public_git
/
bitnami-containers
mirror of https://github.com/bitnami/containers.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

6.15.2-6-debian-10-r1 release

This commit is contained in:
Bitnami Bot 2020-06-30 04:36:44 +00:00
parent 921e9e2137
commit ff896593ad
24 changed files with 2962 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
bitnami/ejbca/6/debian-10/Dockerfile Normal file
View File

@ -0,0 +1,52 @@
FROM docker.io/bitnami/minideb:buster
LABEL maintainer "Bitnami <containers@bitnami.com>"
ENV HOME="/" \
OS_ARCH="amd64" \
OS_FLAVOUR="debian-10" \
OS_NAME="linux"
COPY prebuildfs /
# Install required system packages and dependencies
RUN install_packages acl ca-certificates curl gzip libaio1 libaudit1 libc6 libcap-ng0 libgcc1 libicu63 libjemalloc2 liblzma5 libncurses6 libpam0g libssl1.1 libstdc++6 libtinfo6 libxml2 procps tar zlib1g
RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "java" "1.8.252-4" --checksum 8e9a23094ea1ce6360b905552e55dacb1e27de4b99df7bc01ea83ea4c3fafa49
RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "wildfly" "14.0.1-3" --checksum 729600e457302e10cf1207744f27172e90273096231c7d62a933c3c07f09010b
RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "mysql-client" "10.3.23-1" --checksum efab843077267af6a8cde53440a1fef0acf8cb67ab1dcd0b6da2e9cbe050c7e1
RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "gosu" "1.12.0-1" --checksum 51cfb1b7fd7b05b8abd1df0278c698103a9b1a4964bdacd87ca1d5c01631d59c
RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "ejbca" "6.15.2-6-2" --checksum fe1d5bc79637a061cf84924a24ed148067ad7b9d14b2f5e14b3c24257c4872c0
RUN apt-get update && apt-get upgrade -y && \
rm -r /var/lib/apt/lists /var/cache/apt/archives
COPY rootfs /
RUN /opt/bitnami/scripts/ejbca/postunpack.sh
ENV ALLOW_EMPTY_PASSWORD="no" \
BITNAMI_APP_NAME="ejbca" \
BITNAMI_IMAGE_VERSION="6.15.2-6-debian-10-r1" \
MARIADB_HOST="mariadb" \
MARIADB_PORT_NUMBER="3306" \
MARIADB_ROOT_PASSWORD="" \
MARIADB_ROOT_USER="root" \
MYSQL_CLIENT_CREATE_DATABASE_NAME="" \
MYSQL_CLIENT_CREATE_DATABASE_PASSWORD="" \
MYSQL_CLIENT_CREATE_DATABASE_PRIVILEGES="ALL" \
MYSQL_CLIENT_CREATE_DATABASE_USER="" \
MYSQL_CLIENT_ENABLE_SSL="no" \
MYSQL_CLIENT_SSL_CA_FILE="" \
PATH="/opt/bitnami/java/bin:/opt/bitnami/wildfly/bin:/opt/bitnami/mysql/bin:/opt/bitnami/common/bin:/opt/bitnami/ejbca/bin:$PATH" \
WILDFLY_JAVA_HOME="" \
WILDFLY_JAVA_OPTS="" \
WILDFLY_MANAGEMENT_HTTP_PORT_NUMBER="9990" \
WILDFLY_PASSWORD="bitnami" \
WILDFLY_PUBLIC_CONSOLE="true" \
WILDFLY_SERVER_AJP_PORT_NUMBER="8009" \
WILDFLY_SERVER_HTTP_PORT_NUMBER="8080" \
WILDFLY_SERVER_INTERFACE="0.0.0.0" \
WILDFLY_USERNAME="user" \
WILDFLY_WILDFLY_HOME="/home/wildfly" \
WILDFLY_WILDFLY_OPTS="-Dwildfly.as.deployment.ondemand=false"
EXPOSE 8080 9990
USER 1001
ENTRYPOINT [ "/opt/bitnami/scripts/ejbca/entrypoint.sh" ]
CMD [ "/opt/bitnami/scripts/ejbca/run.sh" ]

28
bitnami/ejbca/6/debian-10/docker-compose.yml Normal file
View File

@ -0,0 +1,28 @@
version: '2'
services:
mariadb:
image: 'docker.io/bitnami/mariadb:10.3-debian-10'
volumes:
- 'mariadb_data:/bitnami/mariadb'
environment:
- ALLOW_EMPTY_PASSWORD=yes
- MARIADB_USER=bn_ejbca
- MARIADB_DATABASE=bitnami_ejbca
- MARIADB_PASSWORD=Bitnami1234
ejbca:
image: 'docker.io/bitnami/ejbca:6-debian-10'
ports:
- 8080:8080
- 8443:8443
volumes:
- 'ejbca_data:/bitnami/ejbca'
environment:
- EJBCA_DATABASE_HOST=mariadb
- EJBCA_DATABASE_NAME=bitnami_ejbca
- EJBCA_DATABASE_USERNAME=bn_ejbca
- EJBCA_DATABASE_PASSWORD=Bitnami1234
volumes:
mariadb_data:
driver: local
ejbca_data:
driver: local

3
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/licenses/licenses.txt Normal file
View File

@ -0,0 +1,3 @@
Bitnami containers ship with software bundles. You can find the licenses under:
/opt/bitnami/nami/COPYING
/opt/bitnami/[name-of-bundle]/licenses/[bundle-version].txt

51
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libbitnami.sh Normal file
View File

@ -0,0 +1,51 @@
#!/bin/bash
#
# Bitnami custom library
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Constants
BOLD='\033[1m'
# Functions
########################
# Print the welcome page
# Globals:
# DISABLE_WELCOME_MESSAGE
# BITNAMI_APP_NAME
# Arguments:
# None
# Returns:
# None
#########################
print_welcome_page() {
if [[ -z "${DISABLE_WELCOME_MESSAGE:-}" ]]; then
if [[ -n "$BITNAMI_APP_NAME" ]]; then
print_image_welcome_page
fi
fi
}
########################
# Print the welcome page for a Bitnami Docker image
# Globals:
# BITNAMI_APP_NAME
# Arguments:
# None
# Returns:
# None
#########################
print_image_welcome_page() {
local github_url="https://github.com/bitnami/bitnami-docker-${BITNAMI_APP_NAME}"
log ""
log "${BOLD}Welcome to the Bitnami ${BITNAMI_APP_NAME} container${RESET}"
log "Subscribe to project updates by watching ${BOLD}${github_url}${RESET}"
log "Submit issues and feature requests at ${BOLD}${github_url}/issues${RESET}"
log ""
}

69
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libcomponent.sh Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# Library for managing Bitnami components
# Constants
CACHE_ROOT="/tmp/bitnami/pkg/cache"
DOWNLOAD_URL="https://downloads.bitnami.com/files/stacksmith"
# Functions
########################
# Download and unpack a Bitnami package
# Globals:
# OS_NAME
# OS_ARCH
# OS_FLAVOUR
# Arguments:
# $1 - component's name
# $2 - component's version
# Returns:
# None
#########################
component_unpack() {
local name="${1:?name is required}"
local version="${2:?version is required}"
local base_name="${name}-${version}-${OS_NAME}-${OS_ARCH}-${OS_FLAVOUR}"
local package_sha256=""
local directory="/opt/bitnami"
# Validate arguments
shift 2
while [ "$#" -gt 0 ]; do
case "$1" in
-c|--checksum)
shift
package_sha256="${1:?missing package checksum}"
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
echo "Downloading $base_name package"
if [ -f "${CACHE_ROOT}/${base_name}.tar.gz" ]; then
echo "${CACHE_ROOT}/${base_name}.tar.gz already exists, skipping download."
cp "${CACHE_ROOT}/${base_name}.tar.gz" .
rm "${CACHE_ROOT}/${base_name}.tar.gz"
if [ -f "${CACHE_ROOT}/${base_name}.tar.gz.sha256" ]; then
echo "Using the local sha256 from ${CACHE_ROOT}/${base_name}.tar.gz.sha256"
package_sha256="$(< "${CACHE_ROOT}/${base_name}.tar.gz.sha256")"
rm "${CACHE_ROOT}/${base_name}.tar.gz.sha256"
fi
else
curl --remote-name --silent "${DOWNLOAD_URL}/${base_name}.tar.gz"
fi
if [ -n "$package_sha256" ]; then
echo "Verifying package integrity"
echo "$package_sha256 ${base_name}.tar.gz" | sha256sum --check -
fi
tar --directory "${directory}" --extract --gunzip --file "${base_name}.tar.gz" --no-same-owner --strip-components=2 "${base_name}/files/"
rm "${base_name}.tar.gz"
# Include metadata about the package
touch "${directory}/.bitnami_packages"
echo "$base_name" >> "${directory}/.bitnami_packages"
}

80
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libfile.sh Normal file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# Library for managing files
# Functions
########################
# Replace a regex in a file
# Arguments:
# $1 - filename
# $2 - match regex
# $3 - substitute regex
# $4 - use POSIX regex. Default: true
# Returns:
# None
#########################
replace_in_file() {
local filename="${1:?filename is required}"
local match_regex="${2:?match regex is required}"
local substitute_regex="${3:?substitute regex is required}"
local posix_regex=${4:-true}
local result
# We should avoid using 'sed in-place' substitutions
# 1) They are not compatible with files mounted from ConfigMap(s)
# 2) We found incompatibility issues with Debian10 and "in-place" substitutions
del=$'\001' # Use a non-printable character as a 'sed' delimiter to avoid issues
if [[ $posix_regex = true ]]; then
result="$(sed -E "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
else
result="$(sed "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
fi
echo "$result" > "$filename"
}
########################
# Remove a line in a file based on a regex
# Arguments:
# $1 - filename
# $2 - match regex
# $3 - use POSIX regex. Default: true
# Returns:
# None
#########################
remove_in_file() {
local filename="${1:?filename is required}"
local match_regex="${2:?match regex is required}"
local posix_regex=${3:-true}
local result
# We should avoid using 'sed in-place' substitutions
# 1) They are not compatible with files mounted from ConfigMap(s)
# 2) We found incompatibility issues with Debian10 and "in-place" substitutions
if [[ $posix_regex = true ]]; then
result="$(sed -E "/$match_regex/d" "$filename")"
else
result="$(sed "/$match_regex/d" "$filename")"
fi
echo "$result" > "$filename"
}
########################
# Appends text after the last line matching a pattern
# Arguments:
# $1 - file
# $2 - match regex
# $3 - contents to add
# Returns:
# None
#########################
append_file_after_last_match() {
local file="${1:?missing file}"
local match_regex="${2:?missing pattern}"
local value="${3:?missing value}"
# We read the file in reverse, replace the first match (0,/pattern/s) and then reverse the results again
result="$(tac "$file" | sed -E "0,/($match_regex)/s||${value}\n\1|" | tac)"
echo "$result" > "$file"
}

183
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libfs.sh Normal file
View File

