Gitiles
Code Review Sign In
www.giggi.me / tod / b52d6d21eee4868f573b902226f209a98eaaddcc / . / module / mysql / module.sh
blob: 11215bd113b66a46b1a0150a4b8d46a528c8cae8 [file] [log] [blame]
Luigi Santivettib52d6d22020-05-18 00:56:27 +0100[diff] [blame^]1#!/bin/bash
2#
3# module.sh - mysql
4#
5# Copyright 2019 Luigi Santivetti <luigi.santivetti@gmail.com>
6
7# Permission is hereby granted, free of charge, to any person obtaining a
8# copy of this software and associated documentation files (the "Software"),
9# to deal in the Software without restriction, including without limitation
10# the rights to use, copy, modify, merge, publish, distribute, sublicense,
11# and/or sell copies of the Software, and to permit persons to whom the
12# Software is furnished to do so, subject to the following conditions:
13
14# The above copyright notice and this permission notice (including the next
15# paragraph) shall be included in all copies or substantial portions of the
16# Software.
17
18# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21# ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
22# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24
25declare -r module="mysql"
26source $common_sh
27
28module_enable $module
29
30declare -r etc_d="$mod_rootfs_d/etc"
31declare -r initdb_d="$mod_docker_d"
32declare -r var_d="$mod_rootfs_d/var"
33
34declare -r mycnf_d="$etc_d/mysql"
35declare -r mysql_d="$var_d/lib/mysql"
36declare -r log_d="$var_d/log/mysql"
37
38declare -ir mysql_uid="999"
39
40declare -ir mysql_has_dummy_certs=1
41if [ $mysql_has_dummy_certs -eq 1 ]; then
42 declare -r certificates_d="$mod_staging_d/${module}_dummy_cert"
43 declare -r ca_key_f="$certificates_d/${module}_dummy-ca-key.pem"
44 declare -r ca_f="$certificates_d/${module}_dummy-ca.pem"
45
46 declare -r server_key_f="$certificates_d/${module}_dummy-server-key.pem"
47 declare -r server_req_f="$certificates_d/${module}_dummy-server-req.pem"
48 declare -r server_cert_f="$certificates_d/${module}_dummy-server-cert.pem"
49
50 declare -r client_key_f="$certificates_d/${module}_dummy-client-key.pem"
51 declare -r client_req_f="$certificates_d/${module}_dummy-client-req.pem"
52 declare -r client_cert_f="$certificates_d/${module}_dummy-client-cert.pem"
53
54 # Dup ca to avoid bind mounting the same file twice
55 declare -r ca_dup_f="$certificates_d/${module}_dummy-ca-dup.pem"
56else
57 lets -l -e "official CA certificates not supported"
58 exit 1
59fi
60declare -r certificates_l="$etc_d/mysql_ssl"
61
62# Output files
63declare -r dockerfile="Dockerfile"
64declare -r dockerfile_f="$mod_docker_d/$dockerfile"
65declare -r initdb_f="$initdb_d/initdb.sql"
66declare -r mycnf_f="$mycnf_d/my.cnf"
67declare -r log_error_f="$log_d/error.txt"
68declare -r log_general_f="$log_d/general.txt"
69declare -r log_query_f="$log_d/query.txt"
70declare -r mysql_cli_bang_f="$mod_docker_d/mysql-cli.sh"
71
72declare -ar mod_more_dirs=( \
73 $etc_d $initdb_d $var_d $mycnf_d $log_d $mysql_d \
74)
75
76declare -ar mod_more_files=( $mycnf_f $initdb_f $dockerfile_f $mysql_cli_bang_f )
77declare -ar mod_more_trefs=( mycnf_t initdb_t dockerfile_t mysql_cli_bang_t )
78
79function tod_watch
80{
81 __watch_module_common || return $s_err
82}
83
84function tod_doins
85{
86 __doins_module_common || return $s_err
87 __mysql_do_log_files || return $s_err
88
89 # Use certificates provided by Apache
90 __mysql_do_dummy_cert || return $s_err
91 __mysql_do_links || return $s_err
92}
93
94function tod_clins
95{
96 __clins_module_common || return $s_err
97 __mysql_undo_log_files || return $s_err
98}
99
100function tod_upins
101{
102 __upins_module_common || return $s_err
103
104 # Use ceritificates provided by Apache
105 __mysql_do_dummy_cert || return $s_err
106}
107
108function tod_doall
109{
110 tod_doins
111}
112
113function tod_upall
114{
115 tod_upins
116}
117
118function __mysql_do_dummy_cert_helper
119{
120 # Credits:
121 # https://techsparx.com/software-development/docker/damp/mysql-ssl-connection.html
122
123 local -r OPENSSL_SUBJ="/C=US/ST=Utopia/L=Neverland"
124 local -r OPENSSL_CA="${OPENSSL_SUBJ}/CN=dummy-CA"
125 local -r OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=dummy-server"
126 local -r OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=dummy-client"
127
128 # Generate new CA certificate ca.pem file.
