Spotter-VM/basic/usr/bin/spotter-appmgr

318 lines
13 KiB
Plaintext
Raw Normal View History

#!/usr/bin/python
# -*- coding: utf-8 -*-
import argparse
import json
import os
import subprocess
CONF_FILE = '/srv/config.json'
ISSUE_FILE = '/etc/issue'
NGINX_DIR = '/etc/nginx/conf.d'
NGINX_TEMPLATE = '''server {{
listen [::]:{port} ssl http2;
server_name {host}.{domain};
access_log /var/log/nginx/{app}.access.log;
error_log /var/log/nginx/{app}.error.log;
location / {{
proxy_pass http://{ip}:8080;
}}
error_page 502 /errror.html;
location /error.html {{
root /srv/portal;
}}
}}
'''
NGINX_DEFAULT_TEMPLATE = '''server {{
listen [::]:80 default_server ipv6only=off;
location / {{
return 301 https://$host:{port}$request_uri;
}}
location /.well-known/acme-challenge/ {{
root /etc/acme.sh.d;
}}
}}
server {{
listen [::]:{port} ssl http2 default_server ipv6only=off;
root /srv/portal;
index index.html;
location / {{
try_files $uri $uri/ =404;
}}
location /config.json {{
alias /srv/config.json;
}}
error_page 404 /error.html;
}}
'''
ISSUE_TEMPLATE = '''
\x1b[1;32m _____ _ _ __ ____ __
/ ____| | | | | \\\\ \\\\ / / \\\\/ |
| (___ _ __ ___ | |_| |_ ___ _ _\\\\ \\\\ / /| \\\\ / |
\\\\___ \\\\| '_ \\\\ / _ \\\\| __| __/ _ \\\\ '__\\\\ \\\\/ / | |\\\\/| |
____) | |_) | (_) | |_| || __/ | \\\\ / | | | |
|_____/| .__/ \\\\___/ \\\\__|\\\\__\\\\___|_| \\\\/ |_| |_|
| |
|_|\x1b[0m
\x1b[1;33mUPOZORNĚNÍ:\x1b[0m Neoprávněný přístup k tomuto zařízení je zakázán.
Musíte mít výslovné oprávnění k přístupu nebo konfiguraci tohoto zařízení.
Neoprávněné pokusy a kroky k přístupu nebo používání tohoto systému mohou mít
za následek občanské nebo trestní sankce.
\x1b[1;33mCAUTION:\x1b[0m Unauthozired access to this device is prohibited.
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil or criminal penalties.
Pro přístup k aplikacím otevřete URL \x1b[1mhttps://{host}\x1b[0m ve Vašem
internetovém prohlížeči.
\x1b[0;30m
'''
class SpotterManager:
def __init__(self):
# Load JSON configuration
with open(CONF_FILE, 'r') as f:
self.conf = json.load(f)
self.domain = self.conf['host']['domain']
self.port = self.conf['host']['port']
def save_conf(self):
# Save a sorted JSON configuration object with indentation
with open(CONF_FILE, 'w') as f:
json.dump(self.conf, f, sort_keys=True, indent=4)
def update_login(self, app, login, password):
# Update login and password for an app in the configuration
if login is not None:
self.conf['apps'][app]['login'] = login
if password is not None:
self.conf['apps'][app]['password'] = password
self.save_conf()
def show_tiles(self, app):
# Update tiles-shown for the app in the configuration
self.conf['apps'][app]['tiles-shown'] = True
self.save_conf()
def hide_tiles(self, app):
# Update tiles-shown for the app in the configuration
self.conf['apps'][app]['tiles-shown'] = False
self.save_conf()
def start_app(self, app):
# Start the actual app service
subprocess.call(['/sbin/service', app, 'start'])
def stop_app(self, app):
# Stop the actual app service
subprocess.call(['/sbin/service', app, 'stop'])
# Stop the app service's dependencies if they are not used by any other running app
deps = self.build_deps_tree()
for dep in self.get_app_deps(app):
if False not in [self.is_app_started(d) for d in deps[dep]]:
subprocess.call(['/sbin/service', dep, 'stop'])
def build_deps_tree(self):
# Fisrt, build a dictionary of {app: [needs]}
needs = {}
for app in self.conf['apps']:
needs[app] = self.get_app_deps(app)
# Then reverse it to {need: [apps]}
deps = {}
for app, need in needs.iteritems():
for n in need:
deps.setdefault(n, []).append(app)
return deps
def get_app_deps(self, app):
# Get "needs" line from init script and split it to list, skipping first two elements (docker, net)
try:
with open(os.path.join('/etc/init.d', app), 'r') as f:
return [l.split()[2:] for l in f.readlines() if l.startswith('\tneed')][0]
