setup/container.sh

#!/bin/bash

set -eu -o pipefail

# This file can be used in Dockerfile

readonly USER=yellowtent

readonly USER_DATA_FILE="/root/user_data.img"
readonly USER_DATA_DIR="/home/yellowtent/data"

readonly container_files="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/container"

readonly CONFIG_DIR="/home/yellowtent/configs"
readonly DATA_DIR="/home/yellowtent/data"
readonly provider="${1:-generic}"

sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
timedatectl set-ntp 1
timedatectl set-timezone UTC

echo "==> Setting up firewall"
iptables -t filter -N CLOUDRON || true
iptables -t filter -F CLOUDRON # empty any existing rules

# NOTE: keep these in sync with src/apps.js validatePortBindings
# allow ssh, http, https, ping, dns
iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
# caas has ssh on port 202
if [[ "${provider}" == "caas" ]]; then
    iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 25,80,202,443,587,993,4190 -j ACCEPT
else
    iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 25,80,22,443,587,993,4190 -j ACCEPT
fi
iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-request -j ACCEPT
iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-reply -j ACCEPT
iptables -t filter -A CLOUDRON -p udp --sport 53 -j ACCEPT
iptables -t filter -A CLOUDRON -s 172.18.0.0/16 -j ACCEPT # required to accept any connections from apps to our IP:<public port>
iptables -t filter -A CLOUDRON -i lo -j ACCEPT # required for localhost connections (mysql)

# log dropped incoming. keep this at the end of all the rules
iptables -t filter -A CLOUDRON -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -t filter -A CLOUDRON -j DROP

if ! iptables -t filter -C INPUT -j CLOUDRON 2>/dev/null; then
    iptables -t filter -I INPUT -j CLOUDRON
fi

# so it gets restored across reboot
mkdir -p /etc/iptables && iptables-save > /etc/iptables/rules.v4

echo "==> Configuring docker"
cp "${container_files}/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app
systemctl restart apparmor

usermod yellowtent -a -G docker
sed -e 's,^ExecStart=.*$,ExecStart=/usr/bin/docker daemon -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs,' -i /lib/systemd/system/docker.service
systemctl enable docker
systemctl restart docker

# caas has ssh on port 202 and we disable password login
if [[ "${provider}" == "caas" ]]; then
    # https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped
    sed -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
        -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \
        -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \
        -e 's/^#\?Port .*/Port 202/g' \
        -i /etc/ssh/sshd_config

    # required so we can connect to this machine since port 22 is blocked by iptables by now
    systemctl reload sshd
fi

echo "==> Setup btrfs data"
if ! grep -q loop.ko /lib/modules/`uname -r`/modules.builtin; then
    # on scaleway loop is not built-in
    echo "loop" >> /etc/modules
    modprobe loop
fi

if [[ ! -d "${USER_DATA_DIR}" ]]; then
    truncate -s "8192m" "${USER_DATA_FILE}" # 8gb start (this will get resized dynamically by cloudron-system-setup.service)
    mkfs.btrfs -L UserDataHome "${USER_DATA_FILE}"
    mkdir -p "${USER_DATA_DIR}"
    mount -t btrfs -o loop,nosuid "${USER_DATA_FILE}" ${USER_DATA_DIR}
fi

echo "==> Configuring journald"
sed -e "s/^#SystemMaxUse=.*$/SystemMaxUse=100M/" \
    -e "s/^#ForwardToSyslog=.*$/ForwardToSyslog=no/" \
    -i /etc/systemd/journald.conf

# When rotating logs, systemd kills journald too soon sometimes
# See https://github.com/systemd/systemd/issues/1353 (this is upstream default)
sed -e "s/^WatchdogSec=.*$/WatchdogSec=3min/" \
    -i /lib/systemd/system/systemd-journald.service

# Give user access to system logs
usermod -a -G systemd-journal yellowtent
mkdir -p /var/log/journal  # in some images, this directory is not created making system log to /run/systemd instead
chown root:systemd-journal /var/log/journal
systemctl restart systemd-journald
setfacl -n -m u:yellowtent:r /var/log/journal/*/system.journal

echo "==> Creating config directory"
rm -rf "${CONFIG_DIR}" && mkdir "${CONFIG_DIR}"
chown yellowtent:yellowtent "${CONFIG_DIR}"

echo "==> Adding systemd services"
cp -r "${container_files}/systemd/." /etc/systemd/system/
systemctl daemon-reload
systemctl enable cloudron.target
systemctl enable iptables-restore
systemctl enable cloudron-system-setup

rm -rf /etc/collectd
ln -sfF "${DATA_DIR}/collectd" /etc/collectd
systemctl restart collectd

echo "==> Configuring system"
rm -f /etc/sudoers.d/yellowtent
cp "${container_files}/sudoers" /etc/sudoers.d/yellowtent

