tdeploy · executable file · 2763 lines (2070 loc) · 74.5 KB
#!/bin/sh
#
# tdeploy
#
# A 3rd party shell script to help you deploy and update teleport nodes
#
# This script can:
# * Create a setup package for provisioning the teleport service onto new nodes
# * Install the teleport service on new teleport nodes if they are setup for ssh
# * Update teleport service on existing teleport nodes within your infrastructure
# * Remove the teleport service from existing nodes within your infrastructure
#
# "tdeploy --help" for more information
#
# (2019) dreamcat4@gmail.com
# Public Domain, and Apache v2.0 license
#
# Testing:
#
# The original version has been tested to work well on ubuntu linux based distributions.
# For the following package types: deb, binary, sh, tarball. And systemd only.
#
# Further work and provisions have been made for supporting other package types and also
# additional service managers other than systemd. For example: rpm, macos_pkg, snap,
# launchd, sysv, upstart, runit. Plus a few others. However expect those untested platforms
# not to work OOB. A little further work is required to get those other formats to work
# properly and as intended. Until then, they will likely throw an error - PRs welcome.
#
#
_program="$(basename "$0")"
_program_folder="$(dirname "$0")"
if [ "$TDEPLOY_CONFIG" ]; then
_tdeploy_config="$TDEPLOY_CONFIG"
else
_tdeploy_config="${HOME}/.tsh/${_program}.config"
fi
# Do not directly tweak the settings below this line. If you need to change them, first run
# "tdeploy --settings" to generate a config file in your home folder, and override them there.
# ___MARK___tdeploy_settings_begin___DO_NOT_REMOVE_THIS_LINE___
# ======================================================
# tdeploy.config
# ======================================================
# uncomment those settings which you wish to override
# ======================================================
# set the default package type. "binary" is recommended, it requires the tool makeself.sh
_pkg_type_default="binary"
# packaging style
# debian = follow the debian packaging guidelines
# self = self contained, everything under the same folder
# linkself = self-contained, but also symlink outside the teleport folder to create
# presence of them in system wide locations, to be debian compatible
# "debian" or "linkself" for the pkg to be able to install and start teleport as a daemon
_pkg_style_default="debian"
# _pkg_style_default="self"
# _pkg_style_default="linkself"
# The "description", "maintainer", and "arch" metadata fields, passed into the "fpm" tool when creating packages
_pkg_description="gravitational/teleport (golang). Modern privilege-based access management for your infrastructure."
_pkg_maintainer="info@gravitational.com"
_arch="x86_64"
_pkg_name="teleport"
# when the packaging tool is not "fpm", the filename generated will start "teleport-setup"
_setup_name="${_pkg_name}-setup"
# change this if you are building executables from a different fork
_go_src_address="github.com/gravitational/teleport"
# we assume you have a valid GOPATH and go development environment already setup, for compiling
_teleport_src_path="${GOPATH}/src/${_go_src_address}"
_teleport_build="${_teleport_src_path}/build"
# this setting just finds the local host's teleport.yaml file, whilst performing admin operations
# this is NOT the config file used for making the installer package's default "teleport.yaml" file,
# for that look further down, in the shell script helper function "_cat_teleport_yaml()"
_teleport_config_search_paths="/etc /var/lib/teleport ${HOME}/.config/teleport ${HOME}/.teleport"
# these 2 settings decide whether to append a token expiry date to the filename of the generated package
# a token expiry date is only relevant when using the "--install" and "--with-token" flags
# unset _tsetup_include_expiry
_tsetup_include_expiry="true"
_expiry_seperator="__"
# # the target installation folder
# _teleport_prefix="/root"
# _teleport_dirname=".teleport"
_teleport_prefix="/var/lib"
_teleport_dirname="$_pkg_name"
_out_dir="${_teleport_prefix}/${_teleport_dirname}"
# name of the systemd service file
_teleport_service="teleport.service"
# name of the teleport config file
_cfg_file="teleport.yaml"
# This next setting specifies the default listen ip address for the target node.
# Normally you will only ever set this setting to either 0.0.0.0 or 127.0.0.1
#
# By default, teleport daemon will try to bind to 0.0.0.0 and come up on
# all available interfaces. This is very beneficial for automated installs
# where each node might be getting a dynamically allocated cloud ip address
# which is not known ahead of time. However this can also be a security risk
# if there are multiple interfaces. Some public facing, others private facing.
#
# If installing the resultant debian package interactively, then debconf will
# pause installation to throw up an ncurses prompt to give the user an opportunity
# to override this default listen ip address. But if DEBIAN_FRONTEND=noninteractive
# then you can either override this setting here to 127.0.0.1 (the localhost ip),
# or you can instead leave this as 0.0.0.0 and simply opt to run a couple of
# commands before installing: systemctl mask and disable the systemd service, which
# prevents it from coming up immediately as part of the pkg install (which otherwise
# happens automatically, without any user intervention). You can then simply
# "dpkg-reconfigure teleport" to manually set the listen address.
#
# Or you can instead take the option to override the configuration file template
# which is embedded in your tdeploy config file and comment out the line "listen_addr: ",
# since only the 1st encountered match of "listen_addr: " is ever overwritten
# by the teleport packaging "post install" script.
#
# Each method has its own set of pros and cons, depending upon the deployment scenario.
#
_cfg_default_listen_addr="0.0.0.0"
# _cfg_default_listen_addr="127.0.0.1"
# the names of the programs being packaged
_bin_teleport="teleport"
_bin_tctl="tctl"
_bin_tsh="tsh"
_bins="$_bin_tctl $_bin_teleport $_bin_tsh"
for _bin in $_bins; do
eval "_bin_src_${_bin}=\"${_teleport_build}/${_bin}\""
eval "_bins_src=\"$_bins_src \$_bin_src_${_bin}\""
done
# the names of the helper post install, and pre uninstall scripts
_teleport_post_install="teleport-postinst"
_teleport_pre_uninstall="teleport-prerm"
_teleport_post_uninstall="teleport-postrm"
# for debian packaging only
_deb_templates="deb-templates"
_deb_config="deb-config"
# these settings select a very useful 3rd party helper script 'tsysinfo', to include
# within the main teleport package. 'tsysinfo' is required for the dynamic label commands
# that are included in the config template, which provide useful health monitoring
_bin_tsysinfo="tsysinfo"
_bin_src_tsysinfo="${_program_folder}/${_bin_tsysinfo}"
if [ ! -e "$_bin_src_tsysinfo" ]; then
_bin_src_tsysinfo="$(realpath $(which ${_bin_tsysinfo} 2> /dev/null) 2>/dev/null)"
fi
if [ "$_bin_src_tsysinfo" ]; then
_bins_src="$_bins_src $_bin_src_tsysinfo"
_bins="$_bins $_bin_tsysinfo"
fi
# the following locations are only used when _pkg_style=debian or _pkg_style=linkself
# on any platforms that install to /usr/local/bin, instead of debian
# then it would be most fitting to change this next setting around for the other one
# _out_binpath_debian="/usr/local/bin"
_out_binpath_debian="/usr/bin"
_cfg_path_debian="/etc"
_systemd_path_debian="/lib/systemd/system"
_systemd_file_debian="${_systemd_path_debian}/${_teleport_service}"
_cfg_file_debian="${_cfg_path_debian}/${_cfg_file}"
# Perform any tweaks to the teleport.yaml configuration file here
_cat_teleport_yaml()
{
cat << EOF
teleport:
  data_dir: ${_out_dir}/data
  pid_file: ${_out_dir}/teleport.pid
  ${_token_line}${_ca_pin_line}${_auth_servers_lines}
  # This next line may be changed or updated by the teleport installer's post install script
  # And may also be updated from the debconf database during package upgrades (on debian systems)
  listen_addr: $_cfg_default_listen_addr
  # However any 2nd, 3rd or subsequent re-occurrence of this same setting will not be updated by the
  # teleport post install script. Therefore if you would like to manually override "listen_addr" here...
  # Then first comment out the above prior setting ^^ and keep it intact but disabled (don't delete it).
  # listen_addr: $_cfg_default_listen_addr
  connection_limits:
    max_connections: 15000
    max_users: 250
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: "$_role_auth"
proxy_service:
  enabled: "$_role_proxy"
ssh_service:
  enabled: "$_role_node"
  labels:
    pkg-type: $_pkg_type
  commands:
    - name: cpu-cores
      command: [${_target_bins_out}/${_bin_tsysinfo}, cpu-cores]
      period: 1h0m0s
    # # requires the package 'lm-sensors', for the command 'sensors' (you must also run 'sensors-detect' too)
    # - name: cpu
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, cpu-temp]
    #   period: 1h0m0s
    # # requires the 'sysstat' package, for the command 'mpstat'
    # - name: cpu
    #   command: [/bin/sh, -c, "sleep 1; ${_target_bins_out}/${_bin_tsysinfo} cpu-usage"]
    #   period: 0h57m0s
    # # requires the package 'smartmontools', for the command 'smartctl'
    # # requires the package 'lsscsi' for the command 'lsscsi'
    # - name: disks
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, disk-health]
    #   period: 1h0m0s
    - name: /
      command: [${_target_bins_out}/${_bin_tsysinfo}, disk-usage, "/"]
      period: 1h0m0s
    - name: disks
      command: [${_target_bins_out}/${_bin_tsysinfo}, disks]
      period: 1h0m0s
    # # requires the package 'smartmontools', for the command 'smartctl'
    # # requires the package 'lsscsi' for the command 'lsscsi'
    # - name: disktemps
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, disks-worst-temp]
    #   period: 1h0m0s
    - name: dmesg
      command: [${_target_bins_out}/${_bin_tsysinfo}, dmesg-health]
      period: 1h0m0s
    # # requires systemd, for the command 'systemctl', and
    # # requires the package 'docker-ce', for the command 'docker'
    # - name: docker
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, docker-status]
    #   period: 1h0m0s
    # # requires the package 'lm-sensors', for the command 'sensors' (you must also run 'sensors-detect' too)
    # # takes a single argument, comma separated list of fans e.g. "1,2,3"
    # - name: fans
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, fan-spin, "1,2,3"]
    #   period: 1h0m0s
    # # requires systemd, for the command 'systemctl'
    # - name: fancontrol.service
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, systemctl-status, "fancontrol.service"]
    #   period: 1h0m0s
    - name: kernel
      command: [${_target_bins_out}/${_bin_tsysinfo}, kernel]
      period: 1h0m0s
    - name: mem
      command: [${_target_bins_out}/${_bin_tsysinfo}, memory-usage]
      period: 1h0m0s
    - name: os
      command: [${_target_bins_out}/${_bin_tsysinfo}, os]
      period: 1h0m0s
    - name: platform
      command: [${_target_bins_out}/${_bin_tsysinfo}, platform]
      period: 1h0m0s
    # # requires systemd, for the command 'systemctl'
    # - name: systemd-health
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, systemd-health]
    #   period: 1h0m0s
    - name: up
      command: [${_target_bins_out}/${_bin_tsysinfo}, uptime]
      period: 1h0m0s
    # # requires the 'zfs' package(s), for the command 'zpool', and a working zfs filesystem loaded
    # - name: zfs
    #   command: [${_target_bins_out}/${_bin_tsysinfo}, zfs-health]
    #   period: 1h0m0s
EOF
}
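The settings comments above state two things about the listen address: the packaging post-install script overwrites only the first "listen_addr: " match it encounters (so commenting out the first copy and placing an override after it survives the rewrite), and a 0.0.0.0 bind on a node with both public and private interfaces is a risk. The following POSIX sh block is an added example; it is not part of tdeploy or of its post-install script. The function names `tdeploy_set_listen_addr`, `tdeploy_effective_listen_addr` and `tdeploy_check_listen_addr`, and the two sample configs, are constructed for it. It reproduces the first-match rewrite, extracts the address the daemon will actually use, and flags a wildcard bind.

```shell
#!/bin/sh
# Added example, not part of tdeploy: reproduces the "only the first
# listen_addr: match is rewritten" rule from the settings comments and adds
# a defender-side check for a wildcard bind. The function names and the two
# sample configs below are constructed for this example.

# Constructed sample 1: the template as _cat_teleport_yaml lays it out
# (active wildcard bind, commented fallback copy underneath).
SAMPLE_TEMPLATE='teleport:
  data_dir: /var/lib/teleport/data
  listen_addr: 0.0.0.0
  # listen_addr: 0.0.0.0
ssh_service:
  enabled: "yes"'

# Constructed sample 2: the manual-override layout the comments recommend,
# first copy commented out and left intact, the override placed after it.
SAMPLE_OVERRIDE='teleport:
  data_dir: /var/lib/teleport/data
  # listen_addr: 0.0.0.0
  listen_addr: 127.0.0.1
ssh_service:
  enabled: "yes"'

# Rewrite the first line containing "listen_addr:", commented or not, the way
# the post-install step is described; every later occurrence is left alone.
# $1 = new address; config text on stdin; rewritten config on stdout.
tdeploy_set_listen_addr() {
  awk -v addr="$1" '
    !done && /listen_addr:/ {
      sub(/listen_addr:.*$/, "listen_addr: " addr)
      done = 1
    }
    { print }
  '
}

# Print the address the daemon will actually use: the first uncommented
# listen_addr: line (config text on stdin). Prints nothing if there is none.
tdeploy_effective_listen_addr() {
  awk '$1 == "listen_addr:" { print $2; exit }'
}

# Return 0 when the effective bind is a specific address (loopback or one
# interface), 1 when the node would listen on every interface. An absent
# setting counts as wildcard, since teleport then binds 0.0.0.0 by default.
tdeploy_check_listen_addr() {
  _addr="$(tdeploy_effective_listen_addr)"
  case "$_addr" in
    ""|0.0.0.0|0.0.0.0:*|"::"|"[::]"*) return 1 ;;
    *) return 0 ;;
  esac
}
```

Run the check against the YAML that `_cat_teleport_yaml` emits before building the package, or against the installed `/etc/teleport.yaml` after an unattended install, to catch a node that ended up listening on every interface.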
# Perform any tweaks to you platform's service files below
_cat_teleport_service_launchd()
{
# Not tested - needs testing
# /Library/LaunchDaemons/teleport.plist
cat << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key><false/>
<key>Label</key><string>${_pkg_name}</string>
<key>Program</key><string>${_target_bins_out}/${_pkg_name}</string>
<key>ProgramArguments</key><array>
<string>${_target_bins_out}/${_pkg_name}</string>
<string>start</string>
<string>--config</string>
<string>${_target_cfg_file}</string>
</array>
<key>KeepAlive</key> <true/>
<key>StandardOutPath</key><string>/var/log/${_pkg_name}-stdout.log</string>
<key>StandardErrorPath</key><string>/var/log/${_pkg_name}-stderr.log</string>
<key>WorkingDirectory</key><string>${_out_dir}</string>
<key>UserName</key><string>root</string>
<key>GroupName</key><string>root</string>
<key>EnvironmentVariables</key>
<dict>
</dict>
</dict>
</plist>
EOF
}
_cat_teleport_service_runit_run()
{
# Not tested - needs testing
# /etc/service/teleport/run
cat << EOF
#! /bin/sh
# Send stderr to stdout so svlogd catches all output.
exec 2>&1
PROGRAM="${_target_bins_out}/${_pkg_name}"
# Set up the arguments (for \$@)
set -- "start" "--config" "$_target_cfg_file"
exec env chpst -u "root:root" -/ "/" "\$PROGRAM" "\$@"
EOF
}
_cat_teleport_service_runit_log()
{
# Not tested - needs testing
# /etc/service/teleport/log/run
cat << EOF
#! /bin/sh
exec svlogd -tt /var/log/${_pkg_name}
EOF
}
_cat_teleport_service_systemd()
{
# Tested - ok
# /lib/systemd/system/teleport.service
cat << EOF
[Unit]
Description=Teleport SSH Service
After=network.target
AssertPathExists=${_out_dir}
[Service]
Type=simple
# User=root
# Group=root
# Restart=always
Restart=on-failure
RestartSec=3
PrivateTmp=true
#NoNewPrivileges=true
# ExecReload=/bin/kill -HUP \$MAINPID
# PIDFile=${_out_dir}/${_pkg_name}.pid
WorkingDirectory=${_out_dir}
ExecStart=${_target_bins_out}/${_pkg_name} start --config $_target_cfg_file
[Install]
WantedBy=multi-user.target
EOF
}
_cat_teleport_service_sysv()
{
# Not tested - needs testing
# /etc/init.d/teleport
cat << EOF
#!/bin/sh
# Init script for ${_pkg_name}
# Maintained by
# Generated by pleaserun.
# Implemented based on LSB Core 3.1:
# * Sections: 20.2, 20.3
#
### BEGIN INIT INFO
# Provides: ${_pkg_name}
# Required-Start: \$remote_fs \$syslog
# Required-Stop: \$remote_fs \$syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description:
# Description: $_pkg_description
### END INIT INFO
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
name=${_pkg_name}
program=${_target_bins_out}/${_pkg_name}
args=start\ --config\ $_target_cfg_file
pidfile="/var/run/\$name.pid"
user="root"
group="root"
chroot="/"
chdir="$_out_dir"
nice=""
# If this is set to 1, then when \`stop\` is called, if the process has
# not exited within a reasonable time, SIGKILL will be sent next.
# The default behavior is to simply log a message "program stop failed; still running"
KILL_ON_STOP_TIMEOUT=0
# When loading default and sysconfig files, we use \`set -a\` to make
# all variables automatically into environment variables.
set -a
# [ -r /etc/default/${_pkg_name} ] && . /etc/default/${_pkg_name}
# [ -r /etc/sysconfig/${_pkg_name} ] && . /etc/sysconfig/${_pkg_name}
set +a
[ -z "\$nice" ] && nice=0
trace() {
logger -t "/etc/init.d/${_pkg_name}" "\$@"
}
emit() {
trace "\$@"
echo "\$@"
}
start() {
# Ensure the log directory is setup correctly.
if [ ! -d "/var/log" ]; then
mkdir "/var/log"
chown "\$user":"\$group" "/var/log"
chmod 755 "/var/log"
fi
# Setup any environmental stuff beforehand
# Run the program!
chroot --userspec "\$user":"\$group" "\$chroot" sh -c "
cd \\"\$chdir\\"
exec \\"\$program\\" \$args
" >> /var/log/${_pkg_name}-stdout.log 2>> /var/log/${_pkg_name}-stderr.log &
# Generate the pidfile from here. If we instead made the forked process
# generate it there will be a race condition between the pidfile writing
# and a process possibly asking for status.
echo \$! > \$pidfile
emit "\$name started"
return 0
}
stop() {
# Try a few times to kill TERM the program
if status ; then
pid=\$(cat "\$pidfile")
trace "Killing \$name (pid \$pid) with SIGTERM"
kill -TERM \$pid
# Wait for it to exit.
for i in 1 2 3 4 5 ; do
trace "Waiting \$name (pid \$pid) to die..."
status || break
sleep 1
done
if status ; then
if [ "\$KILL_ON_STOP_TIMEOUT" -eq 1 ] ; then
trace "Timeout reached. Killing \$name (pid \$pid) with SIGKILL. This may result in data loss."
kill -KILL \$pid
emit "\$name killed with SIGKILL."
else
emit "\$name stop failed; still running."
fi
else
emit "\$name stopped."
fi
fi
}
status() {
if [ -f "\$pidfile" ] ; then
pid=\$(cat "\$pidfile")
if ps -p \$pid > /dev/null 2> /dev/null ; then
# process by this pid is running.
# It may not be our pid, but that's what you get with just pidfiles.
# TODO(sissel): Check if this process seems to be the same as the one we
# expect. It'd be nice to use flock here, but flock uses fork, not exec,
# so it makes it quite awkward to use in this case.
return 0
else
return 2 # program is dead but pid file exists
fi
else
return 3 # program is not running
fi
}
force_stop() {
if status ; then
stop
status && kill -KILL \$(cat "\$pidfile")
fi
}
case "\$1" in
force-start|start|stop|force-stop|restart)
trace "Attempting '\$1' on ${_pkg_name}"
;;
esac
case "\$1" in
force-start)
PRESTART=no
exec "\$0" start
;;
start)
status
code=\$?
if [ \$code -eq 0 ]; then
emit "\$name is already running"
exit \$code
else
start
exit \$?
fi
;;
stop) stop ;;
force-stop) force_stop ;;
status)
status
code=\$?
if [ \$code -eq 0 ] ; then
emit "\$name is running"
else
emit "\$name is not running"
fi
exit \$code
;;
restart)
stop && start
;;
*)
echo "Usage: \$0 {start|force-start|stop|force-stop|status|restart}" >&2
exit 3
;;
esac
exit \$?
EOF
}
_cat_teleport_service_upstart()
{
# Not tested - needs testing
# /etc/init/teleport.conf
cat << EOF
description "$_pkg_description"
start on filesystem or runlevel [2345]
stop on runlevel [!2345]
respawn
umask 022
chroot /
chdir $_out_dir
setuid root
setgid root
script
# When loading default and sysconfig files, we use \`set -a\` to make
# all variables automatically into environment variables.
set -a
# [ -r /etc/default/${_pkg_name} ] && . /etc/default/${_pkg_name}
# [ -r /etc/sysconfig/${_pkg_name} ] && . /etc/sysconfig/${_pkg_name}
set +a
exec $_target_bins_out/${_pkg_name} "start" "--config" "$_target_cfg_file"
end script
EOF
}
# ___MARK___tdeploy_settings_end_____DO_NOT_REMOVE_THIS_LINE___
__disabled_generate_service_file_templates()
{
# patch pleaserun runit error
_pr_gempath="$(VISUAL=echo gem open pleaserun)"
sudo sed -i -e "s#\"/service\" do |path|#\"/service\" do#g" -e "s#validate do#validate do |path|#g" "${_pr_gempath}/lib/pleaserun/platform/runit.rb"
_platforms="launchd runit systemd sysv upstart"
for _p in $_platforms; do
pleaserun --overwrite --platform $_p --no-install-actions --install-prefix ${_p} --chdir /z_out_dir /z_out_binpath/teleport start --config z_cfg_file_out
done
}
_cat_teleport_service_files()
{
_platforms="$@"
for _p in $_platforms; do
case $_p in
launchd)
_service_folder="${_outpath}/Library/LaunchDaemons"
mkdir -p "$_service_folder"
_cat_teleport_service_launchd > "${_service_folder}/${_pkg_name}.plist"
;;
runit)
_service_folder="${_outpath}/etc/service/${_pkg_name}"
mkdir -p "${_service_folder}/log"
_cat_teleport_service_runit_run > "${_service_folder}/run"
_cat_teleport_service_runit_log > "${_service_folder}/log/run"
;;
systemd)
_service_folder="${_outpath}/${_systemd_path_debian}"
mkdir -p "$_service_folder"
_cat_teleport_service_systemd > "${_service_folder}/${_pkg_name}.service"
;;
sysv)
_service_folder="${_outpath}/etc/init.d"
mkdir -p "$_service_folder"
_cat_teleport_service_sysv > "${_service_folder}/${_pkg_name}"
;;
upstart)
_service_folder="${_outpath}/etc/init"
mkdir -p "$_service_folder"
_cat_teleport_service_upstart > "${_service_folder}/${_pkg_name}.conf"
;;
*)
err 1 "platform \"$_p\" not recognized. valid values are: launchd runit systemd sysv upstart"
;;
esac
done
}
err()
{
_rc="$1"
shift
echo "${_program}: error: $@"
exit $_rc
}
warn()
{
echo "${_program}: warning: $@"
}
info()
{
echo "${_program}: info: $@"
}
dwarn()
{
[ "$__debug" ] && echo "${_program}: debug: warning: $@"
}
dinfo()
{
[ "$__debug" ] && echo "${_program}: debug: info: $@"
}
if [ -e "$_tdeploy_config" ]; then
info "loaded $_tdeploy_config"
. "$_tdeploy_config"
fi
_cat_tdeploy_config()
{
_script="$0"
if [ ! -e "$(realpath "$_script")" ]; then
err 1 "cannot find this script on disk \"${0}\"..." "so cannot extract settings from it."
fi
_tdeploy_header_start_marker="# ___MARK___tdeploy_settings_begin___DO_NOT_REMOVE_THIS_LINE___"
_tdeploy_header_end_marker="# ___MARK___tdeploy_settings_end_____DO_NOT_REMOVE_THIS_LINE___"
awk "/${_tdeploy_header_start_marker}/{flag=1;next}/${_tdeploy_header_end_marker}/{flag=0}flag" "$_script"
}
_tdeploy_settings()
{
if [ ! -e "$_tdeploy_config" ]; then
mkdir -p "$(dirname "$_tdeploy_config")"
_cat_tdeploy_config > "$_tdeploy_config"
sed -i -e "s/^/# /g" -e "s/^# $//g" "$_tdeploy_config"
info "generated file: \"$_tdeploy_config\". for your user settings"
exit 0
else
err 1 "file already exists: \"$_tdeploy_config\"." "please remove / rename your old config."
fi
}
_cat_help()
{
cat << EOF
$_program:
Options are passed to 'tctl nodes add', for the token generation.
Creates a setup package for provisioning 1 new teleport node.
Prints out all necessary instructions for how to use it.
usage:
$_program --settings
$_program --install [options]
$_program --upgrade --nodes="node1,node2,...|all" [options]
$_program --remove --nodes="node1,node2,...|all" [options]
flags:
--settings
Generates a settings file for tdeploy's own settings. Allows a user to override
any of the variables at the top of this script. ! Not teleport's "teleport.yaml".
Also honours an optional environment variable "TDEPLOY_CONFIG=" to specify an
alternative configuration file. Useful for different node types.
Otherwise the default file location will be read/written (~/.tsh/tdeploy.config).
--install
Create a generic installer package, for installing teleport to another machine.
It assumes that you have a working $GOPATH and go environment from which to
locally build and compile the teleport binaries from source.
--with-token
The --install action will by default generate a generic setup installer file,
designed for widespread distribution. However you will then also need to
manage yourself the separate distribution of the one-time use tokens, which can
be generated by executing 'tctl nodes add'.
Use this flag to get this script to perform that missing step for you. It will
then instead generate a customized installer package that is exactly the same
as the generic package, but with a single one-time-use token already included
as part of its 'teleport.yaml' configuration file. This unique package can
then be used to provision exactly 1 node to join this cluster, so is only good
for provisioning a single node (however you can re-run this program as many times
as you wish in order to generate multiple installation packages, each with their
own unique token), for purely file-based provisioning.
--ssh
This flag will override the default transport mechanism, which is teleport's native
commandline `tsh ssh` command. This is necessary for the --install action if you
have also supplied the --nodes flag and wish to install teleport onto them via ssh.
So with the --install --ssh --nodes="..." flags, this script will attempt with ssh and scp.
This mode requires calling ssh many times, so it is not pleasant to type your ssh password
up to 10 times per node. It's only worth using if you have set up ssh so that it does
not require you to enter a password every time: either with a key file, or an ~/.ssh/config
entry which specifies a password in that ssh host's entry, or ssh-agent. Whatever.
This feature also requires the ability to either ssh in as root, or otherwise be able
to elevate permissions on the target machine with the `sudo` command.
--ssh-user
This optional flag works for both tsh and ssh transport mechanisms. It is to
specify the remote username to login as for any nodes that you do not prefix
explicitly with a username@node syntax. Otherwise the decision as to what user
to login as will be left to either teleport's tsh command, or ssh's client config.
--upgrade
Update the specified --nodes= (nodes which are already joined)
Use the flag --nodes=all to perform the action on all known nodes
--remove
Uninstall teleport from the specified --nodes=
Use the flag --nodes=all to perform the action on all known nodes
--nodes
Comma or space separated list ("quoted list") of teleport nodes to perform
the action on. Must have sudo or 'root' login permission on those target nodes.
The special node named "all" selects all of the nodes returned by the command:
tsh ls | grep -o "^[^ -]*" | grep -v "Node"
In the context of --install action with the --ssh flag, this --nodes flag
specifies a list of ssh hosts, and uses ssh as the transport mechanism.
In the context of --upgrade and --remove actions, then teleport / tsh is used.
--long-version
For a longer version string that includes a git commit short hash within it.
--debian-revision
To specify an increasing integer number greater than 1 for 2nd, 3rd pkg revisions
that have the same teleport version number. Which is then tagged on at the end
of the debian version string to differentiate subsequent revisions of a package.
Otherwise the default '-1' will be the unique debian revision for deb packages.
--force-confnew
--force-confold
--force-confdef
--force-confask
For --install and --upgrade operations. This flag is specific to deb (debian)
distributions. The default behaviour is to NOT overwrite an existing config
file (teleport.yaml) on the target node, i.e. --force-confold. Apply a
different flag to change that behaviour. Applying the flag "--force-confnew"
is necessary to push out new updates to the "teleport.yaml" config file.
The flag is passed to the command "dpkg -i file.deb". See: dpkg --force-help
--init-types=
Comma or space separated list ("quoted list") of system service managers to
include support for in the generated installation package. Possible values:
launchd, runit, systemd, sysv and upstart. NOTE: only "systemd" was tested.
Therefore some additional work may be required for the other init types.
Service files were created from templates of fpm helper tool "pleaserun".
--pkg-style=<debian|self|linkself>
Select the packaging style. Determines the filesystem layout once installed.
debian = follow debian fs hierarchy packaging guidelines, the default
self = self contained, everything under the same folder
linkself = self-contained, but also symlink outside the teleport folder to create
presence of them in system wide locations, to be debian compatible
"debian" or "linkself" for the pkg to be able to install and start teleport as a daemon
--pkg-type=<tarball|zip|tar|dir|binary|sh|deb>
For the --install and --upgrade commands
Select the type of package to generate as the installer. Defaults to "binary"
and so creates a self extracting installer using the tool "makeself.sh".
Therefore you must first download "makeself.sh" and put it on your \$PATH
before running this script. This is the default packaging option.
"tarball" is a .tar.gz archive which requires no packager tool dependencies
All of the other supported package formats require the optional "fpm" ruby gem.
Those package types are documented in the fpm documentation. "fpm --help".
Note: Not all package types are tested or supported yet! Some package types will
throw an error and therefore will require extra work, to implement those missing
handler functions in the tdeploy script. These further possible types are:
<rpm|osxpkg|solaris|freebsd|pkgin|puppet|apk|pacman|snap>
For the --upgrade and --remove commands
If the existing node has a label "pkg-type=", then that will be used to determine
the package type. This node label is created by default by the --install command.
Therefore this flag is then only applied to those existing nodes which do not have
an existing "pkg-type=" label.
Node provisioning options:
If the action is --install or --upgrade. Then these optional flags are passed
down to 'tctl nodes add' provisioning command. "tctl help" for more information.
--roles <auth,node,proxy>
Comma-separated list of roles for the new node to assume. Defaults to 'node'.
--debug, -d
Enable verbose logging of 'tctl nodes add' command
--token
Custom token to use, autogenerated if not provided
--config, -c
Path to auth server's teleport.yaml config file (for calling "tctl nodes add")
This is not the one being packaged and distributed to the target node. Which
is generated on the fly from the shell function "_cat_teleport_yaml".
This argument is also needed for the --upgrade command, which invokes 'tctl'.
--ttl
Authentication token lifetime in hms, eg '30m' or '10h30m15s'
--help, -h:
Display this message and exit
Examples:
Create a new tdeploy user configuration file, in the default location
This allows a more fine-grained control over the package generation
Including editing of generated teleport.yaml, service init files, etc.
tdeploy --settings
Create a new CUSTOM tdeploy user configuration file, for multiple configs.
This is then used whenever prefixing the same TDEPLOY_CONFIG="<filename>"
to any of your subsequent tdeploy commands, so selecting the tdeploy config.
TDEPLOY_CONFIG="/path/to/my-tdeploy-auth.config" tdeploy --settings
Use an alternative tdeploy configuration file, and provision for a new auth server
export TDEPLOY_CONFIG="/path/to/my-tdeploy-auth.config"
tdeploy --install --with-token --roles=auth
Create a custom installer package (including token), for debian distributions with
a debian files layout, and include a service file for debian's default systemd
tdeploy --install --with-token --pkg-type=deb
Create a generic self extracting binary with the init types for sysv and systemd.
Without including the per-node provisioning token
tdeploy --install --init-types="sysv systemd"
Create an rpm, with a custom token value, and token lifetime of 3.5 hours
tdeploy --install --pkg-type=rpm --with-token --token="my_token" --ttl="3h30m"
Check up on what is being generated, creates a local folder as the pkg
tdeploy --install --pkg-type=dir
Upgrade all of the nodes in my cluster to the current build in my \$GOPATH
tdeploy --upgrade --nodes=all