@ -0,0 +1,183 @@
#!/bin/bash
#
# Library for file system actions
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Functions
########################
# Ensure a file/directory is owned (user and group) but the given user
# Arguments:
# $1 - filepath
# $2 - owner
# Returns:
# None
#########################
owned_by() {
local path="${1:?path is missing}"
local owner="${2:?owner is missing}"
chown "$owner":"$owner" "$path"
}
########################
# Ensure a directory exists and, optionally, is owned by the given user
# Arguments:
# $1 - directory
# $2 - owner
# Returns:
# None
#########################
ensure_dir_exists() {
local dir="${1:?directory is missing}"
local owner="${2:-}"
mkdir -p "${dir}"
if [[ -n $owner ]]; then
owned_by "$dir" "$owner"
fi
}
########################
# Checks whether a directory is empty or not
# arguments:
# $1 - directory
# returns:
# boolean
#########################
is_dir_empty() {
local dir="${1:?missing directory}"
if [[ ! -e "$dir" ]] || [[ -z "$(ls -A "$dir")" ]]; then
true
else
false
fi
}
########################
# Checks whether a mounted directory is empty or not
# arguments:
# $1 - directory
# returns:
# boolean
#########################
is_mounted_dir_empty() {
local dir="${1:?missing directory}"
if is_dir_empty "$dir" || find "$dir" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" -exec false {} +; then
true
else
false
fi
}
########################
# Checks whether a file can be written to or not
# arguments:
# $1 - file
# returns:
# boolean
#########################
is_file_writable() {
local file="${1:?missing file}"
local dir
dir="$(dirname "$file")"
if [[ ( -f "$file" && -w "$file" ) || ( ! -f "$file" && -d "$dir" && -w "$dir" ) ]]; then
true
else
false
fi
}
########################
# Relativize a path
# arguments:
# $1 - path
# $2 - base
# returns:
# None
#########################
relativize() {
local -r path="${1:?missing path}"
local -r base="${2:?missing base}"
pushd "$base" >/dev/null
realpath -q --no-symlinks --relative-base="$base" "$path" | sed -e 's|^/$|.|' -e 's|^/||'
popd >/dev/null
}
########################
# Configure permisions and ownership recursively
# Globals:
# None
# Arguments:
# $1 - paths (as a string).
# Flags:
# -f|--file-mode - mode for directories.
# -d|--dir-mode - mode for files.
# -u|--user - user
# -g|--group - group
# Returns:
# None
#########################
configure_permissions_ownership() {
local -r paths="${1:?paths is missing}"
local dir_mode=""
local file_mode=""
local user=""
local group=""
# Validate arguments
shift 1
while [ "$#" -gt 0 ]; do
case "$1" in
-f|--file-mode)
shift
file_mode="${1:?missing mode for files}"
;;
-d|--dir-mode)
shift
dir_mode="${1:?missing mode for directories}"
;;
-u|--user)
shift
user="${1:?missing user}"
;;
-g|--group)
shift
group="${1:?missing group}"
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
read -r -a filepaths <<< "$paths"
for p in "${filepaths[@]}"; do
if [[ -e "$p" ]]; then
if [[ -n $dir_mode ]]; then
find -L "$p" -type d -exec chmod "$dir_mode" {} \;
fi
if [[ -n $file_mode ]]; then
find -L "$p" -type f -exec chmod "$file_mode" {} \;
fi
if [[ -n $user ]] && [[ -n $group ]]; then
chown -LR "$user":"$group" "$p"
elif [[ -n $user ]] && [[ -z $group ]]; then
chown -LR "$user" "$p"
elif [[ -z $user ]] && [[ -n $group ]]; then
chgrp -LR "$group" "$p"
fi
else
stderr_print "$p does not exist"
fi
done
}

110
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/liblog.sh Normal file
View File

@ -0,0 +1,110 @@
#!/bin/bash
#
# Library for logging functions
# Constants
RESET='\033[0m'
RED='\033[38;5;1m'
GREEN='\033[38;5;2m'
YELLOW='\033[38;5;3m'
MAGENTA='\033[38;5;5m'
CYAN='\033[38;5;6m'
# Functions
########################
# Print to STDERR
# Arguments:
# Message to print
# Returns:
# None
#########################
stderr_print() {
# 'is_boolean_yes' is defined in libvalidations.sh, but depends on this file so we cannot source it
local bool="${BITNAMI_QUIET:-false}"
# comparison is performed without regard to the case of alphabetic characters
shopt -s nocasematch
if ! [[ "$bool" = 1 || "$bool" =~ ^(yes|true)$ ]]; then
printf "%b\\n" "${*}" >&2
fi
}
########################
# Log message
# Arguments:
# Message to log
# Returns:
# None
#########################
log() {
stderr_print "${CYAN}${MODULE:-} ${MAGENTA}$(date "+%T.%2N ")${RESET}${*}"
}
########################
# Log an 'info' message
# Arguments:
# Message to log
# Returns:
# None
#########################
info() {
log "${GREEN}INFO ${RESET} ==> ${*}"
}
########################
# Log message
# Arguments:
# Message to log
# Returns:
# None
#########################
warn() {
log "${YELLOW}WARN ${RESET} ==> ${*}"
}
########################
# Log an 'error' message
# Arguments:
# Message to log
# Returns:
# None
#########################
error() {
log "${RED}ERROR${RESET} ==> ${*}"
}
########################
# Log a 'debug' message
# Globals:
# BITNAMI_DEBUG
# Arguments:
# None
# Returns:
# None
#########################
debug() {
# 'is_boolean_yes' is defined in libvalidations.sh, but depends on this file so we cannot source it
local bool="${BITNAMI_DEBUG:-false}"
# comparison is performed without regard to the case of alphabetic characters
shopt -s nocasematch
if [[ "$bool" = 1 || "$bool" =~ ^(yes|true)$ ]]; then
log "${MAGENTA}DEBUG${RESET} ==> ${*}"
fi
}
########################
# Indent a string
# Arguments:
# $1 - string
# $2 - number of indentation characters (default: 4)
# $3 - indentation character (default: " ")
# Returns:
# None
#########################
indent() {
local string="${1:-}"
local num="${2:?missing num}"
local char="${3:-" "}"
# Build the indentation unit string
local indent_unit=""
for ((i = 0; i < num; i++)); do
indent_unit="${indent_unit}${char}"
done
echo "$string" | sed "s/^/${indent_unit}/"
}

140
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libnet.sh Normal file
View File

@ -0,0 +1,140 @@
#!/bin/bash
#
# Library for network functions
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Functions
########################
# Resolve dns
# Arguments:
# $1 - Hostname to resolve
# Returns:
# IP
#########################
dns_lookup() {
local host="${1:?host is missing}"
getent ahosts "$host" | awk '/STREAM/ {print $1 }'
}
#########################
# Wait for a hostname and return the IP
# Arguments:
# $1 - hostname
# $2 - number of retries
# $3 - seconds to wait between retries
# Returns:
# - IP address that corresponds to the hostname
#########################
wait_for_dns_lookup() {
local hostname="${1:?hostname is missing}"
local retries="${2:-5}"
local seconds="${3:-1}"
check_host() {
if [[ $(dns_lookup "$hostname") == "" ]]; then
false
else
true
fi
}
# Wait for the host to be ready
retry_while "check_host ${hostname}" "$retries" "$seconds"
dns_lookup "$hostname"
}
########################
# Get machine's IP
# Arguments:
# None
# Returns:
# Machine IP
#########################
get_machine_ip() {
local -a ip_addresses
local hostname
hostname="$(hostname)"
read -r -a ip_addresses <<< "$(dns_lookup "$hostname" | xargs echo)"
if [[ "${#ip_addresses[@]}" -gt 1 ]]; then
warn "Found more than one IP address associated to hostname ${hostname}: ${ip_addresses[*]}, will use ${ip_addresses[0]}"
elif [[ "${#ip_addresses[@]}" -lt 1 ]]; then
error "Could not find any IP address associated to hostname ${hostname}"
exit 1
fi
echo "${ip_addresses[0]}"
}
########################
# Check if the provided argument is a resolved hostname
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_hostname_resolved() {
local -r host="${1:?missing value}"
if [[ -n "$(dns_lookup "$host")" ]]; then
true
else
false
fi
}
########################
# Parse URL
# Globals:
# None
# Arguments:
# $1 - uri - String
# $2 - component to obtain. Valid options (scheme, authority, userinfo, host, port, path, query or fragment) - String
# Returns:
# String
parse_uri() {
local uri="${1:?uri is missing}"
local component="${2:?component is missing}"
# Solution based on https://tools.ietf.org/html/rfc3986#appendix-B with
# additional sub-expressions to split authority into userinfo, host and port
# Credits to Patryk Obara (see https://stackoverflow.com/a/45977232/6694969)
local -r URI_REGEX='^(([^:/?#]+):)?(//((([^@/?#]+)@)?([^:/?#]+)(:([0-9]+))?))?(/([^?#]*))?(\?([^#]*))?(#(.*))?'
# || | ||| | | | | | | | | |
# |2 scheme | ||6 userinfo 7 host | 9 port | 11 rpath | 13 query | 15 fragment
# 1 scheme: | |5 userinfo@ 8 :... 10 path 12 ?... 14 #...
# | 4 authority
# 3 //...
local index=0
case "$component" in
scheme)
index=2
;;
authority)
index=4
;;
userinfo)
index=6
;;
host)
index=7
;;
port)
index=9
;;
path)
index=10
;;
query)
index=13
;;
fragment)
index=14
;;
*)
stderr_print "unrecognized component $component"
return 1
;;
esac
[[ "$uri" =~ $URI_REGEX ]] && echo "${BASH_REMATCH[${index}]}"
}

279
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libos.sh Normal file
View File

