archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-03-16 22:13:38 +00:00
Code Issues Projects Releases Wiki Activity
netdata_netdata/packaging/makeself/install-or-update.sh
Costa Tsaousis 834b0f0a0a detect the system ca bundle at runtime (#19622) 
* detect the system ca bundle at runtime

* minor fix

* fix for older libcurl versions

* added X509_get_default_cert_file()

* added validation for the certificates

* moved ssl/curl code to separate file; now it configured both libcurl and openssl; added defaults to libcurl static install

* run the new code only in netdata static builds

* auto to check

* disable runtime ssl checks

(cherry picked from commit 3e15a013d0)
2025-02-20 09:09:07 -05:00

332 lines
12 KiB
Bash
Executable file
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-or-later
# shellcheck source=./packaging/makeself/functions.sh
. "$(dirname "${0}")"/functions.sh
export LC_ALL=C
umask 002
# Be nice on production environments
renice 19 $$ > /dev/null 2> /dev/null
NETDATA_PREFIX="/opt/netdata"
NETDATA_USER_CONFIG_DIR="${NETDATA_PREFIX}/etc/netdata"
# -----------------------------------------------------------------------------
if [ -d /opt/netdata/etc/netdata.old ]; then
progress "Found old etc/netdata directory, reinstating this"
[ -d /opt/netdata/etc/netdata.new ] && rm -rf /opt/netdata/etc/netdata.new
mv -f /opt/netdata/etc/netdata /opt/netdata/etc/netdata.new
mv -f /opt/netdata/etc/netdata.old /opt/netdata/etc/netdata
progress "Trigger stock config clean up"
rm -f /opt/netdata/etc/netdata/.installer-cleanup-of-stock-configs-done
fi
STARTIT=1
REINSTALL_OPTIONS=""
NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-check}"
NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
RELEASE_CHANNEL="nightly"
while [ "${1}" ]; do
case "${1}" in
"--dont-start-it")
STARTIT=0
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--auto-update" | "-u") ;;
"--stable-channel")
RELEASE_CHANNEL="stable"
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--nightly-channel")
RELEASE_CHANNEL="nightly"
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--disable-telemetry")
NETDATA_DISABLE_TELEMETRY=1
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
;;
"--certificates")
case "${2}" in
auto|system) NETDATA_CERT_MODE="auto" ;;
check) NETDATA_CERT_MODE="check" ;;
bundled) NETDATA_CERT_MODE="bundled" ;;
*) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
esac
shift 1
;;
"--certificate-test-url")
NETDATA_CERT_TEST_URL="${2}"
shift 1
;;
*) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
esac
shift 1
done
if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
[ -n "$DISABLE_TELEMETRY" ] ||
[ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
[ -n "$DO_NOT_TRACK" ]; then
NETDATA_DISABLE_TELEMETRY=1
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
fi
if [ -n "${NETDATA_CERT_MODE}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
fi
if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
fi
# -----------------------------------------------------------------------------
progress "Attempt to create user/group netdata/netadata"
NETDATA_WANTED_GROUPS="docker nginx varnish haproxy adm nsd proxy squid ceph nobody I2C"
NETDATA_ADDED_TO_GROUPS=""
# Default user/group
NETDATA_USER="root"
NETDATA_GROUP="root"
if portable_add_group netdata; then
if portable_add_user netdata "/opt/netdata"; then
progress "Add user netdata to required user groups"
for g in ${NETDATA_WANTED_GROUPS}; do
# shellcheck disable=SC2086
if portable_add_user_to_group ${g} netdata; then
NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} ${g}"
else
run_failed "Failed to add netdata user to secondary groups"
fi
done
# Netdata must be able to read /etc/pve/qemu-server/* and /etc/pve/lxc/*
# for reading VMs/containers names, CPU and memory limits on Proxmox.
if [ -d "/etc/pve" ]; then
portable_add_user_to_group "www-data" netdata && NETDATA_ADDED_TO_GROUPS="${NETDATA_ADDED_TO_GROUPS} www-data"
fi
NETDATA_USER="netdata"
NETDATA_GROUP="netdata"
else
run_failed "I could not add user netdata, will be using root"
fi
else
run_failed "I could not add group netdata, so no user netdata will be created as well. Netdata run as root:root"
fi
# -----------------------------------------------------------------------------
progress "Install logrotate configuration for netdata"
install_netdata_logrotate || run_failed "Cannot install logrotate file for netdata."
progress "Install journald configuration for netdata"
install_netdata_journald_conf || run_failed "Cannot install journald file for netdata."
# -----------------------------------------------------------------------------
progress "Telemetry configuration"
# Opt-out from telemetry program
if [ -n "${NETDATA_DISABLE_TELEMETRY}" ]; then
run touch "${NETDATA_USER_CONFIG_DIR}/.opt-out-from-anonymous-statistics"
else
printf "You can opt out from anonymous statistics via the --disable-telemetry option, or by creating an empty file %s \n\n" "${NETDATA_USER_CONFIG_DIR}/.opt-out-from-anonymous-statistics"
fi
# -----------------------------------------------------------------------------
progress "Install netdata at system init"
install_netdata_service || run_failed "Cannot install netdata init service."
set_netdata_updater_channel || run_failed "Cannot set netdata updater tool release channel to '${RELEASE_CHANNEL}'"
# -----------------------------------------------------------------------------
progress "Install (but not enable) netdata updater tool"
install_netdata_updater || run_failed "Cannot install netdata updater tool."
