/var/lib/mysql/mysql-users.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown %s /var/lib/lxc/%s/rootfs/var/lib/mysql/mysql-users.sock\n",trli_user,name); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("keysd","bo-keysd",project_path,-1,glocal.stopkeysd); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /var/lib/mysql/mysql-users.sock %s\n" ,blackhole_path,sock_dir,name); _F_lxc_stop::insert(fout,name,command,command_path,workers); lxc_config ("keysd",ip_keysd); lxc_status (project_path,"keysd","bo-keysd",-1); lxc_debug (project_path,"keysd","bo-keysd",-1); } } // SERVICE sessiond for (auto s:glocal.config->sessionds){ if (s.server == glocal.server){ mkdir ("/var/lib/lxc/sessiond",0755); ("/var/lib/lxc/sessiond/sessiond.init",false); fprintf (fout,"%s/bo-sessiond ",project_path); fprintf (fout,"--tcpport 9200 --control %s/bo-sessiond.sock" " --admin-secrets %s/secrets.admin --client-secrets %s/secrets.client" " --user %s --daemon --pidfile /tmp/sessiond.pid" " --variable subject --variable order --variable currentform" " --variable offsets --variable webtabs --variable currents --variable document --variable geometry" " --variable copy --variable fulltext --variable firstseen\n" ,lxcsock_dir ,config_dir,config_dir ,trli_user); return 0; string startfile; lxc_start ("sessiond",ip_sessiond,startfile); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); lxc_stop ("sessiond","bo-sessiond",project_path,-1,glocal.stopsessiond); lxc_config ("sessiond",ip_sessiond); lxc_status (project_path,"sessiond","bo-sessiond",-1); lxc_debug (project_path,"sessiond","bo-sessiond",-1); } } // SERVICE web for (auto s:glocal.config->webs){ if (s.server == glocal.server){ glocal const char *secret = s.secret.c_str(); static const char *tb[]={"web","web-fail"}; 
const char *ip = ip_web; for (auto w:tb){ mkdir (string_f("/var/lib/lxc/%s",w).c_str(),0755); (string_f("/var/lib/lxc/%s/%s.init",w,w),false); fprintf (fout,"/usr/sbin/httpd --daemon\n"); fprintf (fout,"%s/trli-stop --daemon --user %s --control /tmp/trli-stop.sock --pidfile /tmp/trli-stop.pid\n",sbin_path,"apache"); return 0; string startfile; (w,ip,startfile,"apache",48); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/bod.sock:/var/lib/lxc/%s/rootfs/dev/bod.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/bod.sock\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/bod-pubkey.sock:/var/lib/lxc/%s/rootfs/dev/bod-pubkey.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/bod-pubkey.sock\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/sessiond.sock:/var/lib/lxc/%s/rootfs/dev/sessiond.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/sessiond.sock\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/bolixod.sock:/var/lib/lxc/%s/rootfs/dev/bolixod.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/bolixod.sock\n",name); tlmpweb_conf (fout,name); fprintf (fout,"#!/bin/sh\n"); // Generate the list of time zones fprintf (fout,"%s >/var/lib/lxc/%s/rootfs/etc/timezones.lst\n",zoneinfo_cmd,name); fprintf (fout,"cat <<-EOF >/var/lib/lxc/%s/rootfs/var/www/html/static.html\n",name); fprintf (fout,"\n"); fprintf (fout,"this is a test\n"); fprintf (fout,"\n"); fprintf (fout,"EOF\n"); fprintf (fout,"echo %s >/var/lib/lxc/%s/rootfs/etc/secret\n",glocal.secret,name); fprintf (fout,"echo node=%s >/var/lib/lxc/%s/rootfs/etc/bolixonode.conf\n",glocal.nodename,name); fprintf (fout,"echo dirserver=%s/bolixo.hc >>/var/lib/lxc/%s/rootfs/etc/bolixonode.conf\n",glocal.dirserver,name); fprintf 
