forked from mbentley/docker-omada-controller
-
Notifications
You must be signed in to change notification settings - Fork 0
/
entrypoint-5.x.sh
executable file
·312 lines (274 loc) · 12.2 KB
/
entrypoint-5.x.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
#!/bin/bash
set -e
# set environment variables
export TZ
TZ="${TZ:-Etc/UTC}"
SMALL_FILES="${SMALL_FILES:-false}"
# PORTS CONFIGURATION
MANAGE_HTTP_PORT="${MANAGE_HTTP_PORT:-8088}"
MANAGE_HTTPS_PORT="${MANAGE_HTTPS_PORT:-8043}"
PORTAL_HTTP_PORT="${PORTAL_HTTP_PORT:-8088}"
PORTAL_HTTPS_PORT="${PORTAL_HTTPS_PORT:-8843}"
PORT_ADOPT_V1="${PORT_ADOPT_V1:-29812}"
PORT_APP_DISCOVERY="${PORT_APP_DISCOVERY:-27001}"
PORT_UPGRADE_V1="${PORT_UPGRADE_V1:-29813}"
PORT_MANAGER_V1="${PORT_MANAGER_V1:-29811}"
PORT_MANAGER_V2="${PORT_MANAGER_V2:-29814}"
PORT_DISCOVERY="${PORT_DISCOVERY:-29810}"
# END PORTS CONFIGURATION
SHOW_SERVER_LOGS="${SHOW_SERVER_LOGS:-true}"
SHOW_MONGODB_LOGS="${SHOW_MONGODB_LOGS:-false}"
SSL_CERT_NAME="${SSL_CERT_NAME:-tls.crt}"
SSL_KEY_NAME="${SSL_KEY_NAME:-tls.key}"
TLS_1_11_ENABLED="${TLS_1_11_ENABLED:-false}"
PUID="${PUID:-508}"
PGID="${PGID:-508}"
# validate user/group exist with correct UID/GID
echo "INFO: Validating user/group (omada:omada) exists with correct UID/GID (${PUID}:${PGID})"
# check to see if group exists; if not, create it
if grep -q -E "^omada:" /etc/group > /dev/null 2>&1
then
# exiting group found; also make sure the omada user matches the GID
echo "INFO: Group (omada) exists; skipping creation"
EXISTING_GID="$(id -g omada)"
if [ "${EXISTING_GID}" != "${PGID}" ]
then
echo "ERROR: Group (omada) has an unexpected GID; was expecting '${PGID}' but found '${EXISTING_GID}'!"
exit 1
fi
else
# make sure the group doesn't already exist with a different name
if awk -F ':' '{print $3}' /etc/group | grep -q "^${PGID}$"
then
# group ID exists but has a different group name
EXISTING_GROUP="$(grep ":${PGID}:" /etc/group | awk -F ':' '{print $1}')"
echo "INFO: Group (omada) already exists with a different name; renaming '${EXISTING_GROUP}' to 'omada'"
groupmod -n omada "${EXISTING_GROUP}"
else
# create the group
echo "INFO: Group (omada) doesn't exist; creating"
groupadd -g "${PGID}" omada
fi
fi
# check to see if user exists; if not, create it
if id -u omada > /dev/null 2>&1
then
# exiting user found; also make sure the omada user matches the UID
echo "INFO: User (omada) exists; skipping creation"
EXISTING_UID="$(id -u omada)"
if [ "${EXISTING_UID}" != "${PUID}" ]
then
echo "ERROR: User (omada) has an unexpected UID; was expecting '${PUID}' but found '${EXISTING_UID}'!"