except:
return []
def is_app_started(self, app):
# Check OpenRC service status without calling any binary
return os.path.exists(os.path.join('/run/openrc/started', app))
def enable_autostart(self, app):
# Add the app to OpenRC default runlevel
subprocess.call(['/sbin/rc-update', 'add', app])
def disable_autostart(self, app):
# Remove the app from OpenRC default runlevel
subprocess.call(['/sbin/rc-update', 'del', app])
def register_proxy(self, app):
# Rebuild nginx configuration using an actual IP of referenced app container
with open(os.path.join(NGINX_DIR, '{}.conf'.format(app)), 'w') as f:
f.write(NGINX_TEMPLATE.format(app=app, host=self.conf['apps'][app]['host'], ip=self.get_container_ip(app), domain=self.domain, port=self.port))
subprocess.call(['/sbin/service', 'nginx', 'reload'])
def unregister_proxy(self, app):
# Remove nginx configuration to prevent proxy mismatch when the container IP is reassigned to another container
nginx_conf = os.path.join(NGINX_DIR, '{}.conf'.format(app))
if os.path.exists(nginx_conf):
os.unlink(nginx_conf)
subprocess.call(['/sbin/service', 'nginx', 'reload'])
def get_container_ip(self, app):
# Return an IP address of a container. If the container is not running, return localhost address instead
try:
return subprocess.check_output(['/usr/bin/docker', 'inspect', '-f', '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}', app]).strip()
except:
return '127.0.0.1'
def update_domain(self, domain, port):
self.domain = self.conf['host']['domain'] = domain
self.port = self.conf['host']['port'] = port
self.save_conf()
self.rebuild_nginx()
self.rebuild_issue()
self.restart_apps()
def rebuild_nginx(self):
# Remove all nginx config files to prevent errors during reloads invoked by app restarts
for f in os.listdir(NGINX_DIR):
os.unlink(os.path.join(NGINX_DIR, f))
# Rebuild nginx config for the portal app and restart nginx to properly bind the new listen port
with open(os.path.join(NGINX_DIR, 'default.conf'), 'w') as f:
f.write(NGINX_DEFAULT_TEMPLATE.format(port=self.port))
subprocess.call(['/sbin/service', 'nginx', 'restart'])
def rebuild_issue(self):
# Compile the HTTPS host displayed in terminal banner
host = self.domain
# If the dummy host is used, take an IP address of a primary interface instead
if self.domain == 'spotter.vm':
host = subprocess.check_output(['ip', 'route', 'get', '1']).split()[-1]
# Show port number only when using the non-default HTTPS port
if self.port != '443':
host = ':{}'.format(self.port)
# Rebuild the terminal banner
with open(ISSUE_FILE, 'w') as f:
f.write(ISSUE_TEMPLATE.format(host=host))
def restart_apps(self):
for app in self.conf['apps']:
# Check if a script for internal update of URL in the app exists and is executable and run it
script_path = os.path.join('/srv', app, 'update-url.sh')
if os.path.exists(script_path) and os.access(script_path, os.X_OK):
subprocess.call([script_path, '{}.{}'.format(self.conf['apps'][app]['host'], self.domain), self.port])
# If the app is currently running, restart the app service
if self.is_app_started(app):
subprocess.call(['/sbin/service', app, 'restart'])
def request_cert(self, email):
# Compile an acme.sh command for certificate requisition
cmd = ['/usr/bin/acme.sh', '--issue', '-d', self.domain]
for app in self.conf['apps']:
cmd += ['-d', '{}.{}'.format(self.conf['apps'][app]['host'], self.domain)]
cmd += ['-w', '/etc/acme.sh.d', '--accountemail', email]
# Request the certificate. If the requisition command fails, CalledProcessError will be raised
subprocess.check_output(cmd, stderr=subprocess.STDOUT)
# Install the issued certificate
subprocess.call(['/usr/bin/acme.sh', '--installcert', '-d', self.domain, '--keypath', '/etc/ssl/private/services.key', '--fullchainpath', '/etc/ssl/certs/services.pem', '--reloadcmd', 'service nginx reload'])