(fout,"echo org=%s >>/var/lib/lxc/%s/rootfs/etc/bolixonode.conf\n",glocal.org,name); if (glocal.private_site){ fprintf (fout,"echo private_site >>/var/lib/lxc/%s/rootfs/etc/bolixonode.conf\n",name); } fprintf (glocal.all_fout,"%s\n",startfile.c_str()); string stopcmd; (w,NULL,NULL,-1,stopcmd); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/bod.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/bod-pubkey.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/sessiond.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/bolixod.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"lxc-stop -n %s\n",name); if (glocal.stopweb.size() > 0) glocal.stopweb += "\n"; glocal.stopweb += stopcmd.c_str(); lxc_config (w,ip); ip = ip_web_fail; } } } // SERVICE webadm for (auto s:glocal.config->webadms){ if (s.server == glocal.server){ mkdir ("/var/lib/lxc/webadm",0755); ("/var/lib/lxc/webadm/webadm.init",false); fprintf (fout,"/usr/sbin/httpd --daemon\n"); fprintf (fout,"%s/trli-stop --daemon --user %s --control /tmp/trli-stop.sock --pidfile /tmp/trli-stop.pid\n",sbin_path,"apache"); return 0; string startfile; ("webadm",ip_webadm,startfile,"apache",48); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/bod.sock:/var/lib/lxc/%s/rootfs/dev/bod.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/bod.sock\n",name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock --bind unix,/dev/sessiond.sock:/var/lib/lxc/%s/rootfs/dev/sessiond.sock,%s\n" ,blackhole_path,sock_dir,name,name); fprintf (fout,"chown 48 /var/lib/lxc/%s/rootfs/dev/sessiond.sock\n",name); tlmpweb_conf (fout,name); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("webadm",NULL,NULL,-1,glocal.stopwebadm); fprintf (fout,"%s/horizon-control 
-p %s/horizon.sock unbindfd unix /dev/bod.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"%s/horizon-control -p %s/horizon.sock unbindfd unix /dev/sessiond.sock %s\n" ,blackhole_path,sock_dir,name); fprintf (fout,"lxc-stop -n %s\n",name); lxc_config ("webadm",ip_webadm); } } // SERVICE webssl for (auto s:glocal.config->webssls){ if (s.server == glocal.server){ static const char *tb[]={"webssl","webssl-fail"}; glocal const char *ip = ip_webssl; for (auto w:tb){ mkdir (string_f("/var/lib/lxc/%s",w).c_str(),0755); (string_f("/var/lib/lxc/%s/%s.init",w,w),false); fprintf (fout,"/usr/sbin/httpd --daemon\n"); return 0; string startfile; (w,glocal.ip,startfile,"apache",48); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"echo %s %s >>/var/lib/lxc/%s/rootfs/etc/hosts\n",glocal.ip,glocal.hostname,name); fprintf (fout,"cat <<-EOF >/var/lib/lxc/%s/rootfs/etc/httpd/conf.d/proxy.conf\n",name); fprintf (fout,"DirectoryIndex index.hc\n"); fprintf (fout,"ProxyPass \"/index.hc\" \"http://192.168.4.1:9080/index.hc\"\n"); fprintf (fout,"ProxyPass \"/webapi.hc\" \"http://192.168.4.1:9080/webapi.hc\"\n"); fprintf (fout,"ProxyPass \"/bolixoapi.hc\" \"http://192.168.4.1:9080/bolixoapi.hc\"\n"); fprintf (fout,"ProxyPass \"/bolixo.hc\" \"http://192.168.4.1:9080/bolixo.hc\"\n"); fprintf (fout,"RewriteEngine On\n"); fprintf (fout,"#LogLevel alert rewrite:trace7\n"); fprintf (fout,"RewriteRule ^/public/(.*) /public.hc?image=\\$1 [PT,QSA]\n"); fprintf (fout,"RewriteRule ^/publique/(.*) /public.hc?image=\\$1 [PT,QSA]\n"); fprintf (fout,"ProxyPass \"/public.hc\" \"http://192.168.4.1:9080/public.hc\"\n"); if (glocal.devmode){ fprintf (fout,"ProxyPass \"/journey.hc\" \"http://192.168.4.1:9080/journey.hc\"\n"); } fprintf (fout,"ProxyPass \"/blog.hc\" \"http://192.168.4.1:9080/blog.hc\"\n"); fprintf (fout,"ProxyPass \"/admin.hc\" \"http://192.168.4.2:9080/admin.hc\"\n"); fprintf (fout,"ProxyPass \"/static.html\" \"http://192.168.4.1:9080/static.html\"\n"); fprintf (fout,"EOF\n"); if 
