modules/roles/files/static-mirroring/staticsync-ssh-wrap

   1 #!/bin/bash
   2
   3 # Copyright (c) 2009, 2010, 2012 Peter Palfrader
   4 #
   5 # Permission is hereby granted, free of charge, to any person obtaining
   6 # a copy of this software and associated documentation files (the
   7 # "Software"), to deal in the Software without restriction, including
   8 # without limitation the rights to use, copy, modify, merge, publish,
   9 # distribute, sublicense, and/or sell copies of the Software, and to
  10 # permit persons to whom the Software is furnished to do so, subject to
  11 # the following conditions:
  12 #
  13 # The above copyright notice and this permission notice shall be
  14 # included in all copies or substantial portions of the Software.
  15 #
  16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  17 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  18 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  19 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
  20 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
  21 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  22 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  23
  24 set -e
  25 set -u
  26
  27 . /etc/staticsync.conf
  28 if ! [ -n "$base" ]; then
  29   echo >&2 "base not configured!"
  30   exit 1
  31 fi
  32 BASEDIR="$base"
  33
  34 MYLOGNAME="`basename "$0"`[$$]"
  35 COMPONENTLIST=/etc/static-components.conf
  36
  37 usage() {
  38         echo "local Usage: $0 <host>"
  39         echo "via ssh orig command:"
  40         echo "                      mirror <component> <serial>"
  41         echo "                      rsync <stuff>"
  42         echo "                      static-master-update-component <component>"
  43 }
  44
  45 one_more_arg() {
  46         if [ "$#" -lt 1 ]; then
  47                 usage >&2
  48                 exit 1
  49         fi
  50 }
  51
  52 info() {
  53         logger -p daemon.info -t "$MYLOGNAME" "$1"
  54 }
  55
  56 croak() {
  57         logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
  58         exit 1
  59 }
  60
  61 do_mirror() {
  62         local remote_host="$1"; shift
  63         one_more_arg "$@"
  64         local component="$1"; shift
  65         one_more_arg "$@"
  66         local serial="$1"; shift
  67
  68         masterhost="$(awk -v component="$component" '!/^ *(#|$)/ && $2 == component {print $1; exit}' "$COMPONENTLIST")"
  69         if [ -z "$masterhost" ]; then
  70                 croak "Did not find master for component $component."
  71         elif [ "$masterhost" != "$remote_host" ]; then
  72                 croak "$remote_host is not master for $component."
  73         else
  74                 info "Host $remote_host triggered a mirror run for $component, serial $serial"
  75                 exec /usr/local/bin/static-mirror-run "$BASEDIR/mirrors/$component" "$remote_host:$component/-new-" "$serial"
  76                 echo >&2 "Exec failed"
  77                 croak "exec failed"
  78         fi
  79 }
  80
  81 do_rsync_on_master() {
  82         local remote_host="$1"; shift
  83         local allowed_rsyncs
  84         allowed_rsyncs=()
  85         allowed_rsyncs+=("--server --sender -vlHtrze.iLsf --safe-links .") # wheezy
  86         allowed_rsyncs+=("--server --sender -vlHtrze.iLsfx --safe-links .") # jessie
  87         allowed_rsyncs+=("--server --sender -vlHtrze.iLsfxC --safe-links .") # stretch
  88
  89         for cmd_idx in ${!allowed_rsyncs[*]}; do
  90                 args="${allowed_rsyncs[$cmd_idx]}"
  91                 for component in $(awk -v this_host="$(hostname -f)" '!/^ *(#|$)/ && $1 == this_host {print $2}' $COMPONENTLIST); do
  92                         if [ "$*" = "$args $component/-new-/" ] || [ "$*" = "$args ./$component/-new-/" ] ; then
  93                                 local path="$BASEDIR/master/$component-current-push"
  94                                 info "serving $remote_host with $path"
  95                                 exec rsync $args "$path/."