# -----------------------------------------------------------------------------
progress "creating quick links"
dir_should_be_link() {
local p="${1}" t="${2}" d="${3}" old
old="${PWD}"
cd "${p}" || return 0
if [ -e "${d}" ]; then
if [ -h "${d}" ]; then
run rm "${d}"
else
run mv -f "${d}" "${d}.old.$$"
fi
fi
run ln -s "${t}" "${d}"
cd "${old}" || true
}
dir_should_be_link . bin sbin
dir_should_be_link usr ../bin bin
dir_should_be_link usr ../bin sbin
dir_should_be_link usr . local
dir_should_be_link . etc/netdata netdata-configs
dir_should_be_link . usr/share/netdata/web netdata-web-files
dir_should_be_link . usr/libexec/netdata netdata-plugins
dir_should_be_link . var/lib/netdata netdata-dbs
dir_should_be_link . var/cache/netdata netdata-metrics
dir_should_be_link . var/log/netdata netdata-logs
dir_should_be_link etc/netdata ../../usr/lib/netdata/conf.d orig
# -----------------------------------------------------------------------------
progress "fix permissions"
run chmod g+rx,o+rx /opt
run find /opt/netdata -type d -exec chmod go+rx '{}' \+
run chown -R ${NETDATA_USER}:${NETDATA_GROUP} /opt/netdata/var
if [ -d /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.d ]; then
run chown -R root:${NETDATA_GROUP} /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.d
fi
# -----------------------------------------------------------------------------
progress "changing plugins ownership and permissions"
for x in ndsudo apps.plugin perf.plugin slabinfo.plugin debugfs.plugin freeipmi.plugin ioping cgroup-network local-listeners network-viewer.plugin ebpf.plugin nfacct.plugin xenstat.plugin python.d.plugin charts.d.plugin go.d.plugin ioping.plugin cgroup-network-helper.sh; do
f="usr/libexec/netdata/plugins.d/${x}"
if [ -f "${f}" ]; then
run chown root:${NETDATA_GROUP} "${f}"
fi
done
if command -v setcap >/dev/null 2>&1; then
if ! run setcap "cap_dac_read_search,cap_sys_ptrace=ep" "usr/libexec/netdata/plugins.d/apps.plugin"; then
run chmod 4750 "usr/libexec/netdata/plugins.d/apps.plugin"
fi
if ! run setcap "cap_dac_read_search=ep" "usr/libexec/netdata/plugins.d/slabinfo.plugin"; then
run chmod 4750 "usr/libexec/netdata/plugins.d/slabinfo.plugin"
fi
if ! run setcap "cap_dac_read_search=ep" "usr/libexec/netdata/plugins.d/debugfs.plugin"; then
run chmod 4750 "usr/libexec/netdata/plugins.d/debugfs.plugin"
fi
if ! run setcap "cap_dac_read_search+epi cap_net_admin+epi cap_net_raw=eip" "usr/libexec/netdata/plugins.d/go.d.plugin"; then
run chmod 4750 "usr/libexec/netdata/plugins.d/go.d.plugin"
fi
perf_caps="cap_sys_admin=ep"
if command -v capsh >/dev/null 2>&1 && capsh --supports=cap_perfmon 2>/dev/null; then
perf_caps="cap_perfmon=ep"
fi
if ! run setcap "${perf_caps}" "usr/libexec/netdata/plugins.d/perf.plugin"; then
run chmod 4750 "usr/libexec/netdata/plugins.d/perf.plugin"
fi
else
for x in apps.plugin perf.plugin slabinfo.plugin debugfs.plugin; do
f="usr/libexec/netdata/plugins.d/${x}"
run chmod 4750 "${f}"
done
fi
for x in ndsudo freeipmi.plugin ioping cgroup-network local-listeners network-viewer.plugin ebpf.plugin nfacct.plugin xenstat.plugin; do
f="usr/libexec/netdata/plugins.d/${x}"
if [ -f "${f}" ]; then
run chmod 4750 "${f}"
fi
done
# -----------------------------------------------------------------------------
replace_symlink() {
target="${1}"
name="${2}"
rm -f "${name}"
ln -s "${target}" "${name}"
}
select_system_certs() {
if [ -d /etc/pki/tls ] ; then
echo "${1} /etc/pki/tls for TLS configuration and certificates"
replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
elif [ -d /etc/ssl ] ; then
echo "${1} /etc/ssl for TLS configuration and certificates"
replace_symlink /etc/ssl /opt/netdata/etc/ssl
fi
}
select_internal_certs() {
echo "Using bundled TLS configuration and certificates"
replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
}
certs_selected() {
[ -L /opt/netdata/etc/ssl ] || return 1
}
test_certs() {
/opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"
case "$?" in
35|77) echo "Failed to load certificate files for test." ; return 1 ;;
60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
*) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
esac
}
# If the user has manually set up certificates, dont mess with it.
if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
echo "Preserving existing user configuration for TLS"
else
echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
case "${NETDATA_CERT_MODE}" in
check)
select_system_certs "Testing"
if certs_selected && test_certs; then
select_system_certs "Using"
else
select_internal_certs
fi
;;
bundled) select_internal_certs ;;
*)
select_system_certs "Using"
if ! certs_selected; then
select_internal_certs
fi
;;
esac
fi
# -----------------------------------------------------------------------------
echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"
# -----------------------------------------------------------------------------
if [ ${STARTIT} -eq 0 ]; then
create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf"
netdata_banner "is installed now!"
else
progress "starting netdata"
if ! restart_netdata "${NETDATA_PREFIX}/bin/netdata"; then
create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf"
netdata_banner "is installed and running now!"
else
create_netdata_conf "${NETDATA_PREFIX}/etc/netdata/netdata.conf" "http://localhost:19999/netdata.conf"
netdata_banner "is installed now!"
fi
fi
run chmod 0644 "${NETDATA_PREFIX}/etc/netdata/netdata.conf"
Reference in a new issue View git blame Copy permalink