# For logrotate
systemctl enable cron

# DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
# We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
systemctl enable unbound

# link nginx config to system config
unlink /etc/nginx 2>/dev/null || rm -rf /etc/nginx
ln -s "${DATA_DIR}/nginx" /etc/nginx

cp "${container_files}/mysql.cnf" /etc/mysql/mysql.cnf
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`#!/bin/bash`

			`set -eu -o pipefail`

			`# This file can be used in Dockerfile`

Give user access to system logs in container.sh Part of #152 2016-12-20 20:49:57 -08:00			`readonly USER=yellowtent`

Mount the btrfs user home data in container.sh This allows it to be configurable easily at some point Part of #152 2016-12-21 09:50:32 -08:00			`readonly USER_DATA_FILE="/root/user_data.img"`
			`readonly USER_DATA_DIR="/home/yellowtent/data"`

app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`readonly container_files="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/container"`

			`readonly CONFIG_DIR="/home/yellowtent/configs"`
			`readonly DATA_DIR="/home/yellowtent/data"`
move ssh configuration to container.sh Note: appstore requires to be fixed to start the provisioning on port 22 Part of #152 2016-12-21 09:41:42 -08:00			`readonly provider="${1:-generic}"`

Prettify container.sh 2016-12-27 22:06:11 -08:00			`sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf`
			`timedatectl set-ntp 1`
			`timedatectl set-timezone UTC`
Use the installer.sh from the source tarball This redesigns how update works. installer.sh now rebuild the package, stops the old code and starts the new code. Importantly, it does not download the new package, this is left to the caller. cloudron-setup downloads the code and calls installer.sh of the downloaded code. Same goes for updater.sh. This means that installer.sh itself is now easily updatable. Part of #152 2016-12-23 18:28:18 -08:00
Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Setting up firewall"`
Move firewall setup to container.sh Part of #152 2016-12-21 11:31:58 -08:00			`iptables -t filter -N CLOUDRON \|\| true`
			`iptables -t filter -F CLOUDRON # empty any existing rules`

			`# NOTE: keep these in sync with src/apps.js validatePortBindings`
			`# allow ssh, http, https, ping, dns`
			`iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`# caas has ssh on port 202`
			`if [[ "${provider}" == "caas" ]]; then`
			`iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 25,80,202,443,587,993,4190 -j ACCEPT`
			`else`
			`iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 25,80,22,443,587,993,4190 -j ACCEPT`
			`fi`
			`iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-request -j ACCEPT`
			`iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-reply -j ACCEPT`
			`iptables -t filter -A CLOUDRON -p udp --sport 53 -j ACCEPT`
			`iptables -t filter -A CLOUDRON -s 172.18.0.0/16 -j ACCEPT # required to accept any connections from apps to our IP:<public port>`
			`iptables -t filter -A CLOUDRON -i lo -j ACCEPT # required for localhost connections (mysql)`

			`# log dropped incoming. keep this at the end of all the rules`
			`iptables -t filter -A CLOUDRON -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7`
			`iptables -t filter -A CLOUDRON -j DROP`

			`if ! iptables -t filter -C INPUT -j CLOUDRON 2>/dev/null; then`
Add CLOUDRON chain first This allows us to not issue an 'upgrade' yet. Part of #152 2016-12-23 09:53:41 -08:00			`iptables -t filter -I INPUT -j CLOUDRON`
Move firewall setup to container.sh Part of #152 2016-12-21 11:31:58 -08:00			`fi`

			`# so it gets restored across reboot`
			`mkdir -p /etc/iptables && iptables-save > /etc/iptables/rules.v4`

Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Configuring docker"`
			`cp "${container_files}/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app`
			`systemctl restart apparmor`

			`usermod yellowtent -a -G docker`
Use docker 1.12.5 Docker uses an embedded DNS server (127.0.0.11) for user defined networks (UDN). With the latest releases of docker, specifying 127.0.0.1 as --dns makes the containers resolve 127.0.0.1 _inside_ the container's networking namespace (not sure how it worked before this). The next idea was to only specify --dns-search=. but this does not work. This makes docker setup the containers to use 127.0.0.1 (or 127.0.0.11 for UDN). In my mind, the UDN case should work but doesn't (not sure why). So, the solution is to simply go with no --dns or --dns-search. Sadly, setting dns-search just at container level does not work either :/ Strangely, docker run --network=cloudron --dns-search=. appimage # does not work docker run --network=cloudron appimage # works if you manually remove search from /etc/resolv.conf So clearly, something inside docker triggers when one of the dns* options is set. This means that #130 has to be fixed at app level (For Go, this means to use the cgo resolver). 2016-12-23 10:07:06 -08:00			`sed -e 's,^ExecStart=.*$,ExecStart=/usr/bin/docker daemon -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs,' -i /lib/systemd/system/docker.service`
Prettify container.sh 2016-12-27 22:06:11 -08:00			`systemctl enable docker`
			`systemctl restart docker`
Move firewall setup to container.sh Part of #152 2016-12-21 11:31:58 -08:00
move ssh configuration to container.sh Note: appstore requires to be fixed to start the provisioning on port 22 Part of #152 2016-12-21 09:41:42 -08:00			`# caas has ssh on port 202 and we disable password login`
			`if [[ "${provider}" == "caas" ]]; then`
			`# https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped`
			`sed -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \`
			`-e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \`
			`-e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \`
			`-e 's/^#\?Port .*/Port 202/g' \`
			`-i /etc/ssh/sshd_config`