@ -0,0 +1,279 @@
#!/bin/bash
#
# Library for operating system actions
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Functions
########################
# Check if an user exists in the system
# Arguments:
# $1 - user
# Returns:
# Boolean
#########################
user_exists() {
local user="${1:?user is missing}"
id "$user" >/dev/null 2>&1
}
########################
# Check if a group exists in the system
# Arguments:
# $1 - group
# Returns:
# Boolean
#########################
group_exists() {
local group="${1:?group is missing}"
getent group "$group" >/dev/null 2>&1
}
########################
# Create a group in the system if it does not exist already
# Arguments:
# $1 - group
# Returns:
# None
#########################
ensure_group_exists() {
local group="${1:?group is missing}"
if ! group_exists "$group"; then
groupadd "$group" >/dev/null 2>&1
fi
}
########################
# Create an user in the system if it does not exist already
# Arguments:
# $1 - user
# $2 - group
# Returns:
# None
#########################
ensure_user_exists() {
local user="${1:?user is missing}"
local group="${2:-}"
if ! user_exists "$user"; then
useradd "$user" >/dev/null 2>&1
fi
if [[ -n "$group" ]]; then
ensure_group_exists "$group"
usermod -a -G "$group" "$user" >/dev/null 2>&1
fi
}
########################
# Check if the script is currently running as root
# Arguments:
# $1 - user
# $2 - group
# Returns:
# Boolean
#########################
am_i_root() {
if [[ "$(id -u)" = "0" ]]; then
true
else
false
fi
}
########################
# Get total memory available
# Arguments:
# None
# Returns:
# Memory in bytes
#########################
get_total_memory() {
echo $(($(grep MemTotal /proc/meminfo | awk '{print $2}') / 1024))
}
########################
# Get machine size depending on specified memory
# Globals:
# None
# Arguments:
# None
# Flags:
# --memory - memory size (optional)
# Returns:
# Detected instance size
#########################
get_machine_size() {
local memory=""
# Validate arguments
while [[ "$#" -gt 0 ]]; do
case "$1" in
--memory)
shift
memory="${1:?missing memory}"
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
if [[ -z "$memory" ]]; then
debug "Memory was not specified, detecting available memory automatically"
memory="$(get_total_memory)"
fi
sanitized_memory=$(convert_to_mb "$memory")
if [[ "$sanitized_memory" -gt 26000 ]]; then
echo 2xlarge
elif [[ "$sanitized_memory" -gt 13000 ]]; then
echo xlarge
elif [[ "$sanitized_memory" -gt 6000 ]]; then
echo large
elif [[ "$sanitized_memory" -gt 3000 ]]; then
echo medium
elif [[ "$sanitized_memory" -gt 1500 ]]; then
echo small
else
echo micro
fi
}
########################
# Get machine size depending on specified memory
# Globals:
# None
# Arguments:
# $1 - memory size (optional)
# Returns:
# Detected instance size
#########################
get_supported_machine_sizes() {
echo micro small medium large xlarge 2xlarge
}
########################
# Convert memory size from string to amount of megabytes (i.e. 2G -> 2048)
# Globals:
# None
# Arguments:
# $1 - memory size
# Returns:
# Result of the conversion
#########################
convert_to_mb() {
local amount="${1:-}"
if [[ $amount =~ ^([0-9]+)(m|M|g|G) ]]; then
size="${BASH_REMATCH[1]}"
unit="${BASH_REMATCH[2]}"
if [[ "$unit" = "g" || "$unit" = "G" ]]; then
amount="$((size * 1024))"
else
amount="$size"
fi
fi
echo "$amount"
}
#########################
# Redirects output to /dev/null if debug mode is disabled
# Globals:
# BITNAMI_DEBUG
# Arguments:
# $@ - Command to execute
# Returns:
# None
#########################
debug_execute() {
if ${BITNAMI_DEBUG:-false}; then
"$@"
else
"$@" >/dev/null 2>&1
fi
}
########################
# Retries a command a given number of times
# Arguments:
# $1 - cmd (as a string)
# $2 - max retries. Default: 12
# $3 - sleep between retries (in seconds). Default: 5
# Returns:
# Boolean
#########################
retry_while() {
local cmd="${1:?cmd is missing}"
local retries="${2:-12}"
local sleep_time="${3:-5}"
local return_value=1
read -r -a command <<< "$cmd"
for ((i = 1 ; i <= retries ; i+=1 )); do
"${command[@]}" && return_value=0 && break
sleep "$sleep_time"
done
return $return_value
}
########################
# Generate a random string
# Arguments:
# -t|--type - String type (ascii, alphanumeric, numeric), defaults to ascii
# -c|--count - Number of characters, defaults to 32
# Arguments:
# None
# Returns:
# None
# Returns:
# String
#########################
generate_random_string() {
local type="ascii"
local count="32"
local filter
local result
# Validate arguments
while [[ "$#" -gt 0 ]]; do
case "$1" in
-t|--type)
shift
type="$1"
;;
-c|--count)
shift
count="$1"
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
# Validate type
case "$type" in
ascii)
filter="[:print:]"
;;
alphanumeric)
filter="a-zA-Z0-9"
;;
numeric)
filter="0-9"
;;
*)
echo "Invalid type ${type}" >&2
return 1
esac
# Obtain count + 10 lines from /dev/urandom to ensure that the resulting string has the expected size
# Note there is a very small chance of strings starting with EOL character
# Therefore, the higher amount of lines read, this will happen less frequently
result="$(head -n "$((count + 10))" /dev/urandom | tr -dc "$filter" | head -c "$count")"
echo "$result"
}

120
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libpersistence.sh Normal file
View File

@ -0,0 +1,120 @@
#!/bin/bash
#
# Bitnami persistence library
# Used for bringing persistence capabilities to applications that don't have clear separation of data and logic
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/libfs.sh
. /opt/bitnami/scripts/libos.sh
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libversion.sh
# Functions
########################
# Persist an application directory
# Globals:
# BITNAMI_ROOT_DIR
# BITNAMI_VOLUME_DIR
# Arguments:
# $1 - App folder name
# $2 - List of app files to persist
# Returns:
# true if all steps succeeded, false otherwise
#########################
persist_app() {
local -r app="${1:?missing app}"
local -a files_to_restore
read -r -a files_to_persist <<< "$2"
local -r install_dir="${BITNAMI_ROOT_DIR}/${app}"
local -r persist_dir="${BITNAMI_VOLUME_DIR}/${app}"
# Persist the individual files
if [[ "${#files_to_persist[@]}" -lt 0 ]]; then
warn "No files are configured to be persisted"
return
fi
pushd "$install_dir" >/dev/null
local file_to_persist_relative file_to_persist_destination file_to_persist_destination_folder
local -r tmp_file="/tmp/perms.acl"
for file_to_persist in "${files_to_persist[@]}"; do
if [[ ! -f "$file_to_persist" && ! -d "$file_to_persist" ]]; then
error "Cannot persist '${file_to_persist}' because it does not exist"
return 1
fi
file_to_persist_relative="$(relativize "$file_to_persist" "$install_dir")"
file_to_persist_destination="${persist_dir}/${file_to_persist_relative}"
file_to_persist_destination_folder="$(dirname "$file_to_persist_destination")"
# Get original permissions (except for the root directory, to avoid issues with volumes)
find "$file_to_persist_relative" | grep -E -v '^\.$' | xargs getfacl -R > "$tmp_file"
# Copy directories to the volume
ensure_dir_exists "$file_to_persist_destination_folder"
cp -Lr --preserve=links "$file_to_persist_relative" "$file_to_persist_destination_folder"
# Restore permissions
pushd "$persist_dir" >/dev/null
if am_i_root; then
setfacl --restore="$tmp_file"
else
# When running as non-root, don't change ownership
setfacl --restore=<(grep -E -v '^# (owner|group):' "$tmp_file")
fi
popd >/dev/null
done
popd >/dev/null
# Install the persisted files into the installation directory, via symlinks
restore_persisted_app "$@"
}
########################
# Restore a persisted application directory
# Globals:
# BITNAMI_ROOT_DIR
# BITNAMI_VOLUME_DIR
# FORCE_MAJOR_UPGRADE
# Arguments:
# $1 - App folder name
# $2 - List of app files to restore
# Returns:
# true if all steps succeeded, false otherwise
#########################
restore_persisted_app() {
local -r app="${1:?missing app}"
local -a files_to_restore
read -r -a files_to_restore <<< "$2"
local -r install_dir="${BITNAMI_ROOT_DIR}/${app}"
local -r persist_dir="${BITNAMI_VOLUME_DIR}/${app}"
# Restore the individual persisted files
if [[ "${#files_to_restore[@]}" -lt 0 ]]; then
warn "No persisted files are configured to be restored"
return
fi
local file_to_restore_relative file_to_restore_origin file_to_restore_destination
for file_to_restore in "${files_to_restore[@]}"; do
file_to_restore_relative="$(relativize "$file_to_restore" "$install_dir")"
# We use 'realpath --no-symlinks' to ensure that the case of '.' is covered and the directory is removed
file_to_restore_origin="$(realpath --no-symlinks "${install_dir}/${file_to_restore_relative}")"
file_to_restore_destination="$(realpath --no-symlinks "${persist_dir}/${file_to_restore_relative}")"
rm -rf "$file_to_restore_origin"
ln -sfn "$file_to_restore_destination" "$file_to_restore_origin"
done
}
########################
# Check if an application directory was already persisted
# Globals:
# BITNAMI_VOLUME_DIR
# Arguments:
# $1 - App folder name
# Returns:
# true if all steps succeeded, false otherwise
#########################
is_app_initialized() {
local -r app="${1:?missing app}"
local -r persist_dir="${BITNAMI_VOLUME_DIR}/${app}"
if ! is_mounted_dir_empty "$persist_dir"; then
true
else
false
fi
}

147
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libservice.sh Normal file
View File

@ -0,0 +1,147 @@
#!/bin/bash
#
# Library for managing services
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/libvalidations.sh
# Functions
########################
# Read the provided pid file and returns a PID
# Arguments:
# $1 - Pid file
# Returns:
# PID
#########################
get_pid_from_file() {
local pid_file="${1:?pid file is missing}"
if [[ -f "$pid_file" ]]; then
if [[ -n "$(< "$pid_file")" ]] && [[ "$(< "$pid_file")" -gt 0 ]]; then
echo "$(< "$pid_file")"
fi
fi
}
########################
# Check if a provided PID corresponds to a running service
# Arguments:
# $1 - PID
# Returns:
# Boolean
#########################
is_service_running() {
local pid="${1:?pid is missing}"
kill -0 "$pid" 2>/dev/null
}
########################
# Stop a service by sending a termination signal to its pid
# Arguments:
# $1 - Pid file
# $2 - Signal number (optional)
# Returns:
# None
#########################
stop_service_using_pid() {
local pid_file="${1:?pid file is missing}"
local signal="${2:-}"
local pid
pid="$(get_pid_from_file "$pid_file")"
[[ -z "$pid" ]] || ! is_service_running "$pid" && return
if [[ -n "$signal" ]]; then
kill "-${signal}" "$pid"
else
kill "$pid"
fi
local counter=10
while [[ "$counter" -ne 0 ]] && is_service_running "$pid"; do
sleep 1
counter=$((counter - 1))
done
}
########################
# Generate a monit configuration file for a given service
# Arguments:
# $1 - Service name
# $2 - Pid file
# $3 - Start command
# $4 - Stop command
# Flags:
# --disabled - Whether to disable the monit configuration
# Returns:
# None
#########################
generate_monit_conf() {
local service_name="${1:?service name is missing}"
local pid_file="${2:?pid file is missing}"
local start_command="${3:?start command is missing}"
local stop_command="${4:?stop command is missing}"
local monit_conf_dir="/etc/monit/conf.d"
local disabled="no"
# Parse optional CLI flags
shift 4
while [[ "$#" -gt 0 ]]; do
case "$1" in
--disabled)
shift
disabled="$1"
;;
*)
echo "Invalid command line flag ${1}" >&2
return 1
;;
esac
shift
done
is_boolean_yes "$disabled" && conf_suffix=".disabled"
mkdir -p "$monit_conf_dir"
cat >"${monit_conf_dir}/${service_name}.conf${conf_suffix:-}" <<EOF
check process ${service_name}
with pidfile "${pid_file}"
start program = "${start_command}" with timeout 90 seconds
stop program = "${stop_command}" with timeout 90 seconds
EOF
}
########################
# Generate a logrotate configuration file
# Arguments:
# $1 - Log path
# $2 - Period
# $3 - Number of rotations to store
# $4 - Extra options (Optional)
# Returns:
# None
#########################
generate_logrotate_conf() {
local service_name="${1:?service name is missing}"
local log_path="${2:?log path is missing}"
local period="${3:-weekly}"
local rotations="${4:-150}"
local extra_options="${5:-}"
local logrotate_conf_dir="/etc/logrotate.d"
mkdir -p "$logrotate_conf_dir"
cat >"${logrotate_conf_dir}/${service_name}" <<EOF
${log_path} {
${period}
rotate ${rotations}
dateext
compress
copytruncate
missingok
${extra_options}
}
EOF
}