(!glocal.devmode){ fprintf (fout,"if [ -f /etc/letsencrypt/live/%s/fullchain.pem ]; then\n",glocal.hostname); fprintf (fout,"cat <<-EOF >/var/lib/lxc/%s/rootfs/etc/httpd/conf.d/redirect.conf\n",name); fprintf (fout,"\n"); #if 1 fprintf (fout,"RewriteEngine On\n"); fprintf (fout,"RewriteCond %%{HTTPS} !=on\n"); // This checks to make sure the connection is not already HTTPS fprintf (fout,"RewriteRule ^/?(.*) https://%%{SERVER_NAME}/$1 [R,L]\n"); #else static const char *tb[]={"","index.hc","bolixoapi.hc","bolixo.hc","webapi.hc"}; for (auto f:tb){ fprintf (fout,"Redirect permanent /%s %s/%s\n",f,glocal.nodename,f); } #endif fprintf (fout,"\n"); fprintf (fout,"EOF\n"); // We make sure this is the first virtualhost by naming it 0hostssl.conf fprintf (fout,"cat <<-EOF >/var/lib/lxc/%s/rootfs/etc/httpd/conf.d/0hostssl.conf\n",name); fprintf (fout,"\n",glocal.hostname); fprintf (fout,"ServerName %s\n",glocal.hostname); if (preprodmode){ fprintf (fout,"ServerAlias preprod.bolixo.org\n"); } fprintf (fout,"SSLCertificateFile /etc/letsencrypt/live/%s/fullchain.pem\n",glocal.hostname); fprintf (fout,"SSLCertificateKeyFile /etc/letsencrypt/live/%s/privkey.pem\n",glocal.hostname); fprintf (fout,"Include /etc/letsencrypt/options-ssl-apache.conf\n"); fprintf (fout,"ErrorLog logs/ssl_error_log\n"); fprintf (fout,"TransferLog logs/ssl_access_log\n"); fprintf (fout,"RewriteEngine On\n"); fprintf (fout,"#LogLevel alert rewrite:trace7\n"); fprintf (fout,"RewriteRule ^/public/(.*) /public.hc?image=\\$1 [PT]\n"); fprintf (fout,"RewriteRule ^/publique/(.*) /public.hc?image=\\$1 [PT]\n"); fprintf (fout,"\n"); fprintf (fout,"EOF\n"); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/%s\n",name,glocal.hostname); fprintf (fout,"cp /etc/letsencrypt/options-ssl-apache.conf /var/lib/lxc/%s/rootfs/etc/letsencrypt\n",name); fprintf (fout,"cp /etc/letsencrypt/live/%s/fullchain.pem /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/%s\n" ,glocal.hostname,name,glocal.hostname); fprintf 
(fout,"cp /etc/letsencrypt/live/%s/privkey.pem /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/%s\n" ,glocal.hostname,name,glocal.hostname); fprintf (fout,"fi\n"); // Special case for directory server fprintf (fout,"if [ -f /etc/letsencrypt/live/bolixo.org/fullchain.pem ] ; then\n"); fprintf (fout," cat <<-EOF >/var/lib/lxc/%s/rootfs/etc/httpd/conf.d/bolixo_org.conf\n",name); fprintf (fout,"\n"); fprintf (fout,"ServerName bolixo.org\n"); fprintf (fout,"DirectoryIndex bolixo.hc\n"); fprintf (fout,"SSLCertificateFile /etc/letsencrypt/live/bolixo.org/fullchain.pem\n"); fprintf (fout,"SSLCertificateKeyFile /etc/letsencrypt/live/bolixo.org/privkey.pem\n"); fprintf (fout,"Include /etc/letsencrypt/options-ssl-apache.conf\n"); fprintf (fout,"ErrorLog logs/ssl_error_log\n"); fprintf (fout,"TransferLog logs/ssl_access_log\n"); fprintf (fout,"\n"); fprintf (fout,"EOF\n"); fprintf (fout,"mkdir -p /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/bolixo.org\n",name); fprintf (fout,"cp /etc/letsencrypt/live/bolixo.org/fullchain.pem /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/bolixo.org\n",name); fprintf (fout,"cp /etc/letsencrypt/live/bolixo.org/privkey.pem /var/lib/lxc/%s/rootfs/etc/letsencrypt/live/bolixo.org\n",name); fprintf (fout,"echo %s bolixo.org >>/var/lib/lxc/%s/rootfs/etc/hosts\n",glocal.ip,name); fprintf (fout,"fi\n"); } fprintf (fout,"ROOT=/var/lib/lxc/%s/rootfs\n",name); fprintf (fout,"for FILE in /etc/httpd/conf.d/add.conf /etc/httpd/conf.d/le_http_01_challenge_pre.conf /etc/httpd/conf.d/le_http_01_challenge_post.conf\n"); fprintf (fout,"do\n"); fprintf (fout," if [ -f $FILE ] ; then\n"); fprintf (fout," cp -a $FILE $ROOT/etc/httpd/conf.d/.\n"); fprintf (fout," cp -a $FILE /tmp/.\n"); fprintf (fout," fi\n"); fprintf (fout,"done\n"); fprintf (fout,"if [ -d /var/lib/letsencrypt ] ; then\n"); fprintf (fout," mkdir -p $ROOT/var/lib/letsencrypt\n"); fprintf (fout," cp -a /var/lib/letsencrypt/. 