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Spotter VM application manager')
subparsers = parser.add_subparsers()
parser_update_login = subparsers.add_parser('update-login', help='Updates application login')
parser_update_login.set_defaults(action='update-login')
parser_update_login.add_argument('app', help='Application name')
parser_update_login.add_argument('login', help='Administrative login')
parser_update_login.add_argument('password', help='Administrative password')
parser_show_tiles = subparsers.add_parser('show-tiles', help='Shows application tiles in Portal')
parser_show_tiles.set_defaults(action='show-tiles')
parser_show_tiles.add_argument('app', help='Application name')
parser_hide_tiles = subparsers.add_parser('hide-tiles', help='Hides application tiles in Portal')
parser_hide_tiles.set_defaults(action='hide-tiles')
parser_hide_tiles.add_argument('app', help='Application name')
parser_start_app = subparsers.add_parser('start-app', help='Start application including it\'s dependencies')
parser_start_app.set_defaults(action='start-app')
parser_start_app.add_argument('app', help='Application name')
parser_stop_app = subparsers.add_parser('stop-app', help='Stops application including it\'s dependencies if they are not used by another running application')
parser_stop_app.set_defaults(action='stop-app')
parser_stop_app.add_argument('app', help='Application name')
parser_enable_autostart = subparsers.add_parser('enable-autostart', help='Enables application autostart')
parser_enable_autostart.set_defaults(action='enable-autostart')
parser_enable_autostart.add_argument('app', help='Application name')
parser_disable_autostart = subparsers.add_parser('disable-autostart', help='Disables application autostart')
parser_disable_autostart.set_defaults(action='disable-autostart')
parser_disable_autostart.add_argument('app', help='Application name')
parser_register_proxy = subparsers.add_parser('register-proxy', help='Rebuilds nginx proxy target for an application container')
parser_register_proxy.set_defaults(action='register-proxy')
parser_register_proxy.add_argument('app', help='Application name')
parser_unregister_proxy = subparsers.add_parser('unregister-proxy', help='Removes nginx proxy target for an application container')
parser_unregister_proxy.set_defaults(action='unregister-proxy')
parser_unregister_proxy.add_argument('app', help='Application name')
parser_update_domain = subparsers.add_parser('update-domain', help='Rebuilds domain structure of VM with new domain name and new HTTPS port')
parser_update_domain.set_defaults(action='update-domain')
parser_update_domain.add_argument('domain', help='Domain name')
parser_update_domain.add_argument('port', help='HTTPS port')
parser_request_cert = subparsers.add_parser('request-cert', help='Requests and installs Let\'s Encrypt certificate for currently set domain')
parser_request_cert.set_defaults(action='request-cert')
parser_request_cert.add_argument('email', help='Email address to receive certificate notifications')
args = parser.parse_args()
sm = SpotterManager()
if args.action == 'update-login':
sm.update_login(args.app, args.login, args.password)
elif args.action == 'show-tiles':
sm.show_tiles(args.app)
elif args.action == 'hide-tiles':
sm.hide_tiles(args.app)
elif args.action == 'start-app':
sm.start_app(args.app)
elif args.action == 'stop-app':
sm.stop_app(args.app)
elif args.action == 'enable-autostart':
sm.enable_autostart(args.app)
elif args.action == 'disable-autostart':
sm.disable_autostart(args.app)
elif args.action == 'register-proxy':
sm.register_proxy(args.app)
elif args.action == 'unregister-proxy':
sm.unregister_proxy(args.app)
elif args.action == 'update-domain':
sm.update_domain(args.domain, args.port)
elif args.action == 'request-cert':
sm.request_cert(args.email)