248
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libvalidations.sh Normal file
View File

@ -0,0 +1,248 @@
#!/bin/bash
#
# Validation functions library
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Functions
########################
# Check if the provided argument is an integer
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_int() {
local -r int="${1:?missing value}"
if [[ "$int" =~ ^-?[0-9]+ ]]; then
true
else
false
fi
}
########################
# Check if the provided argument is a positive integer
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_positive_int() {
local -r int="${1:?missing value}"
if is_int "$int" && (( "${int}" >= 0 )); then
true
else
false
fi
}
########################
# Check if the provided argument is a boolean or is the string 'yes/true'
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_boolean_yes() {
local -r bool="${1:-}"
# comparison is performed without regard to the case of alphabetic characters
shopt -s nocasematch
if [[ "$bool" = 1 || "$bool" =~ ^(yes|true)$ ]]; then
true
else
false
fi
}
########################
# Check if the provided argument is a boolean yes/no value
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_yes_no_value() {
local -r bool="${1:-}"
if [[ "$bool" =~ ^(yes|no)$ ]]; then
true
else
false
fi
}
########################
# Check if the provided argument is a boolean true/false value
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_true_false_value() {
local -r bool="${1:-}"
if [[ "$bool" =~ ^(true|false)$ ]]; then
true
else
false
fi
}
########################
# Check if the provided argument is an empty string or not defined
# Arguments:
# $1 - Value to check
# Returns:
# Boolean
#########################
is_empty_value() {
local -r val="${1:-}"
if [[ -z "$val" ]]; then
true
else
false
fi
}
########################
# Validate if the provided argument is a valid port
# Arguments:
# $1 - Port to validate
# Returns:
# Boolean and error message
#########################
validate_port() {
local value
local unprivileged=0
# Parse flags
while [[ "$#" -gt 0 ]]; do
case "$1" in
-unprivileged)
unprivileged=1
;;
--)
shift
break
;;
-*)
stderr_print "unrecognized flag $1"
return 1
;;
*)
break
;;
esac
shift
done
if [[ "$#" -gt 1 ]]; then
echo "too many arguments provided"
return 2
elif [[ "$#" -eq 0 ]]; then
stderr_print "missing port argument"
return 1
else
value=$1
fi
if [[ -z "$value" ]]; then
echo "the value is empty"
return 1
else
if ! is_int "$value"; then
echo "value is not an integer"
return 2
elif [[ "$value" -lt 0 ]]; then
echo "negative value provided"
return 2
elif [[ "$value" -gt 65535 ]]; then
echo "requested port is greater than 65535"
return 2
elif [[ "$unprivileged" = 1 && "$value" -lt 1024 ]]; then
echo "privileged port requested"
return 3
fi
fi
}
########################
# Validate if the provided argument is a valid IPv4 address
# Arguments:
# $1 - IP to validate
# Returns:
# Boolean
#########################
validate_ipv4() {
local ip="${1:?ip is missing}"
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
read -r -a ip_array <<< "$(tr '.' ' ' <<< "$ip")"
[[ ${ip_array[0]} -le 255 && ${ip_array[1]} -le 255 \
&& ${ip_array[2]} -le 255 && ${ip_array[3]} -le 255 ]]
stat=$?
fi
return $stat
}
########################
# Validate a string format
# Arguments:
# $1 - String to validate
# Returns:
# Boolean
#########################
validate_string() {
local string
local min_length=-1
local max_length=-1
# Parse flags
while [ "$#" -gt 0 ]; do
case "$1" in
-min-length)
shift
min_length=${1:-}
;;
-max-length)
shift
max_length=${1:-}
;;
--)
shift
break
;;
-*)
stderr_print "unrecognized flag $1"
return 1
;;
*)
break
;;
esac
shift
done
if [ "$#" -gt 1 ]; then
stderr_print "too many arguments provided"
return 2
elif [ "$#" -eq 0 ]; then
stderr_print "missing string"
return 1
else
string=$1
fi
if [[ "$min_length" -ge 0 ]] && [[ "${#string}" -lt "$min_length" ]]; then
echo "string length is less than $min_length"
return 1
fi
if [[ "$max_length" -ge 0 ]] && [[ "${#string}" -gt "$max_length" ]]; then
echo "string length is great than $max_length"
return 1
fi
}

49
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libversion.sh Normal file
View File

@ -0,0 +1,49 @@
#!/bin/bash
#
# Library for managing versions strings
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/liblog.sh
# Functions
########################
# Gets semantic version
# Arguments:
# $1 - version: string to extract major.minor.patch
# $2 - section: 1 to extract major, 2 to extract minor, 3 to extract patch
# Returns:
# array with the major, minor and release
#########################
get_sematic_version () {
local version="${1:?version is required}"
local section="${2:?section is required}"
local -a version_sections
#Regex to parse versions: x.y.z
local -r regex='([0-9]+)(\.([0-9]+)(\.([0-9]+))?)?'
if [[ "$version" =~ $regex ]]; then
local i=1
local j=1
local n=${#BASH_REMATCH[*]}
while [[ $i -lt $n ]]; do
if [[ -n "${BASH_REMATCH[$i]}" ]] && [[ "${BASH_REMATCH[$i]:0:1}" != '.' ]]; then
version_sections[$j]=${BASH_REMATCH[$i]}
((j++))
fi
((i++))
done
local number_regex='^[0-9]+$'
if [[ "$section" =~ $number_regex ]] && (( $section > 0 )) && (( $section <= 3 )); then
echo "${version_sections[$section]}"
return
else
stderr_print "Section allowed values are: 1, 2, and 3"
return 1
fi
fi
}

320
bitnami/ejbca/6/debian-10/prebuildfs/opt/bitnami/scripts/libwebserver.sh Normal file
View File

@ -0,0 +1,320 @@
#!/bin/bash
#
# Bitnami web server handler library
# shellcheck disable=SC1091
# Load generic libraries
. /opt/bitnami/scripts/liblog.sh
# Load web server libraries
[[ -f "/opt/bitnami/scripts/libapache.sh" ]] && . /opt/bitnami/scripts/libapache.sh
[[ -f "/opt/bitnami/scripts/libnginx.sh" ]] && . /opt/bitnami/scripts/libnginx.sh
# Load environment for all configured web servers
[[ -f "/opt/bitnami/scripts/apache-env.sh" ]] && . /opt/bitnami/scripts/apache-env.sh
[[ -f "/opt/bitnami/scripts/nginx-env.sh" ]] && . /opt/bitnami/scripts/nginx-env.sh
########################
# Prints the currently-enabled web server type
# Globals:
# WEB_SERVER_TYPE
# Arguments:
# None
# Returns:
# None
#########################
web_server_type() {
echo "$WEB_SERVER_TYPE"
}
########################
# Validate that a supported web server is configured
# Globals:
# WEB_SERVER_*
# Arguments:
# None
# Returns:
# None
#########################
web_server_validate() {
local error_code=0
local supported_web_servers=("apache" "nginx")
# Auxiliary functions
print_validation_error() {
error "$1"
error_code=1
}
if [[ -z "$(web_server_type)" || ! " ${supported_web_servers[*]} " == *" $(web_server_type) "* ]]; then
print_validation_error "Could not detect any supported web servers. It must be one of: ${supported_web_servers[*]}"
elif ! type -t "is_$(web_server_type)_running" >/dev/null; then
print_validation_error "Could not load the $(web_server_type) web server library from /opt/bitnami/scripts. Check that it exists and is readable."
fi
return "$error_code"
}
########################
# Check whether the web server is running
# Globals:
# *
# Arguments:
# None
# Returns:
# true if the web server is running, false otherwise
#########################
is_web_server_running() {
"is_$(web_server_type)_running"
}
########################
# Start web server
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_start() {
"${BITNAMI_ROOT_DIR}/scripts/$(web_server_type)/start.sh"
}
########################
# Stop web server
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_stop() {
"${BITNAMI_ROOT_DIR}/scripts/$(web_server_type)/stop.sh"
}
########################
# Restart web server
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_restart() {
"${BITNAMI_ROOT_DIR}/scripts/$(web_server_type)/restart.sh"
}
########################
# Reload web server
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_reload() {
"${BITNAMI_ROOT_DIR}/scripts/$(web_server_type)/reload.sh"
}
########################
# Ensure a web server application configuration exists (i.e. Apache virtual host format or NGINX server block)
# It serves as a wrapper for the specific web server function
# Globals:
# *
# Arguments:
# $1 - App name
# Flags:
# --hosts - Hosts to enable
# --type - Application type, which has an effect on which configuration template to use
# --allow-remote-connections - Whether to allow remote connections or to require local connections
# --disabled - Whether to render the file with a .disabled prefix
# --enable-https - Enable app configuration on HTTPS port
# --http-port - HTTP port number
# --https-port - HTTPS port number
# --document-root - Path to document root directory
# Apache-specific flags:
# --apache-additional-configuration - Additional vhost configuration (no default)
# --apache-allow-override - Whether to allow .htaccess files (only allowed when --move-htaccess is set to 'no')
# --apache-extra-directory-configuration - Extra configuration for the document root directory
# --apache-move-htaccess - Move .htaccess files to a common place so they can be loaded during Apache startup
# NGINX-specific flags:
# --nginx-additional-configuration - Additional server block configuration (no default)
# Returns:
# true if the configuration was enabled, false otherwise
########################
ensure_web_server_app_configuration_exists() {
local app="${1:?missing app}"
local -a args=()
# Validate arguments
shift
while [[ "$#" -gt 0 ]]; do
case "$1" in
# Common flags
--hosts \
| --type \
| --allow-remote-connections \
| --disabled \
| --enable-https \
| --http-port \
| --https-port \
| --document-root \
)
args+=("$1" "$2")
shift
;;
# Specific Apache flags
--apache-additional-configuration \
| --apache-allow-override \
| --apache-extra-directory-configuration \
| --apache-move-htaccess \
)
[[ "$(web_server_type)" == "apache" ]] && args+=("${1//apache-/}" "$2")
shift
;;
# Specific NGINX flags
--nginx-additional-configuration)
[[ "$(web_server_type)" == "nginx" ]] && args+=("${1//nginx-/}" "$2")
shift
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
"ensure_$(web_server_type)_app_configuration_exists" "$app" "${args[@]}"
}
########################
# Ensure a web server application configuration does not exist anymore (i.e. Apache virtual host format or NGINX server block)
# It serves as a wrapper for the specific web server function
# Globals:
# *
# Arguments:
# $1 - App name
# Returns:
# true if the configuration was disabled, false otherwise
########################
ensure_web_server_app_configuration_not_exists() {
local app="${1:?missing app}"
"ensure_$(web_server_type)_app_configuration_not_exists" "$app"
}
########################
# Ensure the web server loads the configuration for an application in a URL prefix
# It serves as a wrapper for the specific web server function
# Globals:
# *
# Arguments:
# $1 - App name
# Flags:
# --allow-remote-connections - Whether to allow remote connections or to require local connections
# --document-root - Path to document root directory
# --prefix - URL prefix from where it will be accessible (i.e. /myapp)
# --type - Application type, which has an effect on what configuration template will be used
# Apache-specific flags:
# --apache-additional-configuration - Additional vhost configuration (no default)
# --apache-allow-override - Whether to allow .htaccess files (only allowed when --move-htaccess is set to 'no')
# --apache-extra-directory-configuration - Extra configuration for the document root directory
# --apache-move-htaccess - Move .htaccess files to a common place so they can be loaded during Apache startup
# NGINX-specific flags:
# --nginx-additional-configuration - Additional server block configuration (no default)
# Returns:
# true if the configuration was enabled, false otherwise
########################
ensure_web_server_prefix_configuration_exists() {
local app="${1:?missing app}"
local -a args=()
# Validate arguments
shift
while [[ "$#" -gt 0 ]]; do
case "$1" in
# Common flags
--allow-remote-connections \
| --document-root \
| --prefix \
| --type \
)
args+=("$1" "$2")
shift
;;
# Specific Apache flags
--apache-additional-configuration \
| --apache-allow-override \
| --apache-extra-directory-configuration \
| --apache-move-htaccess \
)
[[ "$(web_server_type)" == "apache" ]] && args+=("${1//apache-/}" "$2")
shift
;;
# Specific NGINX flags
--nginx-additional-configuration)
[[ "$(web_server_type)" == "nginx" ]] && args+=("${1//nginx-/}" "$2")
shift
;;
*)
echo "Invalid command line flag $1" >&2
return 1
;;
esac
shift
done
"ensure_$(web_server_type)_prefix_configuration_exists" "$app" "${args[@]}"
}
########################
# Enable loading page, which shows users that the initialization process is not yet completed
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_enable_loading_page() {
ensure_web_server_app_configuration_exists "__loading" --hosts "_default_" \
--apache-additional-configuration "
# Show a HTTP 503 Service Unavailable page by default
RedirectMatch 503 ^/$
# Show index.html if server is answering with 404 Not Found or 503 Service Unavailable status codes
ErrorDocument 404 /index.html
ErrorDocument 503 /index.html" \
--nginx-additional-configuration "
# Show a HTTP 503 Service Unavailable page by default
location / {
return 503;
}
# Show index.html if server is answering with 404 Not Found or 503 Service Unavailable status codes
error_page 404 @installing;
error_page 503 @installing;
location @installing {
rewrite ^(.*)$ /index.html break;
}"
web_server_reload
}
########################
# Enable loading page, which shows users that the initialization process is not yet completed
# Globals:
# *
# Arguments:
# None
# Returns:
# None
#########################
web_server_disable_install_page() {
ensure_web_server_app_configuration_not_exists "__loading"
web_server_reload
}