$ROOT/var/lib/letsencrypt/.\n"); fprintf (fout,"fi\n"); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); string stopcmd; lxc_stop (w,NULL,NULL,-1,stopcmd); if (glocal.stopwebssl.size() > 0) glocal.stopwebssl += "\n"; glocal.stopwebssl += stopcmd.c_str(); lxc_config (w,glocal.hostname,glocal.ip,true); glocal.ip = ip_webssl_fail; } } } // SERVICE protocheck for (auto s:glocal.config->protos){ if (s.server == glocal.server){ glocal PROTO *p = &s; mkdir ("/var/lib/lxc/protocheck",0755); ("/var/lib/lxc/protocheck/protocheck.init",false); for (unsigned i=0; iworkers; i++){ fprintf (fout,"%s/protocheck-2factors" " --control %s/protocheck-2factors-%u.sock --user %s --pidfile %s/protocheck-%u.pid --daemon" " --follow_mode --unlocked --bind %s --port unix:/tmp/proto-%u.sock" " --http %s/http_check.conf --errorfile /tmp/error-%u.log\n" ,blackhole_path ,lxcsock_dir,i,"apache",pid_dir,i ,ip_proto,glocal.p->port+i ,config_dir,i); } fprintf (fout,"%s/protocheck-2factors" " --control %s/protocheck-2factors-learn.sock --user %s --pidfile %s/protocheck-learn.pid --daemon" " --follow_mode --unlocked --bind %s --port unix:/tmp/proto-%u.sock" " --http %s/http_check.conf --learnfile /tmp/learn.log --errorfile /tmp/error-learn.log\n" ,blackhole_path ,lxcsock_dir,"apache",pid_dir ,ip_proto,glocal.p->port_l ,config_dir); return 0; string startfile; lxc_start ("protocheck",ip_proto,startfile,"apache",48); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); ("protocheck",NULL,NULL,-1,glocal.stopproto); for (unsigned i=0; iworkers; i++){ fprintf (fout,"%s/protocheck-2factors-control" " -p /var/lib/lxc/protocheck/rootfs%s/protocheck-2factors-%u.sock quit\n" ,blackhole_path,lxcsock_dir,i); } fprintf (fout,"%s/protocheck-2factors-control" " -p /var/lib/lxc/protocheck/rootfs%s/protocheck-2factors-learn.sock quit\n" ,blackhole_path,lxcsock_dir); fprintf (fout,"lxc-info -s -n %s | grep -q RUNNING && (echo Force stop %s; lxc-stop -n %s)\n" ,name,name,name); lxc_config ("protocheck",ip_proto); 
lxc_status (blackhole_path,"protocheck","protocheck-2factors",s.workers); lxc_debug (blackhole_path,"protocheck","protocheck-2factors",s.workers); } } // SERVICE bosqlddata for (auto s:glocal.config->bosqlddatas){ if (s.server == glocal.server){ string startfile; config_sql ("bosqlddata",ip_bosqlddata,startfile,glocal.stopsqlddata); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); } } // SERVICE bosqlduser for (auto s:glocal.config->bosqldusers){ if (s.server == glocal.server){ string startfile; config_sql ("bosqlduser",ip_bosqlduser,startfile,glocal.stopsqlduser); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); } } // SERVICE bosqldbolixo for (auto s:glocal.config->bosqldbolixos){ if (s.server == glocal.server){ string startfile; config_sql ("bosqldbolixo",ip_bosqldbolixo,startfile,glocal.stopsqldbolixo); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); } } // SERVICE exim for (auto s:glocal.config->exims){ if (s.server == glocal.server){ glocal WEB *p = &s; mkdir ("/var/lib/lxc/exim",0755); ("/var/lib/lxc/exim/exim.init",false); fprintf (fout,"/usr/sbin/exim -bd -q15m\n"); return 0; string startfile; ("exim",ip_exim,startfile,"exim",93); fprintf (fout,"echo nameserver %s >/var/lib/lxc/exim/rootfs/etc/resolv.conf\n" ,horizon_ip); fprintf (fout,"echo smtp 25/tcp mail >/var/lib/lxc/exim/rootfs/etc/services\n"); if (preprodmode){ fprintf (fout,"echo 192.168.124.1 relay >>/var/lib/lxc/%s/rootfs/etc/hosts\n",name); }else{ fprintf (fout,"echo 192.168.122.1 relay >>/var/lib/lxc/%s/rootfs/etc/hosts\n",name); } fprintf (fout,"echo 192.168.4.1 norelay >>/var/lib/lxc/%s/rootfs/etc/hosts\n",name); fprintf (fout,"echo root: /dev/null >/var/lib/lxc/%s/rootfs/etc/aliases\n",name); fprintf (fout,"echo exim: /dev/null >>/var/lib/lxc/%s/rootfs/etc/aliases\n",name); fprintf (fout,"echo no-reply: /dev/null >>/var/lib/lxc/%s/rootfs/etc/aliases\n",name); fprintf (fout,"if [ -f /etc/bolixo/admins.conf ] ; then\n"); fprintf (fout,"\t. 
