scripts/installer.sh

#!/bin/bash

# This script is run before the box code is switched. This means that we can
# put network related/curl downloads here. If the script fails, the old code
# will continue to run

set -eu -o pipefail

if [[ ${EUID} -ne 0 ]]; then
    echo "This script should be run as root." > /dev/stderr
    exit 1
fi

function log() {
  echo -e "$(date +'%Y-%m-%dT%H:%M:%S')" "==> installer: $1"
}

apt_ready="no"
function prepare_apt_once() {
    [[ "${apt_ready}" == "yes" ]] && return

    log "Making sure apt is in a good state"

    log "Waiting for all dpkg tasks to finish..."
    while fuser /var/lib/dpkg/lock; do
        sleep 1
    done

    # it's unclear what needs to be run first or whether both these command should be run. so keep trying both
    for count in {1..3}; do
        # alternative to apt-install -y --fix-missing ?
        if ! dpkg --force-confold --configure -a; then
            log "dpkg reconfigure failed (try $count)"
            dpkg_configure="no"
        else
            dpkg_configure="yes"
        fi

        if ! apt update -y; then
            log "apt update failed (try $count)"
            apt_update="no"
        else
            apt_update="yes"
        fi

        [[ "${dpkg_configure}" == "yes" && "${apt_update}" == "yes" ]] && break

        sleep 1
    done

    apt_ready="yes"

    if [[ "${dpkg_configure}" == "yes" && "${apt_update}" == "yes" ]]; then
        log "apt is ready"
    else
        log "apt is not ready but proceeding anyway"
    fi
}

readonly user=yellowtent
readonly box_src_dir=/home/${user}/box

readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly box_src_tmp_dir="$(realpath ${script_dir}/..)"

readonly ubuntu_version=$(lsb_release -rs)
readonly ubuntu_codename=$(lsb_release -cs)

readonly is_update=$(systemctl is-active -q box && echo "yes" || echo "no")

log "Updating from $(cat $box_src_dir/VERSION) to $(cat $box_src_tmp_dir/VERSION)"

# https://docs.docker.com/engine/installation/linux/ubuntulinux/
readonly docker_version=20.10.12
if ! which docker 2>/dev/null || [[ $(docker version --format {{.Client.Version}}) != "${docker_version}" ]]; then
    log "installing/updating docker"

    # create systemd drop-in file already to make sure images are with correct driver
    mkdir -p /etc/systemd/system/docker.service.d
    echo -e "[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs --storage-driver=overlay2 --experimental --ip6tables" > /etc/systemd/system/docker.service.d/cloudron.conf

    # there are 3 packages for docker - containerd, CLI and the daemon
    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/containerd.io_1.4.9-1_amd64.deb" -o /tmp/containerd.deb
    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce-cli_${docker_version}~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker-ce-cli.deb
    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce_${docker_version}~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker.deb

    log "installing docker"
    prepare_apt_once
    apt install -y /tmp/containerd.deb  /tmp/docker-ce-cli.deb /tmp/docker.deb
    rm /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb
fi

readonly nginx_version=$(nginx -v 2>&1)
if ! which nginx 2>/dev/null || [[ "${nginx_version}" != *"1.20."* ]]; then
    log "installing/updating nginx 1.20"
    $curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.20.0-1~${ubuntu_codename}_amd64.deb -o /tmp/nginx.deb

    prepare_apt_once

    # apt install with install deps (as opposed to dpkg -i)
    apt install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes /tmp/nginx.deb
    rm /tmp/nginx.deb
fi

readonly node_version=16.13.1
if ! which node 2>/dev/null || [[ "$(node --version)" != "v${node_version}" ]]; then
    log "installing/updating node ${node_version}"
    mkdir -p /usr/local/node-${node_version}
    $curl -sL https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-${node_version}
    ln -sf /usr/local/node-${node_version}/bin/node /usr/bin/node
    ln -sf /usr/local/node-${node_version}/bin/npm /usr/bin/npm
    rm -rf /usr/local/node-14.17.6
fi

# note that rebuild requires the above node
for try in `seq 1 10`; do
    # for reasons unknown, the dtrace package will fail. but rebuilding second time will work

