Add improved handling for TLS certificates for static builds. #17605

wants to merge 9 commits into
base: master
8 changes: 7 additions & 1 deletion packaging/installer/kickstart.sh
Expand Up @@ -1811,9 +1811,15 @@ try_static_install() {
opts="${opts} --accept"
fi

env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=check"

if [ -n "${NETDATA_OFFLINE_INSTALL_SOURCE}" ]; then
env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=auto"
fi

progress "Installing netdata"
# shellcheck disable=SC2086
if ! run_as_root sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
if ! run_as_root ${env_cmd} /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
warning "Failed to install static build of Netdata on ${SYSARCH}."
run rm -rf /opt/netdata
return 2
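Review bot: `env_cmd` is assembled as a string and then expanded unquoted on the new `run_as_root ${env_cmd} /bin/sh …` line, so whatever `NETDATA_CLAIM_URL` holds is word-split and glob-expanded before it reaches `env` (the existing `# shellcheck disable=SC2086` now hides this as well). The value is forwarded as the certificate test URL and looks like it may originate from a user-supplied claim URL, so a space or glob character in it would split the assignment or hand `env` a broken `NETDATA_CERT_TEST_URL`. Keeping only the mode in a variable and passing the assignments as quoted words avoids this: `cert_mode=check` (with `cert_mode=auto` in the offline branch) and `if ! run_as_root env "NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL}" "NETDATA_CERT_MODE=${cert_mode}" /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then` — assuming `run_as_root` passes its arguments through intact, which is not visible here. `try_static_install` starts before and ends after this hunk.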
92 changes: 81 additions & 11 deletions packaging/makeself/install-or-update.sh
Expand Up @@ -27,6 +27,8 @@ fi

STARTIT=1
REINSTALL_OPTIONS=""
NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}"
NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
RELEASE_CHANNEL="nightly"

while [ "${1}" ]; do
Expand All @@ -48,6 +50,19 @@ while [ "${1}" ]; do
NETDATA_DISABLE_TELEMETRY=1
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--certificates")
case "${2}" in
auto|system) NETDATA_CERT_MODE="auto" ;;
check) NETDATA_CERT_MODE="check" ;;
bundled) NETDATA_CERT_MODE="bundled" ;;
*) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
esac
shift 1
;;
"--certificate-test-url")
NETDATA_CERT_TEST_URL="${2}"
shift 1
;;

*) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
esac
Expand All @@ -62,6 +77,14 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
fi

if [ -n "${NETDATA_CERT_MODE}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
fi

if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
fi

# -----------------------------------------------------------------------------
progress "Attempt to create user/group netdata/netadata"

Expand Down Expand Up @@ -208,26 +231,73 @@ done

# -----------------------------------------------------------------------------

echo "Configure TLS certificate paths"
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
echo "Preserving existing user configuration for TLS"
else
replace_symlink() {
target="${1}"
name="${2}"
rm -f "${name}"
ln -s "${target}" "${name}"
}

select_system_certs() {
if [ -d /etc/pki/tls ] ; then
echo "Using /etc/pki/tls for TLS configuration and certificates"
ln -sf /etc/pki/tls /opt/netdata/etc/ssl
echo "${1} /etc/pki/tls for TLS configuration and certificates"
replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
elif [ -d /etc/ssl ] ; then
echo "Using /etc/ssl for TLS configuration and certificates"
ln -sf /etc/ssl /opt/netdata/etc/ssl
else
echo "Using bundled TLS configuration and certificates"
ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl
echo "${1} /etc/ssl for TLS configuration and certificates"
replace_symlink /etc/ssl /opt/netdata/etc/ssl
fi
}

select_internal_certs() {
echo "Using bundled TLS configuration and certificates"
replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
}

certs_selected() {
[ -L /opt/netdata/etc/ssl ] || return 1
}

test_certs() {
/opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"

case "$?" in
35|77) echo "Failed to load certificate files for test." ; return 1 ;;
60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
*) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
esac
}

# If the user has manually set up certificates, don’t mess with it.
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
echo "Preserving existing user configuration for TLS"
else
echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
case "${NETDATA_CERT_MODE}" in
check)
select_system_certs "Testing"
if certs_selected && test_certs; then
select_system_certs "Using"
else
select_internal_certs
fi
;;
bundled) select_internal_certs ;;
*)
select_system_certs "Using"
if ! certs_selected; then
select_internal_certs
fi
;;
esac
fi

# -----------------------------------------------------------------------------

echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"

# -----------------------------------------------------------------------------
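Review bot: `test_certs` treats curl exit 0 as proof that the selected certificates work, but nothing checks that `NETDATA_CERT_TEST_URL` actually uses TLS: an `http://` value (settable through the new `--certificate-test-url` option or the environment) returns 0 without touching the CA bundle, prints "Successfully connected … using certificates", and `check` mode then keeps the system certificates untested. The same value is also appended unquoted to `REINSTALL_OPTIONS` and written through the unchanged `sed` at the "Save install options" step, which escapes only `/`, so an `&`, quote, backslash or whitespace in the URL would corrupt the stored options (`.environment` looks like it is consumed as shell later — worth confirming). Validating the URL once, after option parsing and before the `REINSTALL_OPTIONS` appends, covers both uses; `run_failed` is already relied on inside the option loop, so it should be available at that point. Separately, `certs_selected` is satisfied by a dangling symlink left over from a previous install, so in `auto` mode a stale link can survive even when no system directory exists — `[ -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ]` would be stricter.
```shell
# … unchanged: option parsing and telemetry handling …

# Reject test URLs that would not exercise TLS, or that cannot be stored
# safely in REINSTALL_OPTIONS / .environment (only '/' is escaped there).
case "${NETDATA_CERT_TEST_URL}" in
  *[[:space:]]*|*\&*|*\"*|*\'*|*\\*)
    run_failed "Certificate test URL '${NETDATA_CERT_TEST_URL}' contains characters that cannot be stored in the install options."
    exit 1
    ;;
  https://*) ;;
  *)
    run_failed "Certificate test URL '${NETDATA_CERT_TEST_URL}' must use https:// so the certificate test exercises TLS."
    exit 1
    ;;
esac

# … unchanged: REINSTALL_OPTIONS appends for --certificates and --certificate-test-url …
```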