/etc/bolixo/admins.conf\n"); fprintf (fout,"\techo info: $ADMIN1 >>/var/lib/lxc/%s/rootfs/etc/aliases\n",name); fprintf (fout,"else\n"); fprintf (fout,"\techo No /etc/bolixo/admins.conf\n"); fprintf (fout,"fi\n"); fprintf (fout,"cp -a /etc/pki /var/lib/lxc/%s/rootfs/etc/pki\n",name); fprintf (fout,"DIRCERTS=/var/lib/lxc/%s/rootfs/etc/pki/tls/certs\n",name); fprintf (fout,"DIRPRIVATE=/var/lib/lxc/%s/rootfs/etc/pki/tls/private\n",name); fprintf (fout,"mkdir -p $DIRCERTS $DIRPRIVATE\n"); fprintf (fout,"test -f /etc/letsencrypt/live/%s/cert.pem && cp /etc/letsencrypt/live/%s/cert.pem $DIRCERTS/exim.pem\n" ,glocal.hostname,glocal.hostname); fprintf (fout,"test -f /etc/letsencrypt/live/%s/privkey.pem && cp /etc/letsencrypt/live/%s/privkey.pem $DIRPRIVATE/exim.pem\n" ,glocal.hostname,glocal.hostname); fprintf (glocal.all_fout,"%s\n",startfile.c_str()); lxc_stop ("exim",NULL,NULL,-1,glocal.stopexim); lxc_config ("exim","bolixo.org",ip_exim,true); } } } // SERVICE bo-mon for (auto s:glocal.config->monitors){ if (s.server == glocal.server){ static const char *mon_sh = "/var/lib/lxc/bo-mon-start.sh"; glocal MON *s = &s; (mon_sh,false); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s/bo-mon --daemon --control %s/bo-mon.sock --sock_dir %s" " --bod-secret %s --bolixod-secret %s --user %s --alarmcmd %s\n" ,project_path,sock_dir,sock_tests_dir ,glocal.s->bod_secret.c_str(),glocal.s->bolixod_secret.c_str(),trli_user,glocal.s->alarmcmd.c_str()); if (glocal.devmode){ fprintf (fout,"chown %s %s/bo-mon.sock\n",trli_user,sock_dir); } return 0; trli_chmod (mon_sh,0755); fprintf (fout,"%s\n",mon_sh); static const char *stop_sh = "/var/lib/lxc/bo-mon-stop.sh"; (stop_sh,false); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s/bo-mon-control -p %s/bo-mon.sock quit\n",project_path,sock_dir); return 0; trli_chmod (stop_sh,0755); glocal.stoptrlimon = stop_sh; } } // SERVICE trli-syslog for (auto s:glocal.config->logs){ if (s.server == glocal.server){ string startcmd,stopcmd; const char 
*devlog_user = "blackhole"; if (glocal.devmode) devlog_user = trli_user; config_syslog (startcmd,glocal.stoptrlisyslog,devlog,devlog_user,trli_user); fprintf (fout,"%s\n",startcmd.c_str()); } } // SERVICE compute for (auto s:glocal.config->computes){ static const char *compute_start = "/var/lib/lxc/compute-start.sh"; (compute_start,false); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,". /root/trli.conf\n"); fprintf (fout,"%s/trli-log --daemon --data_dbserv 192.168.4.1 --data_dbuser %s" " --data_dbname trli --sqltcpport 3307" " --control %s/trli-log.sock --unixadmin unix:%s/compute.sock" " --compute --admin-secrets %s/secrets.admin" " /var/lib/lxc/writed/rootfs/%s/bo-writed.log\n" ,project_path,sql_bo_writed_user ,sock_dir,sock_dir ,config_dir ,log_dir); if (glocal.devmode){ fprintf (fout,"chown %s %s/compute.sock\n",trli_user,sock_dir); } return 0; trli_chmod (compute_start,0755); fprintf (fout,"%s\n",compute_start); glocal.stopcompute = "/var/lib/lxc/compute-stop.sh"; (glocal.stopcompute,false); fprintf (fout,"#!/bin/sh\n"); fprintf (fout,"%s/trli-log-control -p %s/trli-log.sock quit\n" ,project_path,sock_dir); return 0; trli_chmod (glocal.stopcompute,0755); } // In production mode, the passphrase has to be entered by the operator. 
if (glocal.devmode){ fprintf (glocal.all_fout,"export KEYSDPASS=toto\n"); }else{ fprintf (glocal.all_fout,"if [ -f /root/keysd.pass ]; then\n"); fprintf (glocal.all_fout,"\texport KEYSDPASS=`cat /root/keysd.pass`\n"); fprintf (glocal.all_fout,"\tshred -u /root/keysd.pass\n"); fprintf (glocal.all_fout,"fi\n"); } if (preprodmode){ fprintf (glocal.all_fout,"/usr/lib/email-log --daemon\n"); } fprintf (glocal.all_fout,"%s/bo-keysd-control -p /var/lib/lxc/keysd/rootfs/var/run/blackhole/bo-keysd.sock setpassphrase\n",project_path); return 0; trli_chmod (bo_start,0755); (bo_stop,false); fprintf (fout,"#!