24
bitnami/ejbca/6/debian-10/prebuildfs/usr/sbin/install_packages Executable file
View File

@ -0,0 +1,24 @@
#!/bin/sh
set -e
set -u
export DEBIAN_FRONTEND=noninteractive
n=0
max=2
until [ $n -gt $max ]; do
set +e
(
apt-get update -qq &&
apt-get install -y --no-install-recommends "$@"
)
CODE=$?
set -e
if [ $CODE -eq 0 ]; then
break
fi
if [ $n -eq $max ]; then
exit $CODE
fi
echo "apt failed, retrying"
n=$(($n + 1))
done
rm -r /var/lib/apt/lists /var/cache/apt/archives

108
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/ejbca-env.sh Normal file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# Environment configuration for ejbca
# The values for all environment variables will be set in the below order of precedence
# 1. Custom environment variables defined below after Bitnami defaults
# 2. Constants defined in this file (environment variables with no default), i.e. BITNAMI_ROOT_DIR
# 3. Environment variables overridden via external files using *_FILE variables (see below)
# 4. Environment variables set externally (i.e. current Bash context/Dockerfile/userdata)
export BITNAMI_ROOT_DIR="/opt/bitnami"
export BITNAMI_VOLUME_DIR="/bitnami"
# Logging configuration
export MODULE="${MODULE:-ejbca}"
export BITNAMI_DEBUG="${BITNAMI_DEBUG:-false}"
# By setting an environment variable matching *_FILE to a file path, the prefixed environment
# variable will be overridden with the value specified in that file
ejbca_env_vars=(
EJBCA_SERVER_CERT_FILE
EJBCA_SERVER_CERT_PASSWORD
EJBCA_HTTP_PORT_NUMBER
EJBCA_HTTPS_PORT_NUMBER
EJBCA_ADMIN_USERNAME
EJBCA_ADMIN_PASSWORD
EJBCA_DATABASE_HOST
EJBCA_DATABASE_PORT
EJBCA_DATABASE_NAME
EJBCA_DATABASE_USERNAME
EJBCA_DATABASE_PASSWORD
EJBCA_CA_NAME
JAVA_OPTS
)
for env_var in "${ejbca_env_vars[@]}"; do
file_env_var="${env_var}_FILE"
if [[ -n "${!file_env_var:-}" ]]; then
export "${env_var}=$(< "${!file_env_var}")"
unset "${file_env_var}"
fi
done
unset ejbca_env_vars
# Paths
export BITNAMI_VOLUME_DIR="/bitnami"
export EJBCA_BASE_DIR="/opt/bitnami/ejbca"
export EJBCA_BIN_DIR="${EJBCA_BASE_DIR}/bin"
export EJBCA_TMP_DIR="${EJBCA_BASE_DIR}/tmp"
export EJBCA_DATABASE_SCRIPTS_DIR="${EJBCA_BASE_DIR}/sql-scripts"
# Persitence
export EJBCA_VOLUME_DIR="${BITNAMI_VOLUME_DIR}/ejbca"
export EJBCA_DATA_DIR="${EJBCA_VOLUME_DIR}/tls"
# DB scripts
export EJBCA_DB_SCRIPT_INDEXES="${EJBCA_DATABASE_SCRIPTS_DIR}/create-index-ejbca.sql"
export EJBCA_DB_SCRIPT_TABLES="${EJBCA_DATABASE_SCRIPTS_DIR}/create-tables-ejbca-mysql.sql"
# EJBA deployment
export EJBCA_EAR_FILE="${EJBCA_BASE_DIR}/dist/ejbca.ear"
# Keystores
export EJBCA_KEYSTORE_FILE="${EJBCA_DATA_DIR}/keystore.jks"
export EJBCA_KEYSTORE_PASSWORD_FILE="${EJBCA_DATA_DIR}/keystore.pwd"
export EJBCA_TRUSTSTORE_FILE="${EJBCA_DATA_DIR}/truststore.jks"
export EJBCA_TRUSTSTORE_PASSWORD_FILE="${EJBCA_DATA_DIR}/truststore.pwd"
export EJBCA_TEMP_KEYSTORE_FILE="${EJBCA_TMP_DIR}/keystore.jks"
export EJBCA_TEMP_TRUSTSTORE_FILE="${EJBCA_TMP_DIR}/truststore.jks"
export EJBCA_SERVER_CERT_FILE="${EJBCA_SERVER_CERT_FILE:-}"
export EJBCA_SERVER_CERT_PASSWORD="${EJBCA_SERVER_CERT_PASSWORD:-}"
export EJBCA_TEMP_CERT="${EJBCA_TMP_DIR}/cacert.der"
# Wildfly
export EJBCA_WILDFLY_BASE_DIR="/opt/bitnami/wildfly"
export EJBCA_WILDFLY_BIN_DIR="${EJBCA_WILDFLY_BASE_DIR}/bin"
export EJBCA_WILDFLY_PID_DIR="${EJBCA_TMP_DIR}"
export EJBCA_WILDFLY_PID_FILE="${EJBCA_WILDFLY_PID_DIR}/wildfly.pid"
export EJBCA_WILDFLY_DEPLOY_DIR="${EJBCA_WILDFLY_BASE_DIR}/standalone/deployments"
export EJBCA_WILDFLY_ADMIN_USER="admin"
export EJBCA_WILDFLY_TRUSTSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/truststore.jks"
export EJBCA_WILDFLY_KEYSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/keystore.jks"
# Users
export EJBCA_DAEMON_USER="wildfly"
export EJBCA_DAEMON_GROUP="wildfly"
# Settings
export EJBCA_HTTP_PORT_NUMBER="${EJBCA_HTTP_PORT_NUMBER:-8080}"
export EJBCA_HTTPS_PORT_NUMBER="${EJBCA_HTTPS_PORT_NUMBER:-8443}"
export EJBCA_ADMIN_USERNAME="${EJBCA_ADMIN_USERNAME:-superadmin}"
export EJBCA_ADMIN_PASSWORD="${EJBCA_ADMIN_PASSWORD:-Bitnami1234}"
export EJBCA_DATABASE_HOST="${EJBCA_DATABASE_HOST:-}"
export EJBCA_DATABASE_PORT="${EJBCA_DATABASE_PORT:-3306}"
export EJBCA_DATABASE_NAME="${EJBCA_DATABASE_NAME:-}"
export EJBCA_DATABASE_USERNAME="${EJBCA_DATABASE_USERNAME:-}"
export EJBCA_DATABASE_PASSWORD="${EJBCA_DATABASE_PASSWORD:-}"
export EJBCA_CA_NAME="${EJBCA_CA_NAME:-ManagementCA}"
export JAVA_OPTS="${JAVA_OPTS:--Xms2048m -Xmx2048m -XX:MetaspaceSize=192M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Dhibernate.dialect=org.hibernate.dialect.MySQL5Dialect -Dhibernate.dialect.storage_engine=innodb}"
# EJBCA environment variables.
export EJBCA_HOME="${EJBCA_BASE_DIR}"
export JAVA_HOME="/opt/bitnami/java"
export JBOSS_HOME="${EJBCA_WILDFLY_BASE_DIR}"
export LAUNCH_JBOSS_IN_BACKGROUND="true"
export JBOSS_PIDFILE="${EJBCA_WILDFLY_PID_FILE}"
# Custom environment variables may be defined below