exit 1
fi
else
# make sure the user doesn't already exist with a different name
if awk -F ':' '{print $3}' /etc/passwd | grep -q "^${PUID}$"
then
# user ID exists but has a different user name
EXISTING_USER="$(grep ":${PUID}:" /etc/passwd | awk -F ':' '{print $1}')"
echo "INFO: User (omada) already exists with a different name; renaming '${EXISTING_USER}' to 'omada'"
usermod -g "${PGID}" -d /opt/tplink/EAPController/data -l omada -s /bin/sh -c "" "${EXISTING_USER}"
else
# create the user
echo "INFO: User (omada) doesn't exist; creating"
useradd -u "${PUID}" -g "${PGID}" -d /opt/tplink/EAPController/data -s /bin/sh -c "" omada
fi
fi
# check if properties file exists; create it if it is mising
DEFAULT_FILES="/opt/tplink/EAPController/properties.defaults/*"
for FILE in ${DEFAULT_FILES}
do
BASENAME=$(basename "${FILE}")
if [ ! -f "/opt/tplink/EAPController/properties/${BASENAME}" ]
then
echo "INFO: Properties file '${BASENAME}' missing, restoring default file..."
cp "${FILE}" "/opt/tplink/EAPController/properties/${BASENAME}"
chown omada:omada "/opt/tplink/EAPController/properties/${BASENAME}"
fi
done
# set default time zone and notify user of time zone
echo "INFO: Time zone set to '${TZ}'"
# append smallfiles if set to true
if [ "${SMALL_FILES}" = "true" ]
then
echo "WARN: smallfiles was passed but is not supported in >= 4.1 with the WiredTiger engine in use by MongoDB"
echo "INFO: Skipping setting smallfiles option"
fi
set_port_property() {
# check to see if we are trying to bind to privileged port
if [ "${3}" -lt "1024" ] && [ "$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)" = "1024" ]
then
echo "ERROR: Unable to set '${1}' to ${3}; 'ip_unprivileged_port_start' has not been set. See https://github.com/mbentley/docker-omada-controller#unprivileged-ports"
exit 1
fi
echo "INFO: Setting '${1}' to ${3} in omada.properties"
sed -i "s/^${1}=${2}$/${1}=${3}/g" /opt/tplink/EAPController/properties/omada.properties
}
# update stored ports when different of enviroment defined ports
for ELEM in MANAGE_HTTP_PORT MANAGE_HTTPS_PORT PORTAL_HTTP_PORT PORTAL_HTTPS_PORT PORT_ADOPT_V1 PORT_APP_DISCOVERY PORT_UPGRADE_V1 PORT_MANAGER_V1 PORT_MANAGER_V2 PORT_DISCOVERY
do
# convert element to key name
KEY="$(echo "${ELEM}" | tr '[:upper:]' '[:lower:]' | tr '_' '.')"
# get value we want to set from the element
END_VAL=${!ELEM}
# get the current value from the omada.properties file
STORED_PROP_VAL=$(grep -Po "(?<=${KEY}=)([0-9]+)" /opt/tplink/EAPController/properties/omada.properties)
# check to see if we need to set the value
if [ "${STORED_PROP_VAL}" != "${END_VAL}" ]
then
set_port_property "${KEY}" "${STORED_PROP_VAL}" "${END_VAL}"
fi
done
# make sure that the html directory exists
if [ ! -d "/opt/tplink/EAPController/data/html" ] && [ -f "/opt/tplink/EAPController/data-html.tar.gz" ]
then
# missing directory; extract from original
echo "INFO: Report HTML directory missing; extracting backup to '/opt/tplink/EAPController/data/html'"
tar zxvf /opt/tplink/EAPController/data-html.tar.gz -C /opt/tplink/EAPController/data
chown -R omada:omada /opt/tplink/EAPController/data/html
fi
# make sure that the pdf directory exists
if [ ! -d "/opt/tplink/EAPController/data/pdf" ]
then
# missing directory; extract from original
echo "INFO: Report PDF directory missing; creating '/opt/tplink/EAPController/data/pdf'"
mkdir /opt/tplink/EAPController/data/pdf
chown -R omada:omada /opt/tplink/EAPController/data/pdf
fi