/bin/sh\n"); if (glocal.stopcompute.size() > 0) fprintf (fout,"%s\n",glocal.stopcompute.c_str()); if (glocal.stoptrlimon.size() > 0) fprintf (fout,"%s\n",glocal.stoptrlimon.c_str()); if (glocal.stopbod.size() > 0) fprintf (fout,"%s\n",glocal.stopbod.c_str()); if (glocal.stopbolixod.size() > 0) fprintf (fout,"%s\n",glocal.stopbolixod.c_str()); if (glocal.stoppublishd.size() > 0) fprintf (fout,"%s\n",glocal.stoppublishd.c_str()); if (glocal.stopwrited.size() > 0) fprintf (fout,"%s\n",glocal.stopwrited.c_str()); if (glocal.stopkeysd.size() > 0) fprintf (fout,"%s\n",glocal.stopkeysd.c_str()); if (glocal.stopsessiond.size() > 0) fprintf (fout,"%s\n",glocal.stopsessiond.c_str()); if (glocal.stopweb.size() > 0) fprintf (fout,"%s\n",glocal.stopweb.c_str()); if (glocal.stopwebadm.size() > 0) fprintf (fout,"%s\n",glocal.stopwebadm.c_str()); if (glocal.stopwebssl.size() > 0) fprintf (fout,"%s\n",glocal.stopwebssl.c_str()); if (glocal.stopsqlddata.size() > 0) fprintf (fout,"%s\n",glocal.stopsqlddata.c_str()); if (glocal.stopsqlduser.size() > 0) fprintf (fout,"%s\n",glocal.stopsqlduser.c_str()); if (glocal.stopsqldbolixo.size() > 0) fprintf (fout,"%s\n",glocal.stopsqldbolixo.c_str()); if (glocal.stopproto.size() > 0) fprintf (fout,"%s\n",glocal.stopproto.c_str()); if (glocal.stopexim.size() > 0) fprintf (fout,"%s\n",glocal.stopexim.c_str()); if (glocal.stoptrlisyslog.size() > 0) fprintf 
(fout,"%s\n",glocal.stoptrlisyslog.c_str()); fprintf (fout,"killall udpproxy\n"); return 0; trli_chmod (bo_stop,0755); ("/tmp/bkstop.sh",false); fprintf (fout,"%s/blackhole-control -p %s/blackhole.sock quit\n",blackhole_path,sock_dir); fprintf (fout,"%s/horizon-control -p %s/horizon.sock quit\n",blackhole_path,sock_dir); fprintf (fout,"%s/conproxy-control -p %s/conproxy.sock quit\n",blackhole_path,sock_dir); //fprintf (fout,"%s/protocheck-2factors-control -p %s/protocheck-2factors.sock quit\n",blackhole_path,sock_dir); //fprintf (fout,"%s/protocheck-2factors-control -p %s/protocheck-2factors-learn.sock quit\n",blackhole_path,sock_dir); return 0; trli_chmod ("/tmp/bkstop.sh",0755); } static bool trli_lookup (const char *name, vector &tb) { bool ret = false; if (tb.size() > 0){ if (strcmp(tb[0].c_str(),"all")==0){ ret = true; }else{ for (auto x:tb){ if (strcmp(x.c_str(),name)==0){ ret = true; break; } } } } return ret; } int main (int argc, char *argv[]) { glocal int ret = -1; glocal const char *config_file = "/etc/trli/manager.conf"; glocal bool dumpconfig = false; glocal bool devmode = false; glocal vector devip; // List of services which requires a development IP glocal bool inframode = false; glocal.ret = (argc,argv,"bolixo"); setproginfo ("bo-manager",VERSION,MSG_U(I_BOMANAGER ,"Configure the Bolixo cluster" "\n" "bo-manager [ options ] printconfig host\n" )); setarg ('c',"config","Config file",glocal.config_file,false); setarg (' ',"dump","Dump config (debug)",glocal.dumpconfig,false); setarg (' ',"devip","Use development IP (127.0.0.X) for a given service",glocal.devip,false); setarg (' ',"blackhole_path","Path of blackhole utilities",blackhole_path,false); setgrouparg ("Modes"); setarg (' ',"devmode","Sets various parameters to run on a workstation",glocal.devmode,false); setarg (' ',"inframode","Generate config only for infrastructure",glocal.inframode,false); setarg (' ',"preprodmode","Sets various parameters to run in pre-production",preprodmode,false); 
setgrouparg ("SQL"); setarg (' ',"boduser","SQL user for bod server",sql_bod_user,false); setarg (' ',"bodpwd","SQL password for bod server",sql_bod_pwd,false); setarg (' ',"bolixoduser","SQL user for bolixod server",sql_bolixod_user,false); setarg (' ',"bolixodpwd","SQL password for bolixod server",sql_bolixod_pwd,false); setarg (' ',"writeduser","SQL user for bo-writed server",sql_bo_writed_user,false); setarg (' ',"writedpwd","SQL password for bo-writed server",sql_bo_writed_pwd,false); int ret = -1; glocal CONFIG config; if (getenv("BOD_PWD")!=NULL) sql_bod_pwd = getenv("BOD_PWD"); if (getenv("BOLIXOD_PWD")!=NULL) sql_bolixod_pwd = getenv("BOLIXOD_PWD"); if (getenv("PUBLISHD_PWD")!=NULL) sql_publishd_pwd = getenv("PUBLISHD_PWD"); if (getenv("BO_WRITED_PWD")!=NULL) sql_bo_writed_pwd = getenv("BO_WRITED_PWD"); closeweb = file_exist("/root/closeweb"); if (glocal.devmode){ glocal.config.nodename = "http://test1.bolixo.org"; glocal.config.hostname = "test1.bolixo.org"; glocal.config.dirserver = "http://test1.bolixo.org"; }else{ char hostname[200]; if (gethostname(hostname,sizeof(hostname)-1)!=-1){ glocal.config.hostname = hostname; glocal.config.nodename = string_f("http%s://%s",preprodmode || glocal.devmode ? 