27
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/ejbca/entrypoint.sh Executable file
View File

@ -0,0 +1,27 @@
#!/bin/bash
# shellcheck disable=SC1091
set -o errexit
set -o nounset
set -o pipefail
#set -o xtrace # Uncomment this line for debugging purposes
# Load libraries
. /opt/bitnami/scripts/libbitnami.sh
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libejbca.sh
# Load ejbca environment variables
. /opt/bitnami/scripts/ejbca-env.sh
print_welcome_page
if [[ "$*" = *"/opt/bitnami/scripts/ejbca/run.sh"* ]]; then
info "** Starting ejbca setup **"
/opt/bitnami/scripts/ejbca/setup.sh
info "** ejbca setup finished! **"
fi
echo ""
exec "$@"

25
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh Executable file
View File

@ -0,0 +1,25 @@
#!/bin/bash
# shellcheck disable=SC1091
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace # Uncomment this line for debugging purpose
# Load libraries
. /opt/bitnami/scripts/libejbca.sh
. /opt/bitnami/scripts/libfs.sh
. /opt/bitnami/scripts/libos.sh
# Load ejbca environment variables
. /opt/bitnami/scripts/ejbca-env.sh
for dir in "$EJBCA_TMP_DIR" "$EJBCA_VOLUME_DIR"; do
ensure_dir_exists "$dir"
chmod -R g+rwX "$dir"
done
chmod -R g+rwX "$EJBCA_BASE_DIR"
chmod -R g+rwX "$EJBCA_WILDFLY_BASE_DIR"/standalone "$EJBCA_WILDFLY_BASE_DIR"/domain

24
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/ejbca/run.sh Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# shellcheck disable=SC1091
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace # Uncomment this line for debugging purpose
# Load libraries
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libejbca.sh
# Load ejbca environment variables
. /opt/bitnami/scripts/ejbca-env.sh
info "** Starting ejbca **"
start_command=("${EJBCA_WILDFLY_BIN_DIR}/standalone.sh" "-b" "0.0.0.0")
if am_i_root; then
exec gosu "$EJBCA_DAEMON_USER" "${start_command[@]}"
else
exec "${start_command[@]}"
fi

20
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/ejbca/setup.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# shellcheck disable=SC1091
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace # Uncomment this line for debugging purpose
# Load libraries
. /opt/bitnami/scripts/libejbca.sh
# Load ejbca environment variables
. /opt/bitnami/scripts/ejbca-env.sh
# Ensure ejbca environment variables are valid
ejbca_validate
# Ensure ejbca is initialized
ejbca_initialize

593
bitnami/ejbca/6/debian-10/rootfs/opt/bitnami/scripts/libejbca.sh Normal file
View File