# make sure permissions are set appropriately on each directory
for DIR in data logs properties
do
OWNER="$(stat -c '%u' /opt/tplink/EAPController/${DIR})"
GROUP="$(stat -c '%g' /opt/tplink/EAPController/${DIR})"
if [ "${OWNER}" != "${PUID}" ] || [ "${GROUP}" != "${PGID}" ]
then
# notify user that uid:gid are not correct and fix them
echo "WARN: Ownership not set correctly on '/opt/tplink/EAPController/${DIR}'; setting correct ownership (omada:omada)"
chown -R omada:omada "/opt/tplink/EAPController/${DIR}"
fi
done
# validate permissions on /tmp
TMP_PERMISSIONS="$(stat -c '%a' /tmp)"
if [ "${TMP_PERMISSIONS}" != "1777" ]
then
echo "WARN: Permissions are not set correctly on '/tmp' (${TMP_PERMISSIONS}); setting correct permissions (1777)"
chmod -v 1777 /tmp
fi
# check to see if there is a db directory; create it if it is missing
if [ ! -d "/opt/tplink/EAPController/data/db" ]
then
echo "INFO: Database directory missing; creating '/opt/tplink/EAPController/data/db'"
mkdir /opt/tplink/EAPController/data/db
chown omada:omada /opt/tplink/EAPController/data/db
echo "done"
fi
# Import a cert from a possibly mounted secret or file at /cert
if [ -f "/cert/${SSL_KEY_NAME}" ] && [ -f "/cert/${SSL_CERT_NAME}" ]
then
# see where the keystore directory is; check for old location first
if [ -d /opt/tplink/EAPController/keystore ]
then
# keystore in the parent folder before 5.3.1
KEYSTORE_DIR="/opt/tplink/EAPController/keystore"
else
# keystore directory moved to the data directory in 5.3.1
KEYSTORE_DIR="/opt/tplink/EAPController/data/keystore"
# check to see if the KEYSTORE_DIR exists (it won't on upgrade)
if [ ! -d "${KEYSTORE_DIR}" ]
then
echo "INFO: Creating keystore directory (${KEYSTORE_DIR})"
mkdir "${KEYSTORE_DIR}"
echo "INFO: Setting permissions on ${KEYSTORE_DIR}"
chown omada:omada "${KEYSTORE_DIR}"
fi
fi
echo "INFO: Importing cert from /cert/tls.[key|crt]"
# delete the existing keystore
rm -f "${KEYSTORE_DIR}/eap.keystore"
# example certbot usage: ./certbot-auto certonly --standalone --preferred-challenges http -d mydomain.net
openssl pkcs12 -export \
-inkey "/cert/${SSL_KEY_NAME}" \
-in "/cert/${SSL_CERT_NAME}" \
-certfile "/cert/${SSL_CERT_NAME}" \
-name eap \
-out "${KEYSTORE_DIR}/eap.keystore" \
-passout pass:tplink
# set ownership/permission on keystore
chown omada:omada "${KEYSTORE_DIR}/eap.keystore"
chmod 400 "${KEYSTORE_DIR}/eap.keystore"
fi
# re-enable disabled TLS versions 1.0 & 1.1
if [ "${TLS_1_11_ENABLED}" = "true" ]
then
echo "INFO: Re-enabling TLS 1.0 & 1.1"
if [ -f "/etc/java-8-openjdk/security/java.security" ]
then
# openjdk8
sed -i 's#^jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1,#jdk.tls.disabledAlgorithms=SSLv3,#' /etc/java-8-openjdk/security/java.security
elif [ -f "/etc/java-17-openjdk/security/java.security" ]
then
# openjdk17
sed -i 's#^jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1,#jdk.tls.disabledAlgorithms=SSLv3,#' /etc/java-17-openjdk/security/java.security
else
# not running openjdk8 or openjdk17
echo "WARN: Unable to re-enable TLS 1.0 & 1.1; unable to detect openjdk version"
fi
fi
# see if any of these files exist; if so, do not start as they are from older versions
if [ -f /opt/tplink/EAPController/data/db/tpeap.0 ] || [ -f /opt/tplink/EAPController/data/db/tpeap.1 ] || [ -f /opt/tplink/EAPController/data/db/tpeap.ns ]
then
echo "ERROR: The data volume mounted to /opt/tplink/EAPController/data appears to have data from a previous version!"