"" : "s",hostname); }else{ tlmp_error (MSG_U(E_HOSTNAME,"Can't get this server host name (%s)\n"),strerror(errno)); } if (preprodmode){ glocal.config.dirserver = "http://test1.bolixo.org"; }else{ glocal.config.dirserver = "https://bolixo.org"; } } (glocal.config_file,true); const char *pt = str_skip(line); if (*pt != '#' && *pt != '\0'){ vector tb; int n = str_splitlineq(pt,tb); if (n >= 1){ const char *word = tb[0].c_str(); if (strcmp(word,"server")==0 && n == 5){ glocal.config.servers[tb[1]] = SERVER(tb[2],tb[3],tb[4]); }else if (strcmp(word,"blackhole")==0 && n == 4){ glocal.config.blackholes.push_back(BLACKHOLE(tb[1],tb[2],trli_atou(tb[3]))); }else if (strcmp(word,"bod")==0 && n == 6){ glocal.config.bods.push_back(BOD(tb[1],trli_atou(tb[2]),trli_atou(tb[3]),tb[4],trli_atou(tb[5]))); }else if (strcmp(word,"writed")==0 && n == 5){ glocal.config.writeds.push_back(WRITED(tb[1],trli_atou(tb[2]),trli_atou(tb[3]),tb[4])); }else if (strcmp(word,"keysd")==0 && n == 2){ glocal.config.keysds.push_back(WEB(tb[1])); }else if (strcmp(word,"sessiond")==0 && n == 3){ glocal.config.sessionds.push_back(SESSIOND(tb[1],trli_atou(tb[2]))); }else if (strcmp(word,"bosqlddata")==0 && n == 2){ glocal.config.bosqlddatas.push_back(SQLD(tb[1])); }else if (strcmp(word,"bosqlduser")==0 && n == 2){ glocal.config.bosqldusers.push_back(SQLD(tb[1])); }else if (strcmp(word,"bosqldbolixo")==0 && n == 2){ glocal.config.bosqldbolixos.push_back(SQLD(tb[1])); }else if (strcmp(word,"proto")==0 && n == 3){ glocal.config.protos.push_back(PROTO(tb[1],trli_atou(tb[2]))); }else if (strcmp(word,"web")==0 && n == 3){ glocal.config.webs.push_back(WEB(tb[1],tb[2])); }else if (strcmp(word,"webadm")==0 && n == 2){ glocal.config.webadms.push_back(WEB(tb[1])); }else if (strcmp(word,"webssl")==0 && n == 2){ glocal.config.webssls.push_back(WEB(tb[1])); }else if (strcmp(word,"log")==0 && n == 2){ glocal.config.logs.push_back(WEB(tb[1])); }else if (strcmp(word,"compute")==0 && n == 2){ 
glocal.config.computes.push_back(WEB(tb[1])); }else if (strcmp(word,"exim")==0 && n == 2){ glocal.config.exims.push_back(WEB(tb[1])); }else if (strcmp(word,"dnsproxy")==0 && n == 2){ glocal.config.dnsproxys.push_back(WEB(tb[1])); }else if (strcmp(word,"monitor")==0 && n == 5){ glocal.config.monitors.push_back(MON(tb[1],tb[2],tb[3],tb[4])); }else if (strcmp(word,"bolixod")==0 && n == 5){ glocal.config.bolixods.push_back(BOLIXOD(tb[1],tb[2],atoi(tb[3].c_str()),atoi(tb[4].c_str()))); }else if (strcmp(word,"publishd")==0 && n == 3){ glocal.config.publishds.push_back(PUBLISHD(tb[1],tb[2])); }else if (strcmp(word,"dirserver")==0 && n == 2){ glocal.config.dirserver = tb[1]; }else if (strcmp(word,"nodename")==0 && n == 2){ glocal.config.nodename = tb[1]; }else if (strcmp(word,"hostname")==0 && n == 2){ glocal.config.hostname = tb[1]; }else if (strcmp(word,"org")==0 && n == 2){ glocal.config.org = tb[1]; }else if (strcmp(word,"iptables")==0 && n == 1){ glocal.config.iptables = true; }else if (strcmp(word,"private")==0 && n == 1){ glocal.config.private_site = true; }else{ tlmp_error ("Invalid line %d in configuration file %s\n",noline+1,info.filename); } }else{ tlmp_error ("Invalid line %d in configuration file %s\n",noline+1,info.filename); } } return 0; tlmp_error ("Empty configuration file %s, ending\n",glocal.config_file); exit (-1); tlmp_error ("Missing configuration file %s, ending\n",fname); exit (-1); if (glocal.config.nodename.size()==0){ tlmp_error (MSG_U(E_NONODEMANE,"File %s does not contain the node name\n"),glocal.config_file); exit (-1); } if (glocal.dumpconfig){ for (auto x:glocal.config.servers) printf ("server %s sshcmd=%s cpcmd=%s\n",x.first.c_str(),x.second.sshcmd.c_str(),x.second.cpcmd.c_str()); for (auto x:glocal.config.blackholes) printf ("blackhole server %s config %s port %u\n",x.server.c_str(),x.config.c_str(),x.port); for (auto x:glocal.config.bods) printf ("bod server %s port %u workers %u\n",x.server.c_str(),x.port,x.workers); for (auto 