			`# required so we can connect to this machine since port 22 is blocked by iptables by now`
			`systemctl reload sshd`
			`fi`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Setup btrfs data"`
Mount the btrfs user home data in container.sh This allows it to be configurable easily at some point Part of #152 2016-12-21 09:50:32 -08:00			if ! grep -q loop.ko /lib/modules/`uname -r`/modules.builtin; then
			`# on scaleway loop is not built-in`
			`echo "loop" >> /etc/modules`
			`modprobe loop`
			`fi`

			`if [[ ! -d "${USER_DATA_DIR}" ]]; then`
			`truncate -s "8192m" "${USER_DATA_FILE}" # 8gb start (this will get resized dynamically by cloudron-system-setup.service)`
			`mkfs.btrfs -L UserDataHome "${USER_DATA_FILE}"`
			`mkdir -p "${USER_DATA_DIR}"`
			`mount -t btrfs -o loop,nosuid "${USER_DATA_FILE}" ${USER_DATA_DIR}`
			`fi`

Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Configuring journald"`
move journald configuration to container.sh Part of #152 2016-12-20 20:53:42 -08:00			`sed -e "s/^#SystemMaxUse=.*$/SystemMaxUse=100M/" \`
			`-e "s/^#ForwardToSyslog=.*$/ForwardToSyslog=no/" \`
			`-i /etc/systemd/journald.conf`

			`# When rotating logs, systemd kills journald too soon sometimes`
			`# See https://github.com/systemd/systemd/issues/1353 (this is upstream default)`
			`sed -e "s/^WatchdogSec=.*$/WatchdogSec=3min/" \`
			`-i /lib/systemd/system/systemd-journald.service`

Give user access to system logs in container.sh Part of #152 2016-12-20 20:49:57 -08:00			`# Give user access to system logs`
Prettify container.sh 2016-12-27 22:06:11 -08:00			`usermod -a -G systemd-journal yellowtent`
Give user access to system logs in container.sh Part of #152 2016-12-20 20:49:57 -08:00			`mkdir -p /var/log/journal # in some images, this directory is not created making system log to /run/systemd instead`
			`chown root:systemd-journal /var/log/journal`
			`systemctl restart systemd-journald`
Prettify container.sh 2016-12-27 22:06:11 -08:00			`setfacl -n -m u:yellowtent:r /var/log/journal/*/system.journal`
Give user access to system logs in container.sh Part of #152 2016-12-20 20:49:57 -08:00
Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Creating config directory"`
			`rm -rf "${CONFIG_DIR}" && mkdir "${CONFIG_DIR}"`
			`chown yellowtent:yellowtent "${CONFIG_DIR}"`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Adding systemd services"`
Move from supervisor to systemd This removes logrotate as well since we use systemd logging 2015-09-07 11:18:44 -07:00			`cp -r "${container_files}/systemd/." /etc/systemd/system/`
			`systemctl daemon-reload`
			`systemctl enable cloudron.target`
Move systemd service creation scripts to container.sh Part of #152 2016-12-20 20:55:54 -08:00			`systemctl enable iptables-restore`
			`systemctl enable cloudron-system-setup`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
			`rm -rf /etc/collectd`
			`ln -sfF "${DATA_DIR}/collectd" /etc/collectd`
prettify init base image script 2016-12-27 14:12:31 -08:00			`systemctl restart collectd`

Prettify container.sh 2016-12-27 22:06:11 -08:00			`echo "==> Configuring system"`
			`rm -f /etc/sudoers.d/yellowtent`
			`cp "${container_files}/sudoers" /etc/sudoers.d/yellowtent`

prettify init base image script 2016-12-27 14:12:31 -08:00			`# For logrotate`
			`systemctl enable cron`

			`# DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)`
			`# We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)`
			`systemctl enable unbound`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Prettify container.sh 2016-12-27 22:06:11 -08:00			`# link nginx config to system config`
			`unlink /etc/nginx 2>/dev/null \|\| rm -rf /etc/nginx`
			`ln -s "${DATA_DIR}/nginx" /etc/nginx`

			`cp "${container_files}/mysql.cnf" /etc/mysql/mysql.cnf`