    # We need --unsafe-perm as we run as root and the folder is owned by root,
    # however by default npm drops privileges for npm rebuild
    # https://docs.npmjs.com/misc/config#unsafe-perm
    if cd "${box_src_tmp_dir}" && npm rebuild --unsafe-perm; then break; fi
    log "Failed to rebuild, trying again"
    sleep 5
done

if [[ ${try} -eq 10 ]]; then
    log "npm rebuild failed, giving up"
    exit 4
fi

log "downloading new addon images"
images=$(node -e "var i = require('${box_src_tmp_dir}/src/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")

log "\tPulling docker images: ${images}"
for image in ${images}; do
    while ! docker pull "${image}"; do           # this pulls the image using the sha256
        log "Could not pull ${image}"
        sleep 5
    done
    while ! docker pull "${image%@sha256:*}"; do  # this will tag the image for readability
        log "Could not pull ${image%@sha256:*}"
        sleep 5
   done
done

log "update cloudron-syslog"
CLOUDRON_SYSLOG_DIR=/usr/local/cloudron-syslog
CLOUDRON_SYSLOG="${CLOUDRON_SYSLOG_DIR}/bin/cloudron-syslog"
CLOUDRON_SYSLOG_VERSION="1.1.0"
while [[ ! -f "${CLOUDRON_SYSLOG}" || "$(${CLOUDRON_SYSLOG} --version)" != ${CLOUDRON_SYSLOG_VERSION} ]]; do
    rm -rf "${CLOUDRON_SYSLOG_DIR}"
    mkdir -p "${CLOUDRON_SYSLOG_DIR}"
    if npm install --unsafe-perm -g --prefix "${CLOUDRON_SYSLOG_DIR}" cloudron-syslog@${CLOUDRON_SYSLOG_VERSION}; then break; fi
    log "Failed to install cloudron-syslog, trying again"
    sleep 5
done

log "creating cloudron-support user"
if ! id cloudron-support 2>/dev/null; then
    useradd --system --comment "Cloudron Support (support@cloudron.io)" --create-home --no-user-group --shell /bin/bash cloudron-support
fi

log "locking the ${user} account"
usermod --shell /usr/sbin/nologin "${user}"
passwd --lock "${user}"

if [[ "${is_update}" == "yes" ]]; then
    log "stop box service for update"
    ${box_src_dir}/setup/stop.sh
fi

# ensure we are not inside the source directory, which we will remove now
cd /root

log "switching the box code"
rm -rf "${box_src_dir}"
mv "${box_src_tmp_dir}" "${box_src_dir}"
chown -R "${user}:${user}" "${box_src_dir}"

log "calling box setup script"
"${box_src_dir}/setup/start.sh"
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`#!/bin/bash`

Add comment for installer.sh and start.sh 2018-10-26 10:13:27 -07:00			`# This script is run before the box code is switched. This means that we can`
			`# put network related/curl downloads here. If the script fails, the old code`
			`# will continue to run`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`set -eu -o pipefail`

Ensure various scripts are run as root 2016-11-01 15:13:20 +01:00			`if [[ ${EUID} -ne 0 ]]; then`
			`echo "This script should be run as root." > /dev/stderr`
			`exit 1`
			`fi`

timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`function log() {`
			`echo -e "$(date +'%Y-%m-%dT%H:%M:%S')" "==> installer: $1"`
			`}`

installer: prepare apt before installing more packages 2021-06-25 12:00:38 -07:00			`apt_ready="no"`
			`function prepare_apt_once() {`
			`[[ "${apt_ready}" == "yes" ]] && return`

			`log "Making sure apt is in a good state"`

			`log "Waiting for all dpkg tasks to finish..."`
			`while fuser /var/lib/dpkg/lock; do`
			`sleep 1`
			`done`

			`# it's unclear what needs to be run first or whether both these command should be run. so keep trying both`
			`for count in {1..3}; do`
			`# alternative to apt-install -y --fix-missing ?`
			`if ! dpkg --force-confold --configure -a; then`
			`log "dpkg reconfigure failed (try $count)"`
			`dpkg_configure="no"`
			`else`
			`dpkg_configure="yes"`
			`fi`

			`if ! apt update -y; then`
			`log "apt update failed (try $count)"`
			`apt_update="no"`
			`else`
			`apt_update="yes"`
			`fi`

			`[[ "${dpkg_configure}" == "yes" && "${apt_update}" == "yes" ]] && break`

			`sleep 1`
			`done`

			`apt_ready="yes"`

			`if [[ "${dpkg_configure}" == "yes" && "${apt_update}" == "yes" ]]; then`
			`log "apt is ready"`
			`else`
			`log "apt is not ready but proceeding anyway"`
			`fi`
			`}`

installer: print from and to versions 2020-05-17 21:34:39 -07:00			`readonly user=yellowtent`
			`readonly box_src_dir=/home/${user}/box`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
wrap curl command with retry and timeouts 2017-04-18 11:17:27 -07:00			`readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
Use the installer.sh from the source tarball 2016-12-23 18:28:18 -08:00			`readonly box_src_tmp_dir="$(realpath ${script_dir}/..)"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Update docker to 18.09 2019-02-21 13:36:46 -08:00			`readonly ubuntu_version=$(lsb_release -rs)`
			`readonly ubuntu_codename=$(lsb_release -cs)`