@ -0,0 +1,593 @@
#!/bin/bash
#
# Bitnami EBJCA library
# shellcheck disable=SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/libfs.sh
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libos.sh
. /opt/bitnami/scripts/libvalidations.sh
########################
# Validate settings in EJBCA_* env. variables
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_validate() {
info "Validating settings in EJBCA_* env vars..."
local error_code=0
# Auxiliary functions
print_validation_error() {
error "$1"
error_code=1
}
if [[ -z "$EJBCA_ADMIN_USERNAME" ]] || [[ -z "$EJBCA_ADMIN_PASSWORD" ]]; then
print_validation_error "The EJBCA administrator user's credentials are mandatory. Set the environment variables EJBCA_ADMIN_USERNAME and EJBCA_ADMIN_PASSWORD with the EJBCA administrator user's credentials."
fi
if [[ -n "$EJBCA_SERVER_CERT_FILE" ]] && [[ -z "$EJBCA_SERVER_CERT_PASSWORD" ]]; then
print_validation_error "If you indicate a Certificate file, you need to provide its password in EJBCA_SERVER_CERT_PASSWORD."
fi
if [[ -z "$EJBCA_DATABASE_HOST" ]]; then
print_validation_error "The EJBCA database host is mandatory. Set the environment variables EJBCA_DATABASE_HOST."
fi
if [[ -z "$EJBCA_DATABASE_PORT" ]]; then
print_validation_error "The EJBCA database port is mandatory. Set the environment variables EJBCA_DATABASE_PORT."
fi
if [[ -z "$EJBCA_DATABASE_USERNAME" ]]; then
print_validation_error "The EJBCA database username is mandatory. Set the environment variables EJBCA_DATABASE_USERNAME."
fi
if [[ -z "$EJBCA_DATABASE_PASSWORD" ]]; then
print_validation_error "The EJBCA database password is mandatory. Set the environment variables EJBCA_DATABASE_PASSWORD."
fi
[[ "$error_code" -eq 0 ]] || exit "$error_code"
}
########################
# Run wildfly CLI
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_wildfly_command() {
"$EJBCA_WILDFLY_BIN_DIR"/jboss-cli.sh --connect -u="$EJBCA_WILDFLY_ADMIN_USER" -p="$EJBCA_WILDFLY_ADMIN_PASSWORD" "$1"
}
########################
# Wait until wildfly is ready
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
wait_for_wildfly() {
retry_while wildfly_not_ready
}
########################
# Check if the console is not ready
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
wildfly_not_ready() {
local status
status=$(ejbca_wildfly_command ":read-attribute(name=server-state)" | grep "result")
[[ "$status" =~ "running" ]] && return 0 || return 1
}
########################
# Configure Wildfly
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_configure_wildfly() {
info "Creating data source"
ejbca_wildfly_command "data-source add --name=ejbcads --driver-name=\"mariadb-java-client-2.6.1.jar\" --connection-url=\"jdbc:mysql://${EJBCA_DATABASE_HOST}:${EJBCA_DATABASE_PORT}/${EJBCA_DATABASE_NAME}\" --jndi-name=\"java:/EjbcaDS\" --use-ccm=true --driver-class=\"org.mariadb.jdbc.Driver\" --user-name=\"${EJBCA_DATABASE_USERNAME}\" --password=\"${EJBCA_DATABASE_PASSWORD}\" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql=\"select 1;\""
ejbca_wildfly_command ":reload"
wait_for_wildfly
info "Configure WildFly Remoting"
ejbca_wildfly_command "/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)"
ejbca_wildfly_command "/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)"
ejbca_wildfly_command "/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)"
ejbca_wildfly_command "/subsystem=infinispan/cache-container=ejb:remove()"
ejbca_wildfly_command "/subsystem=infinispan/cache-container=server:remove()"
ejbca_wildfly_command "/subsystem=infinispan/cache-container=web:remove()"
ejbca_wildfly_command "/subsystem=ejb3/cache=distributable:remove()"
ejbca_wildfly_command "/subsystem=ejb3/passivation-store=infinispan:remove()"
ejbca_wildfly_command ":reload"
wait_for_wildfly
info "Configure logging"
ejbca_wildfly_command "/subsystem=logging/logger=org.ejbca:add(level=INFO)"
ejbca_wildfly_command "/subsystem=logging/logger=org.cesecore:add(level=INFO)"
info "Remove the ExampleDS DataSource"
ejbca_wildfly_command '/subsystem=ee/service=default-bindings:remove()'
ejbca_wildfly_command 'data-source remove --name=ExampleDS'
ejbca_wildfly_command ':reload'
wait_for_wildfly
info "Configure redirection"
ejbca_wildfly_command '/subsystem=undertow/server=default-server/host=default-host/location="\/":remove()'
ejbca_wildfly_command '/subsystem=undertow/configuration=handler/file=welcome-content:remove()'
ejbca_wildfly_command ':reload'
ejbca_wildfly_command '/subsystem=undertow/configuration=filter/rewrite=redirect-to-app:add(redirect=true,target="/ejbca/")'
ejbca_wildfly_command "/subsystem=undertow/server=default-server/host=default-host/filter-ref=redirect-to-app:add(predicate=\"method(GET) and not path-prefix('/ejbca/','/crls','/certificates','/.well-known/') and not equals({%{LOCAL_PORT}, 4447})\")"
ejbca_wildfly_command ':reload'
wait_for_wildfly
}
########################
# Configure wildfly https parameters
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_configure_wildfly_https() {
info "HTTP(S) Listener Configuration"
ejbca_wildfly_command "/subsystem=undertow/server=default-server/http-listener=default:remove()"
ejbca_wildfly_command "/subsystem=undertow/server=default-server/https-listener=https:remove()"
ejbca_wildfly_command "/socket-binding-group=standard-sockets/socket-binding=http:remove()"
ejbca_wildfly_command "/socket-binding-group=standard-sockets/socket-binding=https:remove()"
ejbca_wildfly_command ":reload"
wait_for_wildfly
info "Add New Interfaces and Sockets"
ejbca_wildfly_command '/interface=http:add(inet-address="0.0.0.0")'
ejbca_wildfly_command '/interface=httpspub:add(inet-address="0.0.0.0")'
ejbca_wildfly_command '/interface=httpspriv:add(inet-address="0.0.0.0")'
ejbca_wildfly_command "/socket-binding-group=standard-sockets/socket-binding=http:add(port=\"$EJBCA_HTTP_PORT_NUMBER\",interface=\"http\")"
ejbca_wildfly_command '/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")'
ejbca_wildfly_command "/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port=\"$EJBCA_HTTPS_PORT_NUMBER\",interface=\"httpspriv\")"
info "Configure TLS"
ejbca_wildfly_command "/subsystem=elytron/key-store=httpsKS:add(path=\"keystore.jks\",relative-to=jboss.server.config.dir,credential-reference={clear-text=\"$EJBCA_KEYSTORE_PASSWORD\"},type=JKS)"
ejbca_wildfly_command "/subsystem=elytron/key-store=httpsTS:add(path=\"truststore.jks\",relative-to=jboss.server.config.dir,credential-reference={clear-text=\"$EJBCA_TRUSTSTORE_PASSWORD\"},type=JKS)"
ejbca_wildfly_command "/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm=\"SunX509\",credential-reference={clear-text=\"$EJBCA_KEYSTORE_PASSWORD\"})"
ejbca_wildfly_command '/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)'
ejbca_wildfly_command '/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.2"])'
ejbca_wildfly_command '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],trust-manager=httpsTM,need-client-auth=false,authentication-optional=true,want-client-auth=true)'
info "Add HTTP(S) Listeners"
ejbca_wildfly_command '/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")'
ejbca_wildfly_command '/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)'
ejbca_wildfly_command '/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)'
ejbca_wildfly_command ':reload'
wait_for_wildfly
info "HTTP Protocol Behavior Configuration"
ejbca_wildfly_command '/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")'
ejbca_wildfly_command '/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)'
ejbca_wildfly_command '/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)'
ejbca_wildfly_command '/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)'
ejbca_wildfly_command '/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)'
ejbca_wildfly_command '/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)'
ejbca_wildfly_command '/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)'
ejbca_wildfly_command ':reload'
wait_for_wildfly
}
########################
# Start wildfly in background
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_start_wildfly_bg() {
local -r exec="$EJBCA_WILDFLY_BIN_DIR"/standalone.sh
local args=("-b" "127.0.0.1")
info "Starting wildfly..."
if ! [[ -f "$EJBCA_WILDFLY_PID_FILE" ]]; then
if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then
"${exec}" "${args[@]}" &
else
"${exec}" "${args[@]}" >/dev/null 2>&1 &
fi
fi
}
######################
# Stop wildfly
# Globals:
# None
# Arguments:
# None
# Returns:
# None
#########################
ejbca_stop_wildfly() {
info "Stopping wildfly..."
ejbca_wildfly_command ":shutdown"
}
#######################
# Create wildfly management user
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_create_management_user() {
info "Creating wildfly management user..."
"$EJBCA_WILDFLY_BIN_DIR"/add-user.sh -u "$EJBCA_WILDFLY_ADMIN_USER" -p "$EJBCA_WILDFLY_ADMIN_PASSWORD" -s
}
#######################
# Deploy package in wildfly
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_wildfly_deploy() {
deployed_file="$EJBCA_WILDFLY_DEPLOY_DIR"/$(basename "$1").deployed
if [[ ! -f "$deployed_file" ]]; then
cp "$1" "$EJBCA_WILDFLY_DEPLOY_DIR"/
retry_while "ls $deployed_file" 2>/dev/null
info "Deployment done"
else
info "Already deployed"
fi
}
########################
# Check if the console is not ready
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
database_not_ready() {
echo "select 1" | debug_execute mysql -u"$EJBCA_DATABASE_USERNAME" -p"$EJBCA_DATABASE_PASSWORD" -h"$EJBCA_DATABASE_HOST" -P"$EJBCA_DATABASE_PORT" "$EJBCA_DATABASE_NAME"
}
########################
# Check if the console is not ready
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_create_database() {
info "Creating database tables and indexes"
# Wait for the database to be ready
retry_while database_not_ready
# Create database structure
mysql -u"$EJBCA_DATABASE_USERNAME" -p"$EJBCA_DATABASE_PASSWORD" -h"$EJBCA_DATABASE_HOST" -P"$EJBCA_DATABASE_PORT" "$EJBCA_DATABASE_NAME" < "$EJBCA_DB_SCRIPT_TABLES"
mysql -u"$EJBCA_DATABASE_USERNAME" -p"$EJBCA_DATABASE_PASSWORD" -h"$EJBCA_DATABASE_HOST" -P"$EJBCA_DATABASE_PORT" "$EJBCA_DATABASE_NAME" < "$EJBCA_DB_SCRIPT_INDEXES"
}
########################
# Generate CA
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_generate_ca() {
local ejbca_ca
local existing_management_ca
local instance_hostname
local end_entity_name
local -r instance_hostname="$(hostname --fqdn)"
info "Generating CA"
ejbca_ca="$(ejbca_command ca listcas 2>&1)"
if ! grep -q 'CA Name: ' <<< "$ejbca_ca"; then
info "Init CA"
ejbca_command ca init \
--dn "CN=$EJBCA_CA_NAME,$EJBCA_BASE_DN" \
--caname "$EJBCA_CA_NAME" \
--tokenType "soft" \
--tokenPass "null" \
--keytype "RSA" \
--keyspec "3072" \
-v "3652" \
--policy "null" \
-s "SHA256WithRSA" \
-type "x509"
info "Add superadmin user"
ejbca_command ra addendentity \
--username "$EJBCA_ADMIN_USERNAME" \
--dn "\"CN=SuperAdmin,$EJBCA_BASE_DN\"" \
--caname "$EJBCA_CA_NAME" \
--type 1 \
--token P12 \
--password "$EJBCA_ADMIN_PASSWORD"
fi
ejbca_ca="$(ejbca_command ca listcas 2>&1)"
if grep -q "CA Name: $EJBCA_CA_NAME" <<< "$ejbca_ca"; then
existing_management_ca="$(grep "CA Name: $EJBCA_CA_NAME" <<< "$ejbca_ca" | sed 's/.*CA Name: //g')"
if [[ "$existing_management_ca" == "$EJBCA_CA_NAME" ]]; then
end_entity_name="$instance_hostname"
if [ "$instance_hostname" == "ejbca" ]; then
# Avoid conflicts with the default EJBCA EJB CLI end entity "ejbca"
end_entity_name="ejbca-instance-tls"
fi
info "Add RA Entity"
ejbca_command ra addendentity \
--username "$end_entity_name" \
--dn "\"CN=$instance_hostname,$EJBCA_BASE_DN\"" \
--caname "$EJBCA_CA_NAME" \
--type 1 \
--token JKS \
--password "$EJBCA_KEYSTORE_PASSWORD" \
--altname "dnsName=$instance_hostname" \
--certprofile SERVER
info "Set RA status to new"
ejbca_command ra setendentitystatus \
--username "$end_entity_name" \
-S 10
info "Set RA entity password"
ejbca_command ra setclearpwd \
--username "$end_entity_name" \
--password "$EJBCA_KEYSTORE_PASSWORD"
info "Export entity certificate"
ejbca_command batch \
--username "$end_entity_name" \
-dir "$EJBCA_TMP_DIR/"
mv "$EJBCA_TMP_DIR/$end_entity_name.jks" "$EJBCA_TEMP_KEYSTORE_FILE"
ejbca_command roles addrolemember \
--namespace "" \
--role "Super Administrator Role" \
--caname "$EJBCA_CA_NAME" \
--with "CertificateAuthenticationToken:WITH_COMMONNAME" \
--value "SuperAdmin" \
--description "Initial RoleMember."
fi
fi
}
########################
# EJBCA CLI
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_command() {
"$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
}
########################
# Keytool wrapper
# Globals:
# None
# Arguments:
# None
# Returns:
# None
#########################
ejbca_keytool_command() {
keytool "$@" 2>&1
}
########################
# Generate keystores
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_create_truststore() {
local line
local ejbca_ca
local ca_list
info "Load the CAs in the trustkeystore"
ejbca_ca="$(ejbca_command ca listcas 2>&1)"
if grep -q 'CA Name: ' <<< "$ejbca_ca"; then
ca_list=($(grep 'CA Name: ' <<< "$ejbca_ca" | sed 's/.*CA Name: //g'))
for line in "${ca_list[@]}"; do
ejbca_command ca getcacert \
--caname "$line" \
-f "$EJBCA_TEMP_CERT" \
-der
if [ -f "$EJBCA_TEMP_CERT" ] ; then
ejbca_keytool_command -alias "$line" \
-import -trustcacerts \
-file "$EJBCA_TEMP_CERT" \
-keystore "$EJBCA_TEMP_TRUSTSTORE_FILE" \
-storepass "$EJBCA_TRUSTSTORE_PASSWORD" \
-noprompt
rm "$EJBCA_TEMP_CERT"
fi
done
fi
}
########################
# Generate keystores
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_persist_keystores() {
info "Persisting keystores"
# Persist keystores and passwords
mv "$EJBCA_TEMP_TRUSTSTORE_FILE" "$EJBCA_TRUSTSTORE_FILE"
mv "$EJBCA_TEMP_KEYSTORE_FILE" "$EJBCA_KEYSTORE_FILE"
echo "$EJBCA_KEYSTORE_PASSWORD" > "$EJBCA_KEYSTORE_PASSWORD_FILE"
echo "$EJBCA_TRUSTSTORE_PASSWORD" > "$EJBCA_TRUSTSTORE_PASSWORD_FILE"
# Provide keystores to wildfly
ln -s "$EJBCA_TRUSTSTORE_FILE" "$EJBCA_WILDFLY_TRUSTSTORE_FILE"
ln -s "$EJBCA_KEYSTORE_FILE" "$EJBCA_WILDFLY_KEYSTORE_FILE"
}
########################
# Check if there is data persisted
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_is_persisted() {
[[ -f "$EJBCA_TRUSTSTORE_FILE" ]] && [[ -f "$EJBCA_KEYSTORE_FILE" ]] && [[ -f "$EJBCA_TRUSTSTORE_PASSWORD_FILE" ]] && [[ -f "$EJBCA_KEYSTORE_PASSWORD_FILE" ]]
}
########################
# Load persisted passwords
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_load_persisted() {
read -r EJBCA_KEYSTORE_PASSWORD < "$EJBCA_KEYSTORE_PASSWORD_FILE"
read -r EJBCA_TRUSTSTORE_PASSWORD < "$EJBCA_TRUSTSTORE_PASSWORD_FILE"
info "Using persisted server TLS keystore"
ejbca_keytool_command -importkeystore -noprompt \
-srckeystore "$EJBCA_KEYSTORE_FILE" \
-srcstorepass "$EJBCA_KEYSTORE_PASSWORD" \
-destkeystore "$EJBCA_TEMP_KEYSTORE_FILE" \
-deststorepass "$EJBCA_KEYSTORE_PASSWORD" \
-deststoretype jks
}
########################
# Ensure EJBCA is initialized
# Globals:
# EJBCA_*
# Arguments:
# None
# Returns:
# None
#########################
ejbca_initialize() {
info "Initializing EJBCA..."
# Configuring permissions for tmp, logs and data folders
am_i_root && configure_permissions_ownership "$EJBCA_TMP_DIR $EJBCA_LOG_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
am_i_root && configure_permissions_ownership "$EJBCA_DATA_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP" -d "755" -f "644"
ensure_dir_exists "$EJBCA_DATA_DIR"
if [[ -f "$EJBCA_TEMP_KEYSTORE_FILE" ]]; then rm -f "$EJBCA_TEMP_KEYSTORE_FILE" ; fi
if [[ -f "$EJBCA_TEMP_TRUSTSTORE_FILE" ]]; then rm -f "$EJBCA_TEMP_TRUSTSTORE_FILE" ; fi
# Check if external keystore
if [[ -f "$EJBCA_SERVER_CERT_FILE" && -n "$EJBCA_SERVER_CERT_PASSWORD" ]]; then
info "Using provided server TLS keystore"
ejbca_keytool_command -importkeystore -noprompt \
-srckeystore "$EJBCA_SERVER_CERT_FILE" \
-srcstorepass "$EJBCA_SERVER_CERT_PASSWORD" \
-destkeystore "$EJBCA_TEMP_KEYSTORE_FILE" \
-deststorepass "$EJBCA_KEYSTORE_PASSWORD" \
-deststoretype jks
fi
# Generate random passwords
EJBCA_TRUSTSTORE_PASSWORD="${EJBCA_TRUSTSTORE_PASSWORD:-$(generate_random_string -t alphanumeric)}"
export EJBCA_TRUSTSTORE_PASSWORD
EJBCA_KEYSTORE_PASSWORD="${EJBCA_TRUSTSTORE_PASSWORD:-$(generate_random_string -t alphanumeric)}"
export EJBCA_KEYSTORE_PASSWORD
EJBCA_WILDFLY_ADMIN_PASSWORD="${EJBCA_TRUSTSTORE_PASSWORD:-$(generate_random_string -t alphanumeric)}"
export EJBCA_WILDFLY_ADMIN_PASSWORD
EJBCA_BASE_DN="${EJBCA_BASE_DN:-O=Example CA,C=SE,UID=c-$(generate_random_string -t alphanumeric)}"
export EJBCA_BASE_DN
if ! ejbca_is_persisted; then
info "Deploying EJBCA from scratch..."
ejbca_create_database
ejbca_create_management_user
ejbca_start_wildfly_bg
wait_for_wildfly
ejbca_configure_wildfly
info "Deploying EJBCA application"
ejbca_wildfly_deploy "$EJBCA_EAR_FILE"
ejbca_generate_ca
ejbca_create_truststore
ejbca_persist_keystores
ejbca_configure_wildfly_https
ejbca_stop_wildfly
else
info "Persisted data detected"
ejbca_load_persisted
fi
}