x:glocal.config.writeds) printf ("writed server %s port %u workers %u\n",x.server.c_str(),x.port,x.workers); for (auto x:glocal.config.sessionds) printf ("sessiond server %s port %u\n",x.server.c_str(),x.port); for (auto x:glocal.config.bosqlddatas) printf ("bosqldata server %s\n",x.server.c_str()); for (auto x:glocal.config.bosqldusers) printf ("bosqluser server %s\n",x.server.c_str()); for (auto x:glocal.config.protos) printf ("proto server %s\n",x.server.c_str()); for (auto x:glocal.config.webs) printf ("web server %s\n",x.server.c_str()); for (auto x:glocal.config.webadms) printf ("webadm server %s\n",x.server.c_str()); for (auto x:glocal.config.webssls) printf ("webadm server %s\n",x.server.c_str()); for (auto x:glocal.config.logs) printf ("log server %s\n",x.server.c_str()); for (auto x:glocal.config.computes) printf ("compute server %s\n",x.server.c_str()); } if (preprodmode){ // Run preprod as an lxc container manager_setpreprodmode(); #define PIP_PREFIX "192.168.124." ip_bod = PIP_PREFIX "2"; ip_writed = PIP_PREFIX "3"; ip_sessiond = PIP_PREFIX "4"; ip_web = PIP_PREFIX "5"; ip_web_fail = PIP_PREFIX "15"; ip_webadm = PIP_PREFIX "6"; ip_proto = PIP_PREFIX "7"; ip_webssl = PIP_PREFIX "8"; ip_webssl_fail = PIP_PREFIX "18"; ip_bosqlduser = PIP_PREFIX "9"; ip_bosqlddata = PIP_PREFIX "10"; ip_bosqldbolixo = PIP_PREFIX "14"; ip_exim = PIP_PREFIX "11"; ip_keysd = PIP_PREFIX "12"; ip_bolixod = PIP_PREFIX "13"; ip_publishd = PIP_PREFIX "16"; } if (glocal.devmode){ char path[PATH_MAX]; if (getcwd(path,sizeof(path))==NULL){ tlmp_error ("Can't get current working directory, aborting\n"); exit (-1); } static string dev_config_dir = string(path) +"/data"; config_dir = dev_config_dir.c_str(); static string dev_log_dir("/tmp"); log_dir = dev_log_dir.c_str(); static string dev_sock_dir("/tmp"); sock_dir = dev_sock_dir.c_str(); manager_set_sock_dir("/tmp"); static string dev_sock_tests_dir("/tmp/tests"); sock_tests_dir = dev_sock_tests_dir.c_str(); static string 
dev_project_path(path); project_path = dev_project_path.c_str(); devlog = "/tmp/trli.log"; blackhole_options_conf = "/tmp/blackhole-options.conf"; blackhole_rules = "/tmp/blackhole-rules.sh"; horizon_options_conf = "/tmp/horizon-options.conf"; horizon_rules = "/tmp/horizon-rules.sh"; if (trli_lookup("horizon",glocal.devip)){ horizon_ip = "127.0.0.10"; horizon_ip2 = "127.0.0.11"; horizon_masterip = "127.0.0.1"; } if (trli_lookup("bod",glocal.devip)) vs_bod = "bod_p"; if (trli_lookup("writed",glocal.devip)) vs_writed = "writed_p"; if (trli_lookup("sessiond",glocal.devip)) vs_sessiond = "sessiond_p"; if (trli_lookup("web",glocal.devip)) ip_web = "192.168.5.5"; if (trli_lookup("webadm",glocal.devip)) ip_webadm = "192.168.5.6"; if (trli_lookup("webssl",glocal.devip)) ip_webssl = ip_webssl_p; if (trli_lookup("proto",glocal.devip)) ip_proto = "192.168.5.7"; if (trli_lookup("bosqlddata",glocal.devip)) ip_bosqlddata = "127.0.0.1"; if (trli_lookup("bosqlduser",glocal.devip)) ip_bosqlduser = "127.0.0.1"; uid_t uid = getuid(); struct passwd *p = getpwuid(uid); if (p == NULL){ tlmp_error ("Can't identify the current user, aborting\n"); exit (-1); } static string dev_trli_user(p->pw_name); trli_user = dev_trli_user.c_str(); trli_userid = p->pw_uid; blackhole_user = dev_trli_user.c_str(); pid_dir = "/tmp"; }else{ struct passwd *p = getpwnam(trli_user); if (p == NULL){ tlmp_error ("Can't identify the user %s, aborting\n",trli_user); exit (-1); } trli_userid = p->pw_uid; } manager_set_manager_user (trli_user,trli_userid); if (argc == 2 && strcmp(argv[0],"printconfig")==0){ const string server(argv[1]); auto s = glocal.config.servers.find(server); if (s == glocal.config.servers.end()){ tlmp_error ("Server %s not found in configuration\n",server.c_str()); }else{ print_configs (server,s->second.public_ip,glocal.config,glocal.devmode); } } return ret; return glocal.ret; }