installer: is_update is not set correctly 2021-03-04 23:14:00 -08:00			`readonly is_update=$(systemctl is-active -q box && echo "yes" \|\| echo "no")`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "Updating from $(cat $box_src_dir/VERSION) to $(cat $box_src_tmp_dir/VERSION)"`
installer: print from and to versions 2020-05-17 21:34:39 -07:00
installer.sh: move installation of docker/node/nginx etc 2022-03-29 22:11:43 -07:00			`# https://docs.docker.com/engine/installation/linux/ubuntulinux/`
Update docker to 20.10.12 2022-02-08 10:57:10 -08:00			`readonly docker_version=20.10.12`
installer.sh: move installation of docker/node/nginx etc 2022-03-29 22:11:43 -07:00			`if ! which docker 2>/dev/null \|\| [[ $(docker version --format {{.Client.Version}}) != "${docker_version}" ]]; then`
			`log "installing/updating docker"`

			`# create systemd drop-in file already to make sure images are with correct driver`
			`mkdir -p /etc/systemd/system/docker.service.d`
			`echo -e "[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs --storage-driver=overlay2 --experimental --ip6tables" > /etc/systemd/system/docker.service.d/cloudron.conf`

Update docker to 18.09 2019-02-21 13:36:46 -08:00			`# there are 3 packages for docker - containerd, CLI and the daemon`
Update docker to 20.10.12 2022-02-08 10:57:10 -08:00			`$curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/containerd.io_1.4.9-1_amd64.deb" -o /tmp/containerd.deb`
use the curl that retries 2021-03-04 12:09:09 -08:00			`$curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce-cli_${docker_version}~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker-ce-cli.deb`
			`$curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce_${docker_version}~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker.deb`
Update docker to 17.09 2017-11-10 18:23:22 -08:00
do not retry forever if dpkg install fails 2022-01-13 11:04:43 -08:00			`log "installing docker"`
installer: prepare apt before installing more packages 2021-06-25 12:00:38 -07:00			`prepare_apt_once`
do not retry forever if dpkg install fails 2022-01-13 11:04:43 -08:00			`apt install -y /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb`
Update docker to 18.09 2019-02-21 13:36:46 -08:00			`rm /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb`
Update docker to 17.09 2017-11-10 18:23:22 -08:00			`fi`

nginx displays version in stderr 2020-07-22 17:57:55 -07:00			`readonly nginx_version=$(nginx -v 2>&1)`
installer.sh: move installation of docker/node/nginx etc 2022-03-29 22:11:43 -07:00			`if ! which nginx 2>/dev/null \|\| [[ "${nginx_version}" != "1.20." ]]; then`
			`log "installing/updating nginx 1.20"`
Update nginx to 1.20.0-1 2022-03-28 13:24:56 -07:00			`$curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.20.0-1~${ubuntu_codename}_amd64.deb -o /tmp/nginx.deb`
installer: prepare apt before installing more packages 2021-06-25 12:00:38 -07:00
			`prepare_apt_once`

install custom nginx only on xenial 2020-04-02 09:52:56 -07:00			`# apt install with install deps (as opposed to dpkg -i)`
			`apt install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes /tmp/nginx.deb`
			`rm /tmp/nginx.deb`
			`fi`

Update node to 16.13.1 2021-12-14 20:49:10 -08:00			`readonly node_version=16.13.1`
installer.sh: move installation of docker/node/nginx etc 2022-03-29 22:11:43 -07:00			`if ! which node 2>/dev/null \|\| [[ "$(node --version)" != "v${node_version}" ]]; then`
			`log "installing/updating node ${node_version}"`
update node to 14.15.4 2021-02-04 10:41:47 -08:00			`mkdir -p /usr/local/node-${node_version}`
			`$curl -sL https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-x64.tar.gz \| tar zxvf - --strip-components=1 -C /usr/local/node-${node_version}`
			`ln -sf /usr/local/node-${node_version}/bin/node /usr/bin/node`
			`ln -sf /usr/local/node-${node_version}/bin/npm /usr/bin/npm`
Update node to 16.13.1 2021-12-14 20:49:10 -08:00			`rm -rf /usr/local/node-14.17.6`
Update to node 6.11.1 2017-07-13 08:51:34 -05:00			`fi`