234
bitnami/ejbca/README.md Normal file
View File

@ -0,0 +1,234 @@
# What is EJBCA?
> [EJBCA](https://www.ejbca.org/) is a free software public key infrastructure certificate authority software package.
# TL;DR;
```console
$ docker run --name ejbca bitnami/ejbca:latest
```
## Docker Compose
```console
$ curl -sSL https://raw.githubusercontent.com/bitnami/bitnami-docker-ejbca/master/docker-compose.yml > docker-compose.yml
$ docker-compose up -d
```
# Why use Bitnami Images?
* Bitnami closely tracks upstream source changes and promptly publishes new versions of this image using our automated systems.
* With Bitnami images the latest bug fixes and features are available as soon as possible.
* Bitnami containers, virtual machines and cloud images use the same components and configuration approach - making it easy to switch between formats based on your project needs.
* All our images are based on [minideb](https://github.com/bitnami/minideb) a minimalist Debian based container image which gives you a small base container image and the familiarity of a leading linux distribution.
* All Bitnami images available in Docker Hub are signed with [Docker Content Trust (DTC)](https://docs.docker.com/engine/security/trust/content_trust/). You can use `DOCKER_CONTENT_TRUST=1` to verify the integrity of the images.
* Bitnami container images are released daily with the latest distribution packages available.
> This [CVE scan report](https://quay.io/repository/bitnami/ejbca?tab=tags) contains a security report with all open CVEs. To get the list of actionable security issues, find the "latest" tag, click the vulnerability report link under the corresponding "Security scan" field and then select the "Only show fixable" filter on the next page.
# Why use a non-root container?
Non-root container images add an extra layer of security and are generally recommended for production environments. However, because they run as a non-root user, privileged tasks are typically off-limits. Learn more about non-root containers [in our docs](https://docs.bitnami.com/containers/how-to/work-with-non-root-containers/).
# Supported tags and respective `Dockerfile` links
Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/).
* [`6-debian-10`, `6.15.2-6-debian-10-r1`, `6`, `6.15.2-6`, `latest` (6/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-ejbca/blob/6.15.2-6-debian-10-r1/6/debian-10/Dockerfile)
Subscribe to project updates by watching the [bitnami/ejbca GitHub repo](https://github.com/bitnami/bitnami-docker-ejbca).
# Get this image
The recommended way to get the Bitnami EJBCA Docker Image is to pull the prebuilt image from the [Docker Hub Registry](https://hub.docker.com/r/bitnami/ejbca).
```console
$ docker pull bitnami/ejbca:latest
```
To use a specific version, you can pull a versioned tag. You can view the [list of available versions](https://hub.docker.com/r/bitnami/ejbca/tags/) in the Docker Hub Registry.
```console
$ docker pull bitnami/ejbca:[TAG]
```
If you wish, you can also build the image yourself.
```console
$ docker build -t bitnami/ejbca:latest 'https://github.com/bitnami/bitnami-docker-ejbca.git#master:6/debian-10'
```
# How to use this image
EJBCA requires access to a MySQL or MariaDB database to store information. We'll use our very own [MariaDB image](https://www.github.com/bitnami/bitnami-docker-mariadb) for the database requirements.
## Run the application using Docker Compose
The main folder of this repository contains a functional [`docker-compose.yml`](https://github.com/bitnami/bitnami-docker-ejbca/blob/master/docker-compose.yml) file. Run the application using it as shown below:
```console
$ curl -sSL https://raw.githubusercontent.com/bitnami/bitnami-docker-ejbca/master/docker-compose.yml > docker-compose.yml
$ docker-compose up -d
```
## Using the Docker Command Line
If you want to run the application manually instead of using `docker-compose`, these are the basic steps you need to run:
### Step 1: Create a network
```console
$ docker network create ejbca-network
```
### Step 2: Create a volume for MariaDB persistence and create a MariaDB container
```console
$ docker volume create --name mariadb_data
$ docker run -d --name mariadb \
--env ALLOW_EMPTY_PASSWORD=yes \
--env MARIADB_USER=bn_ejbca \
--env MARIADB_PASSWORD=Bitnami1234 \
--env MARIADB_DATABASE=bitnami_ejbca \
--network ejbca-network \
--volume mariadb_data:/bitnami/mariadb \
bitnami/mariadb:latest
```
### Step 3: Create volumes for EJBCA persistence and launch the container
```console
$ docker volume create --name ejbca_data
$ docker run -d --name ejbca \
-p 8080:8080 -p 8443:8443 \
--env ALLOW_EMPTY_PASSWORD=yes \
--env EJBCA_DATABASE_USERNAME=bn_ejbca \
--env EJBCA_DATABASE_PASSWORD=Bitnami1234 \
--env EJBCA_DATABASE_HOST=mariadb \
--env EJBCA_DATABASE_NAME=bitnami_ejbca \
--network ejbca-network \
--volume ejbca_data:/bitnami/ejbca \
bitnami/ejbca:latest
```
Access your application at http://your-ip:8080/ejbca/
# Persisting your application
If you remove the container all your data will be lost, and the next time you run the image the database will be reinitialized. To avoid this loss of data, you should mount a volume that will persist even after the container is removed.
For persistence you should mount a directory at the `/bitnami/ejbca` path. If the mounted directory is empty, it will be initialized on the first run.
```console
$ docker run \
-v /path/to/ejbca-persistence:/bitnami/ejbca \
bitnami/ejbca:latest
```
You can also do this with a minor change to the [`docker-compose.yml`](https://github.com/bitnami/bitnami-docker-ejbca/blob/master/docker-compose.yml) file present in this repository:
```diff
ejbca:
...
volumes:
- - 'ejbca_data:/bitnami/ejbca'
+ - /path/to/ejbca-persistence:/bitnami/ejbca
...
-volumes:
- ejbca_data:
- driver: local
```
# Configuration
The EJBCA instance can be customized by specifying environment variables on the first run. The following environment variables are available:
- `EJBCA_HTTP_PORT_NUMBER`: HTTP port number. Defaults to `8080`.
- `EJBCA_HTTPS_PORT_NUMBER`: HTTPS port number. Default to `8443`.
- `EJBCA_ADMIN_USERNAME`: EJBCA administrator username. Defaults to `superadmin`.
- `EJBCA_ADMIN_PASSWORD`: EJBCA administrator password. Defaults to `Bitnami1234`.
- `EJBCA_DATABASE_HOST`: Database hostname. No defaults.
- `EJBCA_DATABASE_PORT`: Database port name. Defaults to `3306`.
- `EJBCA_DATABASE_NAME`: Database name. No defaults.
- `EJBCA_DATABASE_USERNAME`: Database username. No defaults.
- `EJBCA_DATABASE_PASSWORD`: Database password. No defaults.
- `EJBCA_BASE_DN`: Base DN for the CA. Defaults to `O=Example CA,C=SE,UID=c-XXXXXXX`, where `XXXXXXX` is a random generated ID.
- `EJBCA_CA_NAME`: CA Name. Defaults to `ManagementCA`
- `JAVA_OPTS`: Java options. Defaults to `-Xms2048m -Xmx2048m -XX:MetaspaceSize=192M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Dhibernate.dialect=org.hibernate.dialect.MySQL5Dialect -Dhibernate.dialect.storage_engine=innodb`.
- `EJBCA_SERVER_CERT_FILE`: User provided keystore file. No defaults.
- `EJBCA_SERVER_CERT_PASSWORD`: User provided keystore file password. No defaults.
# Logging
The Bitnami EJBCA Docker image sends the container logs to `stdout`. To view the logs:
```console
$ docker logs ejbca
```
You can configure the containers [logging driver](https://docs.docker.com/engine/admin/logging/overview/) using the `--log-driver` option if you wish to consume the container logs differently. In the default configuration docker uses the `json-file` driver.
# Maintenance
## Upgrade this image
Bitnami provides up-to-date versions of EJBCA, including security patches, soon after they are made upstream. We recommend that you follow these steps to upgrade your container.
### Step 1: Get the updated image
```console
$ docker pull bitnami/ejbca:latest
```
### Step 2: Stop the running container
Stop the currently running container using the command
```console
$ docker stop ejbca
```
### Step 3: Remove the currently running container
```console
$ docker rm -v ejbca
```
### Step 4: Run the new image
Re-create your container from the new image.
```console
$ docker run --name ejbca bitnami/ejbca:latest
```
# Contributing
We'd love for you to contribute to this container. You can request new features by creating an [issue](https://github.com/bitnami/bitnami-docker-ejbca/issues), or submit a [pull request](https://github.com/bitnami/bitnami-docker-ejbca/pulls) with your contribution.
# Issues
If you encountered a problem running this container, you can file an [issue](https://github.com/bitnami/bitnami-docker-ejbca/issues). For us to provide better support, be sure to include the following information in your issue:
- Host OS and version
- Docker version (`docker version`)
- Output of `docker info`
- Version of this container
- The command you used to run the container, and any relevant output you saw (masking any sensitive information)
# License
Copyright (c) 2020 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

28
bitnami/ejbca/docker-compose.yml Normal file
View File

@ -0,0 +1,28 @@
version: '2'
services:
mariadb:
image: 'docker.io/bitnami/mariadb:10.3-debian-10'
volumes:
- 'mariadb_data:/bitnami/mariadb'
environment:
- ALLOW_EMPTY_PASSWORD=yes
- MARIADB_USER=bn_ejbca
- MARIADB_DATABASE=bitnami_ejbca
- MARIADB_PASSWORD=Bitnami1234
ejbca:
image: 'docker.io/bitnami/ejbca:6-debian-10'
ports:
- 8080:8080
- 8443:8443
volumes:
- 'ejbca_data:/bitnami/ejbca'
environment:
- EJBCA_DATABASE_HOST=mariadb
- EJBCA_DATABASE_NAME=bitnami_ejbca
- EJBCA_DATABASE_USERNAME=bn_ejbca
- EJBCA_DATABASE_PASSWORD=Bitnami1234
volumes:
mariadb_data:
driver: local
ejbca_data:
driver: local