129 openssl genrsa 2048 > $ca_key_f
130
131 # TODO This has interaction that must be automated
132 openssl req -new -x509 -nodes -days 3600 \
133 -subj "${OPENSSL_CA}" \
134 -key $ca_key_f -out $ca_f
135
136 # Create the server-side certificates
137 # This has more interaction that must be automated
138
139 openssl req -newkey rsa:2048 -days 3600 -nodes \
140 -subj "${OPENSSL_SERVER}" \
141 -keyout $server_key_f -out $server_req_f
142 openssl rsa -in $server_key_f -out $server_key_f
143
144 openssl x509 -req -in $server_req_f -days 3600 \
145 -CA $ca_f -CAkey $ca_key_f -set_serial 01 -out $server_cert_f
146
147 # Create the client-side certificates
148 openssl req -newkey rsa:2048 -days 3600 -nodes \
149 -subj "${OPENSSL_CLIENT}" \
150 -keyout $client_key_f -out $client_req_f
151 openssl rsa -in $client_key_f -out $client_key_f
152
153 openssl x509 -req -in $client_req_f -days 3600 \
154 -CA $ca_f -CAkey $ca_key_f -set_serial 01 -out $client_cert_f
155
156 # Verify the certificates are correct
157 openssl verify -CAfile \
158 $ca_f $server_cert_f $client_cert_f || return $s_err
159
160 # Duplicate ca as it needs to be mounted client side
161 cp -ar $ca_f $ca_dup_f
162
163 set_mode "0644" $mysql_uid \
164 $ca_f $ca_dup_f \
165 $server_key_f $server_req_f $server_cert_f \
166 $client_key_f $client_req_f $client_cert_f || return $s_err
167
168 set_mode "0600" $mysql_uid $ca_key_f || return $s_err
169}
170
171function __mysql_do_dummy_cert
172{
173 if [ $mysql_has_dummy_certs -eq 1 ]; then
174 if [ ! -d $certificates_d ]; then
175 mkdir -p $certificates_d && \
176 pushd $certificates_d >/dev/null || return $s_err
177 __mysql_do_dummy_cert_helper 2>&1 | lets -l -x "openssl"
178 case "${PIPESTATUS[0]}" in
179 $s_err ) lets -l -e "failed to make dummy certificates"
180 popd >/dev/null; return $s_err ;;
181 esac
182 popd >/dev/null
183 fi
184 fi;
185
186 lets -l -i "$module SSL cert from: ${certificates_d#$script_dir/}"
187 return $s_ok
188}
189
190function __mysql_do_links
191{
192 # NOTE: container path must match localhost path
193 #
194 # i.e.
195 # localhost:/etc container:/etc OK
196 # localhost:/home/luigi container:/home/??? NOT OK
197 #
198 ln -sf "${certificates_d}" "${certificates_l}"
199}
200
201function __mysql_do_log_files
202{
203 sudo touch $log_error_f $log_general_f $log_query_f || {
204 lets -l -e "failed to touch log files"; return $s_err
205 }
206
207 set_mode "0755" $mysql_uid $log_d || {
208 lets -l -e "failed to set mode $log_d"; return $s_err
209 }
210
211 set_mode "0644" $mysql_uid $log_error_f $log_general_f $log_query_f || {
212 lets -l -e "failed to set mode log files"; return $s_err
213 }
214}
215
216function __mysql_undo_log_files
217{
218 sudo rm -f $log_error_f $log_general_f $log_query_f || {
219 lets -l -e "failed remove log files"; return $s_err
220 }
221
222 __mysql_do_log_files
223}