initializeBaseUbuntuImage: create yellowtent user 2022-03-29 21:41:46 -07:00			`# note that rebuild requires the above node`
Only retry 10 times in installer.sh 2016-11-01 17:01:16 +01:00			for try in `seq 1 10`; do
just keep rebuilding 2016-01-14 10:48:44 -08:00			`# for reasons unknown, the dtrace package will fail. but rebuilding second time will work`
set --unsafe-perm for npm rebuild 2016-11-01 16:57:43 +01:00
			`# We need --unsafe-perm as we run as root and the folder is owned by root,`
			`# however by default npm drops privileges for npm rebuild`
			`# https://docs.npmjs.com/misc/config#unsafe-perm`
			`if cd "${box_src_tmp_dir}" && npm rebuild --unsafe-perm; then break; fi`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "Failed to rebuild, trying again"`
just keep rebuilding 2016-01-14 10:48:44 -08:00			`sleep 5`
			`done`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Only retry 10 times in installer.sh 2016-11-01 17:01:16 +01:00			`if [[ ${try} -eq 10 ]]; then`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "npm rebuild failed, giving up"`
Only retry 10 times in installer.sh 2016-11-01 17:01:16 +01:00			`exit 4`
			`fi`

timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "downloading new addon images"`
typo 2018-10-27 11:28:30 -07:00			`images=$(node -e "var i = require('${box_src_tmp_dir}/src/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")`
Pull images in installer.sh 2018-10-26 15:32:34 -07:00
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "\tPulling docker images: ${images}"`
Pull images in installer.sh 2018-10-26 15:32:34 -07:00			`for image in ${images}; do`
while...do 2021-03-04 12:07:35 -08:00			`while ! docker pull "${image}"; do # this pulls the image using the sha256`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "Could not pull ${image}"`
try pulling images in a loop 2021-03-03 21:54:08 -08:00			`sleep 5`
			`done`
while...do 2021-03-04 12:07:35 -08:00			`while ! docker pull "${image%@sha256:*}"; do # this will tag the image for readability`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "Could not pull ${image%@sha256:*}"`
try pulling images in a loop 2021-03-03 21:54:08 -08:00			`sleep 5`
			`done`
Pull images in installer.sh 2018-10-26 15:32:34 -07:00			`done`

timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "update cloudron-syslog"`
Install cloudron-syslog service file from box repo 2018-06-11 22:13:27 -07:00			`CLOUDRON_SYSLOG_DIR=/usr/local/cloudron-syslog`
Check if syslog binary exists first 2018-08-01 12:18:56 -07:00			`CLOUDRON_SYSLOG="${CLOUDRON_SYSLOG_DIR}/bin/cloudron-syslog"`
Update cloudron-syslog 2022-01-13 16:29:38 -08:00			`CLOUDRON_SYSLOG_VERSION="1.1.0"`
Check if syslog binary exists first 2018-08-01 12:18:56 -07:00			`while [[ ! -f "${CLOUDRON_SYSLOG}" \|\| "$(${CLOUDRON_SYSLOG} --version)" != ${CLOUDRON_SYSLOG_VERSION} ]]; do`
Install cloudron-syslog service file from box repo 2018-06-11 22:13:27 -07:00			`rm -rf "${CLOUDRON_SYSLOG_DIR}"`
			`mkdir -p "${CLOUDRON_SYSLOG_DIR}"`
Update cloudron-syslog 2018-06-25 19:35:11 +02:00			`if npm install --unsafe-perm -g --prefix "${CLOUDRON_SYSLOG_DIR}" cloudron-syslog@${CLOUDRON_SYSLOG_VERSION}; then break; fi`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "Failed to install cloudron-syslog, trying again"`
Install cloudron-syslog service file from box repo 2018-06-11 22:13:27 -07:00			`sleep 5`
Fix syntax 2018-06-18 17:58:35 -07:00			`done`
Install cloudron-syslog 2018-06-06 11:37:00 +02:00
create a separate support user 2022-03-30 14:27:39 -07:00			`log "creating cloudron-support user"`
			`if ! id cloudron-support 2>/dev/null; then`
			`useradd --system --comment "Cloudron Support (support@cloudron.io)" --create-home --no-user-group --shell /bin/bash cloudron-support`
			`fi`

			`log "locking the ${user} account"`
			`usermod --shell /usr/sbin/nologin "${user}"`
			`passwd --lock "${user}"`

Generating the dhparams.pem does not only apply to updates 2017-02-13 10:53:08 +01:00			`if [[ "${is_update}" == "yes" ]]; then`
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "stop box service for update"`
installer: print from and to versions 2020-05-17 21:34:39 -07:00			`${box_src_dir}/setup/stop.sh`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`fi`

Ensure we run inside a sane folder when switching the codes 2016-12-12 12:43:37 +01:00			`# ensure we are not inside the source directory, which we will remove now`
			`cd /root`

timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "switching the box code"`
installer: print from and to versions 2020-05-17 21:34:39 -07:00			`rm -rf "${box_src_dir}"`
			`mv "${box_src_tmp_dir}" "${box_src_dir}"`
			`chown -R "${user}:${user}" "${box_src_dir}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
timestamp the setup and installer logs 2021-03-02 23:05:41 -08:00			`log "calling box setup script"`
installer: print from and to versions 2020-05-17 21:34:39 -07:00			`"${box_src_dir}/setup/start.sh"`