  96                                 croak "Exec failed"
  97                         elif [ "$*" = "$args $component/-live-/" ] || [ "$*" = "$args ./$component/-live-/" ] ; then
  98                                 local path="$BASEDIR/master/$component-current-live"
  99                                 info "host $remote_host wants $path, acquiring lock"
 100                                 tgtlock="$BASEDIR/master/$component.lock"
 101                                 if ! [ -e "$tgtlock" ]; then
 102                                         touch "$tgtlock"
 103                                 fi
 104                                 exec 200< "$tgtlock"
 105                                 if ! flock -s -w 0 200; then
 106                                 echo >&2 "Cannot acquire shared lock on $tgtlock covering $path - this should mean an update is already underway anyway."
 107                                 exit 1
 108                                 fi
 109                                 exec rsync $args "$path/."
 110                                 croak "Exec failed"
 111                         fi
 112                 done
 113         done
 114 }
 115
 116 do_rsync_on_source() {
 117         local remote_host="$1"
 118         shift
 119
 120         local allowed_rsyncs
 121         allowed_rsyncs=()
 122
 123         if [ -e "$COMPONENTLIST" ]; then
 124                 for path in $(awk -v host="$(hostname -f)" '!/^ *(#|$)/ && $3 == host {print $4}' $COMPONENTLIST); do
 125                         allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.") # wheezy
 126                         allowed_rsyncs+=("--server --sender -lHtrze.iLsfx --safe-links . $path/.") # jessie
 127                         allowed_rsyncs+=("--server --sender -lHtrze.iLsfxC --safe-links . $path/.") # stretch
 128                 done
 129         fi
 130         for cmd_idx in ${!allowed_rsyncs[*]}; do
 131                 allowed="${allowed_rsyncs[$cmd_idx]}"
 132                 if [ "$*" = "$allowed" ]; then
 133                         info "Running for host $remote_host: rsync $*"
 134                         exec rsync "$@"
 135                         croak "Exec failed"
 136                 fi
 137         done
 138 }
 139
 140 do_rsync() {
 141         do_rsync_on_master "$@"
 142         do_rsync_on_source "$@"
 143
 144         info "NOT allowed for $remote_host: rsync $*"
 145         echo >&2 "This rsync command ($@) not allowed."
 146         exit 1
 147 }
 148
 149 do_update_component() {
 150         local remote_host="$1"; shift
 151
 152         one_more_arg "$@"
 153         component="$1"
 154         shift
 155
 156         hit="$(
 157                 awk -v this_host="$(hostname -f)" -v component="$component" -v host="$remote_host" '
 158                         !/^ *(#|$)/ && $1 == this_host && $2 == component {
 159                                 if ($3 == host) {
 160                                         print $4
 161                                         exit
 162                                 }
 163                                 split($5,extra,",")
 164                                 for (i in extra) {
 165                                         if (host == extra[i]) {
 166                                                 printf "%s:%s\n", $3, $4
 167                                                 exit
 168                                         }
 169                                 }
 170                                 exit
 171                         }' "$COMPONENTLIST"
 172                 )"
 173         if [ -n "$hit" ]; then
 174                 exec static-master-update-component "$component"
 175                 echo >&2 "Exec failed"
 176                 croak "exec failed"
 177         else
 178                 info "Not whitelisted: $remote_host update $component"
 179                 echo >&2 "Not whitelisted: $remote_host update $component"
 180                 exit 1
 181         fi
 182 }
 183
 184
 185 if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
 186         usage
 187         exit 0
 188 fi
 189
 190 one_more_arg "$@"
 191 remote_host="$1"
 192 shift
 193
 194
 195 # check/parse remote command line
 196 if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
 197         croak "Did not find SSH_ORIGINAL_COMMAND"
 198 fi
 199 set "dummy" ${SSH_ORIGINAL_COMMAND}
 200 shift
 201
 202 info "host $remote_host called with $*"
 203
 204 one_more_arg "$@"
 205 action="$1"
 206 shift
 207
 208 case "$action" in
 209         # on a static mirror, update a component from its master
 210         mirror)
 211                 do_mirror "$remote_host" "$@"
 212                 ;;
 213         # on a static source, allow fetching from the master,
 214         # on a master, allow fetching from a component's mirrors
 215         rsync)
 216                 do_rsync "$remote_host" "$@"
 217                 ;;
 218         # on a master, initiate an update of a component
 219         static-master-update-component)
 220                 do_update_component "$remote_host" "$@"
 221                 ;;
 222         *)
 223                 croak "Invalid operation '$action'"
 224                 ;;
 225 esac