echo " Follow the upgrade instructions at https://github.com/mbentley/docker-omada-controller#upgrading-to-41"
exit 1
fi
# check to see if the CMD passed contains the text "com.tplink.omada.start.OmadaLinuxMain" which is the old classpath from 4.x
if [ "$(echo "${@}" | grep -q "com.tplink.omada.start.OmadaLinuxMain"; echo $?)" = "0" ]
then
echo -e "\n############################"
echo "WARNING: CMD from 4.x detected! It is likely that this container will fail to start properly with a \"Could not find or load main class com.tplink.omada.start.OmadaLinuxMain\" error!"
echo " See the note on old CMDs at https://github.com/mbentley/docker-omada-controller/blob/master/KNOWN_ISSUES.md#upgrade-issues for details on why and how to resolve the issue."
echo -e "############################\n"
fi
# compare version from the image to the version stored in the persistent data (last ran version)
if [ -f "/opt/tplink/EAPController/IMAGE_OMADA_VER.txt" ]
then
# file found; read the version that is in the image
IMAGE_OMADA_VER="$(cat /opt/tplink/EAPController/IMAGE_OMADA_VER.txt)"
else
echo "ERROR: Missing image version file (/opt/tplink/EAPController/IMAGE_OMADA_VER.txt); this should never happen!"
exit 1
fi
# load LAST_RAN_OMADA_VER, if file present
if [ -f "/opt/tplink/EAPController/data/LAST_RAN_OMADA_VER.txt" ]
then
# file found; read the version that was last recorded
LAST_RAN_OMADA_VER="$(cat /opt/tplink/EAPController/data/LAST_RAN_OMADA_VER.txt)"
else
# no file found; set version to 0.0.0 as we don't know the last version
LAST_RAN_OMADA_VER="0.0.0"
fi
# use sort to check which version is newer; should sort the newest version to the top
if [ "$(printf '%s\n' "${IMAGE_OMADA_VER}" "${LAST_RAN_OMADA_VER}" | sort -rV | head -n1)" != "${IMAGE_OMADA_VER}" ]
then
# version in the image is didn't match newest image version; this means we are trying to start and older version
echo "ERROR: The version from the image (${IMAGE_OMADA_VER}) is older than the last version executed (${LAST_RAN_OMADA_VER})! Refusing to start to prevent data loss!"
echo " To bypass this check, remove /opt/tplink/EAPController/data/LAST_RAN_OMADA_VER.txt only if you REALLY know what you're doing!"
exit 1
else
echo "INFO: Version check passed; image version (${IMAGE_OMADA_VER}) >= the last version ran (${LAST_RAN_OMADA_VER}); writing image version to last ran file..."
echo "${IMAGE_OMADA_VER}" > /opt/tplink/EAPController/data/LAST_RAN_OMADA_VER.txt
fi
echo "INFO: Starting Omada Controller as user omada"
# tail the omada logs if set to true
if [ "${SHOW_SERVER_LOGS}" = "true" ]
then
gosu omada tail -F -n 0 /opt/tplink/EAPController/logs/server.log &
fi
# tail the mongodb logs if set to true
if [ "${SHOW_MONGODB_LOGS}" = "true" ]
then
gosu omada tail -F -n 0 /opt/tplink/EAPController/logs/mongod.log &
fi
# run the actual command as the omada user
exec gosu omada "${@}"